bro dies (every day)

scott campbell scampbell at
Fri Aug 22 08:05:15 PDT 2003


Anton Chuvakin, Ph.D. wrote:
| Vern and all,
| I reported bro dying here before, but now (with 0.34) it happens EVERY
| DAY. I suspect the ongoing ICMP "rain" is to blame as well, since I don't
| think it was happening that often before that. As usual, there are no
| messages in the logs and no core file (ulimit is set).
| I would appreciate any hints for finding out what happens. I can send my
| policy file over, if needed.
| Best,
I experienced the same problem and tracked down a possible source of the

I took a quick look at the icmp code, and did a little testing.  During
this I noticed the following:  when *any* tracefile with icmp in it is
run through bro, there will be an exception at close time (i.e. after
net_done() is called).

On a trace file of ~500 icmp packets (and only icmp), the following data
was provided from the exec trace file:

0.000000 <no location>:0        event called: bro_init()

1060118249.065749 <no location>:0       event called: net_done(t =

1060118249.065749 <no location>:0       event called:
connection_state_remove(c = '[orig_h=, resp_h=,
itype=8, icode=0]')

In the info (i.e. stderr) file the following can be found:

1060118249.065749 <no location> ( bad tag in Val::CONVERTER

which seems to correlate with the last event logged.  Regular logged
data seems to indicate that only the last icmp packet seems to tickle
this bug.

When a single pair of icmp ping request-response are run through, the
same problem presents itself, with the 'connection_state_remove' call
getting the orig_h and resp_h IPs *backwards* with respect to the icmp
flow object defined when icmp.bro is loaded.

Loading the icmp.bro module seems not to affect this problem, although I
am seeing strange behavior with regard to some packet payload analysis
that is going on (modified icmp.bro).

If anyone has a good idea as to the location of the problem, I would be
most happy to work with them on resolving this issue.  Recently a
modified sk rootkit with an icmp backdoor was discovered at another lab,
so keeping an eye on this protocol has just been raised in priority.


scott campbell

-----
Scott Campbell
NERSC Network Security