[Bro] crash with std::bad_alloc

Peter Wurzinger pw at seclab.tuwien.ac.at
Wed Nov 5 09:22:44 PST 2008


I am running my own bro policy script (bro 1.4, debian lenny), together 
with a set of signatures that should be matched. After a few hours of 
runtime bro always and repeatably crashes, with the following error message:

terminate called after throwing an instance of 'std::bad_alloc'
   what():  std::bad_alloc

Bit by bit I stripped parts from my script in order to find the critical
part, and I ended up with a script as trivial as:

@load conn
@load notice
@load notice-action-filters

redef use_connection_compressor = F;
redef capture_filters = {["ALL"] = ""};
redef dpd_match_only_beginning = F;
redef local_nets[...];

redef signature_files += "./my_signatures.sig";

The critical part seems to be the signature matching. When including my
signatures, the error occurs. When commenting out the last redef line, it
works without crashing (at least for a much longer time until I
terminate it deliberately, I cannot be totally sure that it hadn't
crashed later). Note that I don't even handle the signature
matches anymore, still the error occurs. My signature file is approx
100Kb, contains more than 600 signatures, and all of them look like:

signature xxx {
         dst-ip == local_nets
         event "xxx"
         payload /xxx/
}

I'd be very happy about learning what exactly causes the error, and of
course how to avoid it.

