[Bro] smb crashing workers

Mike Kolkebeck mkolkebeck at gmail.com
Wed Mar 6 16:09:10 PST 2013

I know the smb analyzer still has a few bugs in Bro-2.1, but is there any way to prevent/catch the bro workers from infrequently crashing (~2-3 times per day, under peak periods)?
I've included partial output from stderr.log, which I believe is a good representation of each crash output.

Also, probably a dumb question, but when a worker crashes, will it completely stop logging activity until it is restarted (by broctl cron)? I assume so. Would there be any harm in running broctl cron every minute, as opposed to 5 minutes?

Unfortunately I'm not able to identify the cause of the crash, other than bugs in the code, so any guidance or available tools to investigate the cause would also be helpful.


stderr.log excerpt:
bro: /home/xuser1/bro-2.1/build/src/smb_pac.cc:517: int binpac::SMB::SMB_unicode_string::Parse(const binpac::uint8*, const binpac::uint8*, int): Assertion `t_dataptr_after_s <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 60: 12342 Aborted                 (core dumped) nohup $mybro $@
listening on eth2, capture length 8192 bytes

