[Bro] New installation crashes appear to be ssh-related

Vlad Grigorescu vlad at grigorescu.org
Sun Mar 29 18:30:54 PDT 2015


Hi Ted,

Thanks for reporting this. I'll look into it.

  --Vlad

On Sun, Mar 29, 2015 at 10:12 AM, Llewellyn, Ted <Ted.Llewellyn at ftr.com>
wrote:

> We have a new Bro installation, built from source on Debian wheezy,
> that keeps core dumping. It looks like it’s choking on some code related to
> ssh. Here is the diag for the latest crash. It is identical to the other
> one I have:
>
> [BroControl] > diag
> [bro]
>
> Bro 2.3-633
> Linux 3.2.0-4-686-pae
>
> No gdb installed.
>
> ==== No reporter.log
>
> ==== stderr.log
> listening on eth1, capture length 8192 bytes
>
> bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int
> binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr,
> binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion
> `t_dataptr_after_cookie <= t_end_of_data' failed.
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307
> Aborted                 (core dumped) nohup "$mybro" "$@"
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro
> local.bro broctl broctl/standalone broctl/auto
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=
>
> ==== .status
> RUNNING [net_run]
>
> ==== No prof.log
>
> ==== No packet_filter.log
>
> ==== No loaded_scripts.log
> [BroControl] >
>
> This is just running the default setup, with the local subnets configured,
> as we are just starting with Bro. This is a really low end server, but the
> capture interface is only running at 100 meg so there are really no
> resource issues. (Yes, this is a 32-bit box. It’s pretty old. That’s why I
> built from source.)
>
> The first crash occurred after a few minutes. Then it ran for nearly 24
> hours before this crash. Is there something I can tweak to prevent this?
>
> Thanks,
>
> Ted Llewellyn