[Bro] New installation crashes appear to be ssh-related
vlad at grigorescu.org
Mon Mar 30 08:05:54 PDT 2015
Also, do you happen to have a core dump of this? It would help with
To answer your question about BinPAC - BinPAC is a Binary Protocol Analyzer
Compiler. Some analyzers in Bro are written in a language that BinPAC will
compile to C++. When you compile Bro, this compilation happens, and then
that C++ code gets compiled with the rest of Bro. So, it's not really a
plugin - you could technically build Bro without BinPAC, but in practice,
you wouldn't want to do that.
Hope that makes sense,
On Mon, Mar 30, 2015 at 9:39 AM, Robin Sommer <robin at icir.org> wrote:
> Ted, mind filing a ticket so that we track this one?
> On Sun, Mar 29, 2015 at 15:12 +0000, you wrote:
> > We have a new Bro installation, built from source on Debian wheezy,
> > that keeps core dumping. It looks like it's choking on some code related to
> > ssh. Here is the diag for the latest crash. It is identical to the other
> > one I have:
> > [BroControl] > diag
> > [bro]
> > Bro 2.3-633
> > Linux 3.2.0-4-686-pae
> > No gdb installed.
> > ==== No reporter.log
> > ==== stderr.log
> > listening on eth1, capture length 8192 bytes
> > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int
> > binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion
> > `t_dataptr_after_cookie <= t_end_of_data' failed.
> > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted
> > (core dumped) nohup "$mybro" "$@"
> > ==== stdout.log
> > max memory size (kbytes, -m) unlimited
> > data seg size (kbytes, -d) unlimited
> > virtual memory (kbytes, -v) unlimited
> > core file size (blocks, -c) unlimited
> > ==== .cmdline
> > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p
> > bro local.bro broctl broctl/standalone broctl/auto
> > ==== .env_vars
> > CLUSTER_NODE=
> > ==== .status
> > RUNNING [net_run]
> > ==== No prof.log
> > ==== No packet_filter.log
> > ==== No loaded_scripts.log
> > [BroControl] >
> > This is just running the default setup, with the local subnets
> > configured, as we are just starting with Bro. This is a really low end
> > server, but the capture interface is only running at 100 meg so there are
> > really no resource issues. (Yes, this is a 32-bit box. It's pretty old.
> > That's why I built from source.)
> > The first crash occurred after a few minutes. Then it ran for nearly 24
> > hours before this crash. Is there something I can tweak to prevent this?
> > Thanks,
> > Ted Llewellyn
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin