[Bro] New installation crashes appear to be ssh-related
robin at icir.org
Tue Mar 31 08:42:24 PDT 2015
Thanks for filing the ticket. For the core, actually what would be
most helpful right now I believe is a stack backtrace. Your crash
report didn't have that, it looks like there's no gdb installed. Can
you install gdb and then run "gdb bro core" + "bt" as described here:
For the core itself, I think the best thing might be to hold on to it
for now, just the core won't be useful for others much anyways, as one
also needs the binary and potentially a similar system to use it.
So if you could keep binary and core somewhere until this is resolved,
that would be best for now.
On Mon, Mar 30, 2015 at 23:54 +0000, you wrote:
> I submitted a ticket, 1361. It won't let me attach the core dump as it's too big. How do I upload that?
> -----Original Message-----
> From: Robin Sommer [mailto:robin at icir.org]
> Sent: Monday, March 30, 2015 10:39 AM
> To: Llewellyn, Ted
> Cc: bro at bro.org
> Subject: Re: [Bro] New installation crashes appear to be ssh-related
> Ted, mind filing a ticket so that we track this one?
> On Sun, Mar 29, 2015 at 15:12 +0000, you wrote:
> > We have a new Bro installation, built from source on Debian wheezy, that keeps core dumping. It looks like it's choking on some code related to ssh. Here is the diag for the latest crash. It is identical to the other one I have:
> > [BroControl] > diag
> > [bro]
> > Bro 2.3-633
> > Linux 3.2.0-4-686-pae
> > No gdb installed.
> > ==== No reporter.log
> > ==== stderr.log
> > listening on eth1, capture length 8192 bytes
> > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
> > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@"
> > ==== stdout.log
> > max memory size (kbytes, -m) unlimited
> > data seg size (kbytes, -d) unlimited
> > virtual memory (kbytes, -v) unlimited
> > core file size (blocks, -c) unlimited
> > ==== .cmdline
> > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p
> > bro local.bro broctl broctl/standalone broctl/auto
> > ==== .env_vars
> > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local
> > /bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr
> > /local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/sh
> > are/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> > CLUSTER_NODE=
> > ==== .status
> > RUNNING [net_run]
> > ==== No prof.log
> > ==== No packet_filter.log
> > ==== No loaded_scripts.log
> > [BroControl] >
> > This is just running the default setup, with the local subnets
> > configured, as we are just starting with Bro. This is a really low end server, but the capture interface is only running at 100 meg so there are really no resource issues. (Yes, this is a 32-bit box. It's pretty old. That's why I built from source.) The first crash occurred after a few minutes. Then it ran for nearly 24 hours before this crash. Is there something I can tweak to prevent this?
> > Thanks,
> > Ted Llewellyn
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
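
The assertion in the quoted stderr.log compares a parse position after the KEXINIT cookie with the end of the available data. As an added example (not code from Bro, binpac or anyone in this thread), here is a hand-written C parser for the start of an SSH2 KEXINIT payload, laid out as in RFC 4253, that reports short input to its caller instead of aborting the process. The function and type names are hypothetical, the sample bytes are constructed, and the input that triggered the reported crash is not known from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20u  /* RFC 4253 message number */
#define KEX_COOKIE_LEN  16u  /* RFC 4253, section 7.1 */

enum kex_status { KEX_OK, KEX_TRUNCATED, KEX_BAD_TYPE };

struct kexinit_hdr {
    uint8_t        cookie[KEX_COOKIE_LEN];
    const uint8_t *kex_algorithms;      /* points into the input buffer */
    uint32_t       kex_algorithms_len;
};

/* Constructed sample payload: type, cookie, first name-list (48 bytes). */
static const uint8_t sample[] = "\x14" "0123456789abcdef"
                                "\x00\x00\x00\x1b" "diffie-hellman-group14-sha1";
#define SAMPLE_LEN (sizeof sample - 1)  /* drop the literal's trailing NUL */

/* Parse type byte, cookie and first name-list. Each step compares a length
 * against the bytes remaining (never pointer sums, which can wrap on a
 * 32-bit build) and reports truncation to the caller instead of asserting. */
enum kex_status parse_kexinit_header(const uint8_t *data, size_t len,
                                     struct kexinit_hdr *out)
{
    size_t off;

    if (len < 1)
        return KEX_TRUNCATED;
    if (data[0] != SSH_MSG_KEXINIT)
        return KEX_BAD_TYPE;
    off = 1;
    if (len - off < KEX_COOKIE_LEN)     /* cookie would run past end of data */
        return KEX_TRUNCATED;
    memcpy(out->cookie, data + off, KEX_COOKIE_LEN);
    off += KEX_COOKIE_LEN;
    if (len - off < 4)                  /* no room for the name-list length */
        return KEX_TRUNCATED;
    uint32_t n = ((uint32_t)data[off] << 24) | ((uint32_t)data[off + 1] << 16) |
                 ((uint32_t)data[off + 2] << 8) | (uint32_t)data[off + 3];
    off += 4;
    if (len - off < n)                  /* declared length exceeds what arrived */
        return KEX_TRUNCATED;
    out->kex_algorithms = data + off;
    out->kex_algorithms_len = n;
    return KEX_OK;
}
```

In a passive monitor, a KEX_TRUNCATED result would typically mean buffering until more bytes arrive or logging a protocol violation for that connection, while the process keeps running.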