[Bro] Segmentation fault while using own signature.
fatema.bannatwala at gmail.com
Wed Jan 18 09:27:23 PST 2017
Thanks for lending some help. Appreciate it.
We are running CentOS on our bro sensors as well as on manager.
Here's the full info:
Linux sensor1.xx.xx 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.2.1511 (Core)
On Wed, Jan 18, 2017 at 12:16 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> I've run into issues with getting core dumps in the past. I documented
> some of them as comments against broala KBs, but I'm not sure where those
> exist now that it has been renamed. What OS are you running? Recalling
> from memory, there are different things that can stop successful cores
> using the afore-mentioned config depending on the platform (I think it was
> ABRT?). Happy to pull that back up again if you continue to have an issue.
> On Wed, Jan 18, 2017 at 12:03 PM fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>> Hi Seth,
>> Thanks for the suggestions, still getting No core dump:
>> $ less /etc/security/limits.conf
>> #Editing the core dump limit to unlimited for Bro debugging
>> #* soft core 0
>> * soft core unlimited
>> $ less .crash-diag.out
>> No core file found.
>> Bro 2.5
>> Linux 3.10.0-327.36.3.el7.x86_64
>> Bro plugins: (none found)
>> ==== No reporter.log
>> I will check to see what I am missing.
>> On Tue, Jan 17, 2017 at 10:58 PM, Seth Hall <seth at icir.org> wrote:
>> > On Jan 17, 2017, at 4:07 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>> > Also, I'm starting bro with following commands on manager:
>> > sudo -u bro /usr/local/bro/2.5/bin/broctl install
>> > sudo -u bro /usr/local/bro/2.5/bin/broctl restart
>> > However, when seeing the crash report on the sensor, it says No core file was found:
>> > (Any idea, why broctl isn't generating the core dump, or do I have to include any file in local.bro for the same?)
>> Ah! I suspect the problem is that you're starting Bro as the Bro user
>> which probably doesn't have permission to increase its maximum core file
>> size to unlimited.
>> You can edit /etc/security/limits.conf and add the following line to it...
>> * soft core unlimited
>> That should make it possible for Bro to have arbitrarily large core dumps.
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
> Sent from my mobile device
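
Added example, not part of the thread and not Bro or BroControl code: a small triage script for the "No core file found" case discussed above. It compares what limits.conf grants, what the running process actually holds in /proc/<pid>/limits, and whether kernel.core_pattern pipes cores to a helper such as ABRT. Function names are hypothetical, the /proc row and the ABRT pattern are constructed samples, and limits.conf handling is simplified to user and "*" entries in one file.

```shell
#!/bin/bash
# Added example (function names are hypothetical, sample data is constructed).

# limits.conf lines as posted in the thread.
SAMPLE_LIMITS_CONF='#* soft core 0
* soft core unlimited'
# Constructed /proc/<pid>/limits rows for a process started before the edit.
SAMPLE_PROC_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    unlimited            bytes'
# Constructed core_pattern of the kind ABRT installs on CentOS 7.
SAMPLE_ABRT_PATTERN='|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e'

# Core size that limits.conf text (stdin) grants user $1: a user entry beats "*".
# Simplification: group entries and /etc/security/limits.d are not read.
limits_conf_core() {
    awk -v u="$1" '
        /^[[:space:]]*#/ { next }
        ($2 == "soft" || $2 == "-") && $3 == "core" {
            if ($1 == u) uv = $4; else if ($1 == "*") wv = $4
        }
        END { print (uv != "" ? uv : (wv != "" ? wv : "unset")) }'
}

# Soft "Max core file size" from /proc/<pid>/limits text on stdin.
soft_core_limit() { awk '/^Max core file size/ { print $5 }'; }

# A leading "|" means the kernel pipes the core to a helper program.
core_pattern_kind() {
    case "$1" in
        "|"*) echo pipe ;;
        /*)   echo absolute-path ;;
        *)    echo relative-to-cwd ;;
    esac
}

# $1 = soft limit of the running process, $2 = kernel.core_pattern value.
diagnose() {
    if [ "$(core_pattern_kind "$2")" = pipe ]; then echo piped-to-helper
    elif [ "$1" = 0 ]; then echo limit-zero
    else echo core-expected
    fi
}

# Live check on Linux: pass the PID of a running Bro process.
if [ -n "${1:-}" ] && [ -r "/proc/$1/limits" ]; then
    diagnose "$(soft_core_limit < "/proc/$1/limits")" \
             "$(cat /proc/sys/kernel/core_pattern)"
fi
```

A process keeps the limits it was started with, so an edited limits.conf only shows up in /proc/<pid>/limits after the process is restarted from a new PAM session.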