Hi Scott,<br><br>Here's the last part of the result in the trace:<br><br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:102 event called: rotate_interval(f = 'file "weird.log" of string')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Builtin Function called: bro_is_terminating()<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Function return: T<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:71 function called: RotateLogs::rotate(f = 'file "weird.log" of string')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Builtin Function called: rotate_file(f = 'file "weird.log" of string')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Function return: [old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 function called: RotateLogs::run_pp(info = '[old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 function called: RotateLogs::build_name(info = '[old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: strftime(fmt = '%y-%m-%d_%H.%M.%S', d = '1190089477.64701')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: 07-09-18_12.24.37<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: fmt(va_args = '%s-%s', vararg0 = 'weird.log', vararg1 = '07-09-18_12.24.37')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12.24.37<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12.24.37<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: fmt(va_args = '/bin/mv %s %s', vararg0 = 'weird.log.27507.1189307168.792985.tmp', vararg1 = 'weird.log-07-09-18_12.24.37')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: /bin/mv weird.log.27507.1189307168.792985.tmp weird.log-07-09-18_12.24.37<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: system(str = '/bin/mv weird.log.27507.1189307168.792985.tmp weird.log-07-09-18_12.24.37')<br>1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: 0<br><br><div><span class="gmail_quote">On 9/18/07, <b class="gmail_sendername">
scott campbell</b> <<a href="mailto:scampbell@lbl.gov">scampbell@lbl.gov</a>> wrote:</span><blockquote class="gmail_quote" style="margin-top: 0; margin-right: 0; margin-bottom: 0; margin-left: 0; margin-left: 0.80ex; border-left-color: #cccccc; border-left-width: 1px; border-left-style: solid; padding-left: 1ex">
I have seen a similar problem with InstallRotateTimer when bro is<br>exiting (ie with bro.rc --checkpoint) on FreeBSD 6.2, but not at<br>startup. You might get a little better information if you start up the
<br>instance with the trace option (-t <file>) which will let you know<br>exactly what the policy side is doing.<br><br><br>scott<br>CS Lee wrote:<br>> Hi,<br>><br>> We have installed bro 1.3.2(expect the edge ;]) on Ubuntu
7.04 without much<br>> hassle, and we are currently practicing writing bro scripts, but<br>> during the loading of the brolite policy script, bro crashed<br>> with a segmentation fault. It goes this way -
<br>><br>> gdb bro<br>> GNU gdb 6.6-debian<br>> Copyright (C) 2006 Free Software Foundation, Inc.<br>> GDB is free software, covered by the GNU General Public License, and you are<br>> welcome to change it and/or distribute copies of it under certain
<br>> conditions.<br>> Type "show copying" to see the conditions.<br>> There is absolutely no warranty for GDB. Type "show warranty" for details.<br>> This GDB was configured as "i486-linux-gnu"...
<br>> Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".<br>><br>> (gdb) run -r ../fl0p-skype-sig.pcap brolite<br>> Starting program: /usr/local/bin/bro -r ../fl0p-skype-sig.pcap
brolite<br>><br>> Program received signal SIGSEGV, Segmentation fault.<br>> 0x086a67d7 in ?? ()<br>> (gdb) backtrace<br>> #0 0x086a67d7 in ?? ()<br>> #1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562<br>> #2 0x080de5f8 in BroFile::Open (this=0x8990480, file=0x891c218) at File.cc:192<br>> #3 0x080df663 in BroFile::Rotate (this=0x8990480) at File.cc:528<br>> #4 0x080f8314 in bro_rotate_file (frame=0x88b1598, BiF_ARGS=0x8a5b5c8) at bro.bif:2393<br>> #5 0x080e8a4d in BuiltinFunc::Call (this=0x8362020, args=0x8a5b5c8, parent=0x88b1598) at Func.cc:467<br>> #6 0x080da56c in CallExpr::Eval (this=0x8a2b3f0, f=0x88b1598) at Expr.cc:4501<br>> #7 0x080c4a5f in AssignExpr::Eval (this=0x8a2b200, f=0x88b1598) at Expr.cc:2562<br>> #8 0x08179cdc in ExprStmt::Exec (this=0x8a2b590, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:395<br>> #9 0x081756c9 in StmtList::Exec (this=0x8a2b020, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:1391<br>> #10 0x080e8e24 in BroFunc::Call (this=0x8a2bc58, args=0x8a5c258, parent=0x88aca08) at Func.cc:324<br>> #11 0x080da56c in CallExpr::Eval (this=0x8a2f820, f=0x88aca08) at Expr.cc:4501<br>> #12 0x08179cdc in ExprStmt::Exec (this=0x8a2f880, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:395<br>> #13 0x081756c9 in StmtList::Exec (this=0x8a2f118, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:1391<br>> #14 0x080e8e24 in BroFunc::Call (this=0x8a2f8e0, args=0x828d698, parent=0x0) at Func.cc:324<br>> #15 0x080a8cf6 in EventHandler::Call (this=0x8a2f9b0, vl=0x828d698, no_remote=true) at EventHandler.cc:64<br>> #16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59<br>> #17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017<br>><br>> (gdb) frame 1<br>> #2 0x080de4a7 in BroFile::InstallRotateTimer (this=0x837c5f8) at File.cc:562<br>> 562 timer_mgr->Add(rotate_timer);<br>> (gdb) frame 2<br>> #3 0x080de5f8 in BroFile::Open (this=0x837c5f8, file=0x837c720) at File.cc:192<br>> 192 InstallRotateTimer();<br>> (gdb) frame 3<br>> #4 0x080df663 in BroFile::Rotate (this=0x837c5f8) at File.cc:528<br>> 528 Open(newf);<br>> (gdb) frame 4<br>> #5 0x080f8314 in bro_rotate_file (frame=0x84e79e0, BiF_ARGS=0x84e5f10) at
<br>> bro.bif:2393<br>> 2393 RecordVal* info = f->Rotate();<br>><br>> This led us to believe something is wrong with the log rotation (a time issue),<br>> therefore we tried running bro with this:<br>><br>> bro -r fl0p-skype-sig.pcap tcp rotate-logs<br>><br>> Immediately it crashes, and if we disable the log rotation in brolite,<br>> everything goes fine. Looking at our pcap file metadata -<br>><br>> capinfos fl0p-skype-sig.pcap<br>> File name: fl0p-skype-sig.pcap<br>> File type: Wireshark/tcpdump/... - libpcap<br>> Number of packets: 368874<br>> File size: 75144608 bytes<br>> Data size: 69242600 bytes<br>> Capture duration: 3892.835282 seconds<br>> Start time: Sun Sep 9 10:02:58 2007<br>> End time: Sun Sep 9 11:07:51 2007<br>> Data rate: 17787.19 bytes/s<br>> Data rate: 142297.52 bits/s<br>> Average packet size: 187.71 bytes<br>><br>> So this pcap's timeline spans around 1 hour; when we tune the interval of the log<br>> rotation it may crash at different points, and that seems to be the time<br>> issue.<br>><br>> Btw, we don't have such an issue when using bro-1.2 on MacOSX, Gentoo and<br>> bro-1.3.2 on FreeBSD 6.2.<br>><br>> Thanks.<br>><br>> ------------------------------------------------------------------------<br>><br>> _______________________________________________<br>
> Bro mailing list<br>> <a href="mailto:bro@bro-ids.org">bro@bro-ids.org</a><br>> <a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</a><br></blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br><br>CS Lee<geekooL[at]gmail.com>
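An added example, not from this thread and not Bro's own code: a small Python parser for the rotate_file return record in the -t trace above. It re-derives the build_name step with the same strftime format and flags that the record's close time (network time taken from the Sep 9 pcap) precedes its open time (wall clock on Sep 18), which is the timing inconsistency the report suspects. The UTC+8 offset is an assumption inferred from the trace rendering 1190089477 (04:24:37 UTC) as 12.24.37.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample input: two lines in the shape of the bro -t trace above, with the
# rotate_file return record re-joined (the mail client had wrapped it mid-token).
TRACE = """\
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Function return: T
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Function return: [old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]
"""

# Matches the record the rotate_file BiF returns, as the tracer prints it.
ROTATE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \S+ Function return: \[old_name=(?P<old>[^,]+), "
    r"new_name=(?P<new>[^,\]]+), open=(?P<open>[\d.]+), close=(?P<close>[\d.]+)\]$"
)

# Assumption: Bro's strftime uses host local time, and the trace shows 04:24:37 UTC
# as 12.24.37, so the reporting host was at UTC+8.
LOCAL_TZ = timezone(timedelta(hours=8))
NAME_FMT = "%y-%m-%d_%H.%M.%S"   # the format rotate-logs.bro hands to strftime


def parse_rotations(trace):
    """Extract every rotate_file return record from trace output as a dict."""
    recs = []
    for line in trace.splitlines():
        m = ROTATE_RE.match(line)
        if m:
            d = m.groupdict()
            recs.append({"ts": float(d["ts"]), "old": d["old"], "new": d["new"],
                         "open": float(d["open"]), "close": float(d["close"])})
    return recs


def build_name(old_name, open_ts, tz=LOCAL_TZ):
    """Re-derive RotateLogs::build_name: '<old_name>-<strftime(open time)>'."""
    return f"{old_name}-{datetime.fromtimestamp(open_ts, tz).strftime(NAME_FMT)}"


def check_record(rec):
    """Consistency checks a rotation record should pass; the trace above fails the first."""
    problems = []
    if rec["close"] < rec["open"]:
        gap = rec["open"] - rec["close"]
        problems.append(f"{rec['old']}: close time precedes open time by {gap:.0f}s")
    if not rec["new"].startswith(rec["old"]):
        problems.append(f"{rec['old']}: temp name {rec['new']} is not derived from it")
    return problems


if __name__ == "__main__":
    for rec in parse_rotations(TRACE):
        print(build_name(rec["old"], rec["open"]), check_record(rec))
```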