Hi,

We have installed Bro 1.3.2 (expect the edge ;]) on Ubuntu 7.04 without much hassle, and we are currently practicing writing Bro scripts, but during the loading of the brolite policy script Bro crashed with a segmentation fault. It goes like this:
gdb bro
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run -r ../fl0p-skype-sig.pcap brolite
Starting program: /usr/local/bin/bro -r ../fl0p-skype-sig.pcap brolite

Program received signal SIGSEGV, Segmentation fault.
0x086a67d7 in ?? ()
(gdb) backtrace
#0 0x086a67d7 in ?? ()
#1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562
#2 0x080de5f8 in BroFile::Open (this=0x8990480, file=0x891c218) at File.cc:192
#3 0x080df663 in BroFile::Rotate (this=0x8990480) at File.cc:528
#4 0x080f8314 in bro_rotate_file (frame=0x88b1598, BiF_ARGS=0x8a5b5c8) at bro.bif:2393
#5 0x080e8a4d in BuiltinFunc::Call (this=0x8362020, args=0x8a5b5c8, parent=0x88b1598) at Func.cc:467
#6 0x080da56c in CallExpr::Eval (this=0x8a2b3f0, f=0x88b1598) at Expr.cc:4501
#7 0x080c4a5f in AssignExpr::Eval (this=0x8a2b200, f=0x88b1598) at Expr.cc:2562
#8 0x08179cdc in ExprStmt::Exec (this=0x8a2b590, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:395
#9 0x081756c9 in StmtList::Exec (this=0x8a2b020, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:1391
#10 0x080e8e24 in BroFunc::Call (this=0x8a2bc58, args=0x8a5c258, parent=0x88aca08) at Func.cc:324
#11 0x080da56c in CallExpr::Eval (this=0x8a2f820, f=0x88aca08) at Expr.cc:4501
#12 0x08179cdc in ExprStmt::Exec (this=0x8a2f880, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:395
#13 0x081756c9 in StmtList::Exec (this=0x8a2f118, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:1391
#14 0x080e8e24 in BroFunc::Call (this=0x8a2f8e0, args=0x828d698, parent=0x0) at Func.cc:324
#15 0x080a8cf6 in EventHandler::Call (this=0x8a2f9b0, vl=0x828d698, no_remote=true) at EventHandler.cc:64
#16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59
#17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017

(gdb) frame 1
#2 0x080de4a7 in BroFile::InstallRotateTimer (this=0x837c5f8) at File.cc:562
562         timer_mgr->Add(rotate_timer);
(gdb) frame 2
#3 0x080de5f8 in BroFile::Open (this=0x837c5f8, file=0x837c720) at File.cc:192
192         InstallRotateTimer();
(gdb) frame 3
#4 0x080df663 in BroFile::Rotate (this=0x837c5f8) at File.cc:528
528         Open(newf);
(gdb) frame 4
#5 0x080f8314 in bro_rotate_file (frame=0x84e79e0, BiF_ARGS=0x84e5f10) at bro.bif:2393
2393        RecordVal* info = f->Rotate();
This led us to believe something is wrong with the log rotation (time issue), therefore we tried running Bro with this:

bro -r fl0p-skype-sig.pcap tcp rotate-logs

Immediately it crashes, and if we disable the log rotation in brolite, everything goes fine. Looking at our pcap file metadata:

capinfos fl0p-skype-sig.pcap
File name: fl0p-skype-sig.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 368874
File size: 75144608 bytes
Data size: 69242600 bytes
Capture duration: 3892.835282 seconds
Start time: Sun Sep 9 10:02:58 2007
End time: Sun Sep 9 11:07:51 2007
Data rate: 17787.19 bytes/s
Data rate: 142297.52 bits/s
Average packet size: 187.71 bytes

So this pcap's timeline spans around 1 hour; when we tune the interval of the log rotation it may crash at different points, and that seems to be the time issue.

Btw, we don't have this issue when using bro-1.2 on MacOSX and Gentoo, or bro-1.3.2 on FreeBSD 6.2.

Thanks.

--
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com
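A small triage helper, added here as an illustration; it is not part of CS Lee's post nor code from the Bro project. It parses a classic libpcap file the way capinfos summarises one (packet count, captured bytes, first/last timestamp, duration, data rate), rejects truncated or oversize records, counts timestamp regressions (a trace that runs backwards in time matters when timers are driven by packet time), and lists the trace-time instants at which a log rotation of a given interval would fire, so that crash points can be correlated with rotation boundaries when the interval is tuned as described above. The sample trace is constructed inline; the rotation schedule is assumed to be anchored at the first packet, which need not match Bro's own alignment.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# libpcap global-header magic numbers (microsecond and nanosecond variants).
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HDR = 24   # bytes
RECORD_HDR = 16   # bytes


@dataclass
class PcapSummary:
    packets: int
    captured_bytes: int
    first_ts: float
    last_ts: float

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

    @property
    def bytes_per_sec(self) -> float:
        return self.captured_bytes / self.duration if self.duration > 0 else 0.0


def parse_pcap(blob: bytes) -> Tuple[PcapSummary, List[float]]:
    """Parse a classic libpcap file; return a capinfos-style summary and the
    per-record timestamps in file order. Truncated or oversize records are rejected."""
    if len(blob) < GLOBAL_HDR:
        raise ValueError("truncated global header")
    le_magic = struct.unpack("<I", blob[:4])[0]
    be_magic = struct.unpack(">I", blob[:4])[0]
    if le_magic in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", le_magic
    elif be_magic in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", be_magic
    else:
        raise ValueError("not a libpcap file")
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _tz, _sig, snaplen, _lt = struct.unpack(endian + "IHHiIII", blob[:GLOBAL_HDR])
    off, timestamps, captured = GLOBAL_HDR, [], 0
    while off + RECORD_HDR <= len(blob):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + RECORD_HDR])
        off += RECORD_HDR
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError(f"corrupt record header at offset {off - RECORD_HDR}")
        timestamps.append(sec + frac / frac_div)
        captured += incl_len
        off += incl_len
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    if not timestamps:
        raise ValueError("no packets")
    return PcapSummary(len(timestamps), captured, min(timestamps), max(timestamps)), timestamps


def timestamp_regressions(timestamps: List[float]) -> int:
    """Count records whose timestamp is earlier than the preceding one."""
    return sum(1 for a, b in zip(timestamps, timestamps[1:]) if b < a)


def rotation_boundaries(timestamps: List[float], interval: float,
                        base: Optional[float] = None) -> List[Tuple[float, int]]:
    """Trace-time instants at which a rotation every `interval` seconds would fire,
    anchored at `base` (default: first record), each paired with the index of the
    first record at or after that instant. Boundaries past the last record are omitted."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    base = timestamps[0] if base is None else base
    last, out, k = max(timestamps), [], 1
    while base + k * interval <= last:
        boundary = base + k * interval
        idx = next(i for i, t in enumerate(timestamps) if t >= boundary)
        out.append((boundary, idx))
        k += 1
    return out


# Constructed sample trace (not the reporter's fl0p-skype-sig.pcap): six 60-byte
# dummy frames spread over 800 s starting at an arbitrary epoch value.
SAMPLE_BASE = 1189324978
SAMPLE_OFFSETS = (0, 100, 250, 400, 600, 800)


def build_sample_pcap(endian: str = "<") -> bytes:
    hdr = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    body = b""
    for delta in SAMPLE_OFFSETS:
        payload = b"\x00" * 60
        body += struct.pack(endian + "IIII", SAMPLE_BASE + delta, 0, len(payload), len(payload)) + payload
    return hdr + body


if __name__ == "__main__":
    summary, ts = parse_pcap(build_sample_pcap())
    print(f"packets={summary.packets} bytes={summary.captured_bytes} "
          f"duration={summary.duration:.1f}s rate={summary.bytes_per_sec:.2f} B/s "
          f"regressions={timestamp_regressions(ts)}")
    for when, idx in rotation_boundaries(ts, 300):
        print(f"rotation at +{when - summary.first_ts:.0f}s, first affected record index {idx}")
```

To use it on a real trace, pass the file's bytes to parse_pcap and the trace's timestamps plus the rotation interval under test to rotation_boundaries; the returned record indices tell you how far into the trace each rotation would happen, which is what you want beside the packet count at which a run died.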