[Bro-Dev] BiF parsing index types

Will baxterw3232 at gmail.com
Wed May 18 10:59:29 PDT 2011


On Wed, May 18, 2011 at 12:01 AM, Robin Sommer <robin at icir.org> wrote:
>
> On Tue, May 17, 2011 at 11:16 -0400, you wrote:
>
>> I wasn't aware of being able to specify and print a single variable
>> from bro, as you did above, but ecstatic about how much easier that
>> will make things when troubleshooting.
>
> Are you aware of broctl's "print" command? That shows you the value of
> a variable at runtime. Try running that with
> "okay_to_lookup_sensitive_hosts" to see if the broctl configuration
> gets it right.
>

No, I wasn't until now. Forgive my nubness, but what specifically are
<id> and <node>? i.e. process id of parent ps or variable name? If
standalone, would node be just bro, localhost or something completely
different?

# broctl print "okay_to_lookup_sensitive_hosts" bro

>> /usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
>> error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
>> Abort trap: 6 (core dumped)
>
> These kinds of errors usually indicate trouble with the system's DNS
> setup. However, I don't think I've ever seen the "message too long"
> message.
>

So everything has been running smoothly for the last 24 hours or so,
then another crash. More details:

Cannot access memory at address 0x5
==== stderr.log
pcap bufsize = 32768
listening on bge1
1305661424.619015 run-time error: string without NUL terminator:
"\xff\xff*^Hbc0975.0\xc0^L\0^A\0^A\0\0^D\xb0\0^D^J^D^D.^Hbc097531\xc0^L\0^A\0^A\0\0^D\xb0\0^D\xac^Q(\xa7^Hbc097532.\xff\xff*^Hbc0975.0\xc0^L\0^A\0^A\0\0^D\xb0\0^D^J^D^D.^Hbc097531\xc0^L\0^A\0^A\0\0^D\xb0\0^D\xac^Q(\xa7^Hbc097532"
1305707636.214027 run-time error: string without NUL terminator:
"hosta^Ecompany^Corg\0\xc0^L\0!\0^A\0\0^Bx\0\x1c\0\0\0d^A\x85^J04c2nvrs-a^Ecompa"
1305707636.259675 run-time error: string without NUL terminator:
"hosta^Ecompany^Corg\0\xc0^L\0!\0^A\0\0^Bx\0\x1c\0\0\0d^A\x85^J04c2nvrs-a^Ecompa"
1305734703.016096 run-time error: string with embedded NUL:
"oo^M\xc3\xca\0^A\0^A\0"
1305735623.373659 internal error: NB-DNS error in DNS_Mgr::Process
(ns_initparse(): Message too long)
/usr/local/bro/share/broctl/scripts/run-bro: line 73: 31891 Abort
trap: 6           (core dumped) nohup $tmpbro $@
==== stdout.log
==== .status
TERMINATED [internal_error]
==== No prof.log.
bro.core
Core was generated by `bro'.
Program terminated with signal 6, Aborted.
#0  0x286e8a27 in kill () from /lib/libc.so.7
#0  0x286e8a27 in kill () from /lib/libc.so.7
#1  0x286e8986 in raise () from /lib/libc.so.7
#2  0x286e756a in abort () from /lib/libc.so.7
#3  0x080517a4 in internal_error () at SSLInterpreter.cc:30
#4  0x080a1691 in DNS_Mgr::Process (this=0xbfbfe554) at DNS_Mgr.cc:1069
#5  0x08147285 in net_run () at Net.cc:528
#6  0x0804fbff in main (argc=) at main.cc:999

Followed by this crash when broctl tried to restart 5 minutes later.
So, do you still think this looks like a host configuration issue?
This is on a FreeBSD 7.3 host, FYI.

[bro]
Variable "this" is not available.
==== stderr.log
/usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
/usr/local/bro/share/broctl/scripts/run-bro: line 73: 55221 Abort
trap: 6           (core dumped) nohup $tmpbro $@
==== stdout.log
==== .status
TERMINATED [internal_error]
==== No prof.log.
bro.core
Core was generated by `bro'.
Program terminated with signal 6, Aborted.
#0  0x286e8a27 in kill () from /lib/libc.so.7
#0  0x286e8a27 in kill () from /lib/libc.so.7
#1  0x286e8986 in raise () from /lib/libc.so.7
#2  0x286e756a in abort () from /lib/libc.so.7
#3  0x080517a4 in internal_error () at SSLInterpreter.cc:30
#4  0x080a199c in DNS_Mgr::Resolve (this=) at DNS_Mgr.cc:580
#5  0x080a1dbd in DNS_Mgr::LookupHost (this=0x82dc800, name=0x85a3939
"test-scooter.av.pa-x.dec.com") at DNS_Mgr.cc:468
#6  0x080682b7 in brolex () at scan.l:324
#7  0x08053bbc in yyparse () at p.c:2260
#8  0x0804ee16 in main (argc=17, argv=0xbfbfeb5c) at main.cc:749

Thanks,

Will

> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>


