bro dies (every day)

scott campbell scampbell at lbl.gov
Fri Aug 22 08:05:15 PDT 2003


Anton Chuvakin, Ph.D. wrote:
| Vern and all,
|
| I reported bro dying here before, but now (with 0.34) it happens EVERY
| DAY. I suspect the ongoing ICMP "rain" is to blame as well, since I don't
| think it was happening that often before that. As usual, there are no
| messages in the logs and no core file (ulimit is set).
|
| I would appreciate any hints for finding out what happens. I can send my
| policy file over, if needed.
|
| Best,

I experienced the same problem and tracked down a possible source of the
problem.

I took a quick look at the icmp code, and did a little testing.  During
this I noticed the following:  when *any* tracefile with icmp in it is
run through bro, there will be an exception at close time (i.e., after
net_done() is called).

On a trace file of ~500 icmp packets (and only icmp), the following data
was provided from the exec trace file:

0.000000 <no location>:0        event called: bro_init()

1060118249.065749 <no location>:0       event called: net_done(t =
'1060118249.06575')

1060118249.065749 <no location>:0       event called:
connection_state_remove(c = '[orig_h=128.55.128.84, resp_h=128.3.11.35,
itype=8, icode=0]')

In the info (i.e., stderr) file the following can be found:

1060118249.065749 <no location> (128.3.11.35): bad tag in Val::CONVERTER

which seems to correlate with the last event logged.  Regular logged
data seems to indicate that only the last icmp packet seems to tickle
this bug.

When a single pair of icmp ping request-response are run through, the
same problem presents itself, with the 'connection_state_remove' call
getting the orig_h and resp_h IPs *backwards* with respect to the icmp
flow object defined when icmp.bro is loaded.

Loading the icmp.bro module seems not to affect this problem, although I
am seeing strange behavior with regard to some packet payload analysis
that is going on (modified icmp.bro).

If anyone has a good idea as to the location of the problem, I would be
most happy to work with them on resolving this issue.  Recently a
modified sk rootkit with an icmp backdoor was discovered at another lab,
so keeping an eye on this protocol has just been raised in priority.

thanks!

scott campbell

-----
Scott Campbell
NERSC Network Security
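The correlation Scott does by hand above (matching the timestamp of the "bad tag" stderr line against the last event in the exec trace and reading the ICMP endpoints off that event) as a small triage script. This is an added example, not code from the post or from Bro; its sample input is the trace and stderr excerpts quoted in the post, and the regexes assume only the `event called:` and `<no location>` layouts those excerpts show.

```python
import re
from collections import defaultdict

# Constructed sample input: the exec-trace and stderr excerpts quoted in the
# post. The archive wraps long event lines, so continuation lines are joined.
EXEC_TRACE = """\
0.000000 <no location>:0        event called: bro_init()
1060118249.065749 <no location>:0       event called: net_done(t =
'1060118249.06575')
1060118249.065749 <no location>:0       event called:
connection_state_remove(c = '[orig_h=128.55.128.84, resp_h=128.3.11.35,
itype=8, icode=0]')
"""
INFO_FILE = "1060118249.065749 <no location> (128.3.11.35): bad tag in Val::CONVERTER\n"

TS_RE = re.compile(r"^\d+\.\d+ ")
EVENT_RE = re.compile(r"^(?P<ts>\d+\.\d+) .*?event called: (?P<name>\w+)\((?P<args>.*)\)$")
ERROR_RE = re.compile(r"^(?P<ts>\d+\.\d+) <no location>(?: \((?P<host>[^)]*)\))?: (?P<msg>.*)$")
ADDR_RE = re.compile(r"(orig_h|resp_h)=([\d.]+)")

def join_wrapped(text):
    """Glue lines that do not start with a timestamp onto the previous record."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def correlate(exec_trace, info_text):
    """Per stderr error: events at the same timestamp, the ICMP endpoints of the
    last such event, and which role (orig_h/resp_h) the error's address holds."""
    by_ts = defaultdict(list)
    for rec in join_wrapped(exec_trace):
        m = EVENT_RE.match(rec)
        if m:
            by_ts[m.group("ts")].append((m.group("name"), m.group("args")))
    results = []
    for line in info_text.splitlines():
        e = ERROR_RE.match(line)
        if not e:
            continue
        same_ts = by_ts.get(e.group("ts"), [])
        hosts = dict(ADDR_RE.findall(same_ts[-1][1])) if same_ts else {}
        role = next((r for r, a in hosts.items() if a == e.group("host")), None)
        results.append({"ts": e.group("ts"), "error": e.group("msg"),
                        "events": [n for n, _ in same_ts],
                        "hosts": hosts, "error_host_role": role})
    return results
```

On the quoted excerpts this reports that the error shares its timestamp with net_done and connection_state_remove, and that the address in the error message (128.3.11.35) is the resp_h of that final ICMP event.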