bro dies (every day)
scott campbell
scampbell at lbl.gov
Fri Aug 22 08:05:15 PDT 2003
Anton Chuvakin, Ph.D. wrote:
| Vern and all,
|
| I reported bro dying here before, but now (with 0.34) it happens EVERY
| DAY. I suspect the ongoing ICMP "rain" is to blame as well, since I don't
| think it was happening that often before that. As usual, there are no
| messages in the logs and no core file (ulimit is set).
|
| I would appreciate any hints for finding out what happens. I can send my
| policy file over, if needed.
|
| Best,
I experienced the same problem and tracked down a possible source of the
problem.
I took a quick look at the icmp code, and did a little testing. During
this I noticed the following: when *any* tracefile with icmp in it is
run through bro, there will be an exception at close time (ie after
net_done() is called).
On a trace file of ~500 icmp packets (and only icmp), the following data
was provided from the exec trace file:
0.000000 <no location>:0 event called: bro_init()
1060118249.065749 <no location>:0 event called: net_done(t =
'1060118249.06575')
1060118249.065749 <no location>:0 event called:
connection_state_remove(c = '[orig_h=128.55.128.84, resp_h=128.3.11.35,
itype=8, icode=0]')
In the info (ie stderr) file the following can be found:
1060118249.065749 <no location> (128.3.11.35): bad tag in Val::CONVERTER
which seems to correlate with the last event logged. Regular logged
data seems to indicate that only the last icmp packet seems to tickle
this bug.
When a single pair of icmp ping request-response are run through, the
same problem presents itself, with the 'connection_state_remove' call
getting the orig_h and resp_h IPs *backwards* with respect to the icmp
flow object defined when icmp.bro is loaded.
Loading the icmp.bro module seems not to affect this problem, although I
am seeing strange behavior with regard to some packet payload analysis
that is going on (modified icmp.bro).
If anyone has a good idea as to the location of the problem, I would be
most happy in working with them in resolving this issue. Recently a
modified sk rootkit with an icmp backdoor was discovered at another lab,
so keeping an eye on this protocol has just been raised in priority.
thanks!
scott campbell
-----
Scott Campbell
NERSC Network Security
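The correlation done by hand in the post above (matching the stderr "bad tag" line to the last event with the same timestamp, and reading orig_h/resp_h out of the connection record) can be scripted; this is an added Python example, not code from the post or from Bro. The exec-trace and info-file lines are constructed from the excerpts quoted above, and their format is assumed from those excerpts.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the exec-trace and info-file excerpts quoted above.
EXEC_TRACE = """\
0.000000 <no location>:0 event called: bro_init()
1060118249.065749 <no location>:0 event called: net_done(t =
'1060118249.06575')
1060118249.065749 <no location>:0 event called:
connection_state_remove(c = '[orig_h=128.55.128.84, resp_h=128.3.11.35,
itype=8, icode=0]')
"""
INFO_FILE = "1060118249.065749 <no location> (128.3.11.35): bad tag in Val::CONVERTER\n"

# Assumed line shapes: "<ts> <location>:<line> event called: <call>" and "<ts> <location> (<host>): <msg>"
EVENT_RE = re.compile(r"^(\d+\.\d+) (<[^>]*>:\d+) event called:\s*(.*)$")
ERROR_RE = re.compile(r"^(\d+\.\d+) (<[^>]*>) \(([^)]*)\): (.*)$")


def parse_events(text: str) -> List[Dict]:
    """Reassemble wrapped exec-trace lines into one record per event call."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "loc": m.group(2), "parts": [m.group(3).strip()]})
        elif events:
            events[-1]["parts"].append(line.strip())  # continuation of the previous event
    for ev in events:
        ev["call"] = " ".join(p for p in ev.pop("parts") if p)
        ev["name"] = ev["call"].split("(", 1)[0]
        # key=value fields inside the connection record literal (orig_h, resp_h, itype, icode)
        ev["args"] = dict(re.findall(r"(\w+)=([^,\]]+)", ev["call"]))
    return events


def correlate_error(exec_trace: str, info: str) -> Optional[Dict]:
    """Match a 'bad tag' error to the last event sharing its timestamp."""
    events = parse_events(exec_trace)
    for line in info.splitlines():
        m = ERROR_RE.match(line)
        if not m or "bad tag" not in m.group(4):
            continue
        same_ts = [e for e in events if e["ts"] == m.group(1)]
        if not same_ts:
            continue
        ev, endpoint = same_ts[-1], m.group(3)
        # Which side of the connection record is the host named in the error message?
        role = next((k for k in ("orig_h", "resp_h") if ev["args"].get(k) == endpoint), None)
        return {"error": m.group(4), "event": ev["name"], "args": ev["args"],
                "endpoint": endpoint, "endpoint_role": role}
    return None
```

On the constructed input the error lines up with connection_state_remove, and the host named in the error is the record's resp_h, which is the direction question raised in the post.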