Segmentation fault with RuleMatcher
Yohann Thomas
yohann.thomas at rd.francetelecom.com
Tue May 4 02:24:42 PDT 2004
Hi everybody !!!
As I explained in a previous mail, I'd like to log information using
Bro, in particular HTTP payloads for each connection seen on a network.
I was looking for another way than signatures to manage this. Thanks for
your answers, but finally, I think signatures are not such a bad way to
handle this, since they can be easily extended to other protocols by just
changing port numbers in the rules, and also because I can format output
the way I want in a Bro script.
So, let's see the new problem... :-(
At the moment, I use these signatures:

signature http-request {
    ip-proto == tcp
    dst-port == 80
    payload /.*/
    event "http-request"
}

signature http-reply {
    ip-proto == tcp
    src-port == 80
    payload /.*/
    event "http-reply"
    tcp-state responder
}

signature http-effective-request {
    ip-proto == tcp
    dst-port == 80
    payload /.*/
    event "http-effective-request"
    requires-reverse-signature http-reply
}
In fact, I can get events for http-request, http-reply, and
http-effective-request (which means Bro has effectively matched a
(request, reply) couple).
Then, here is the way I manage the data in a Bro script:

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( msg == "http-request" )
        {
        current_session$req$payload = data;
        }
    if ( msg == "http-reply" )
        {
        current_session$rep$payload = data;
        }
    if ( msg == "http-effective-request" )
        {
        current_session$startTime = state$conn$start_time;
        current_session$IP_clt = state$conn$id$orig_h;
        current_session$IP_srv = state$conn$id$resp_h;
        log_info(current_session);
        }
    }

where log_info is a function I defined to log the info ;-) contained in the
current_session record.
Moreover, I load the http-reply (so http and http-request are also loaded)
and signatures modules in this script.
Now the results:
On my computer, it works perfectly, but I'm the only one generating HTTP
traffic... ;-)
But when I launch this on a real probe, I get a "Segmentation Fault"
after a random time.
I dumped a core to locate the problem, and it seems to crash in
RuleMatcher::ExecRule.
So, my question: what's the problem??? (I know there are better
questions, but... ;-) )
Can it be due to excessive traffic???
Other information:
- Traffic: about 5000 packets/s
- HTTP traffic only: about 500 packets/s (I use a tcpdump filter to
limit to this kind of traffic)
- the top command gives me: %CPU max about 15% and %MEM max about 3%
Thanks in advance,
Yohann.
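As an added example (not the poster's script), here is the same signature_match handler with the record type and log function the post leaves out, keeping one record per connection in a table keyed by conn_id rather than a single global current_session, and dropping the entry when the connection ends. The field names follow the post; open_log_file, fmt and byte_len are assumed to be the ones from Bro's standard scripts.

```bro
# Added example, not the original poster's code.
@load signatures

type http_session: record {
    req_payload: string;
    rep_payload: string;
    startTime: time &optional;   # field names follow the original post
    IP_clt: addr &optional;
    IP_srv: addr &optional;
};

# One record per connection, so interleaved request/reply events from
# different connections do not overwrite each other.
global sessions: table[conn_id] of http_session;

# Assumption: open_log_file() as provided by Bro's standard init scripts.
global session_log = open_log_file("http-sessions");

function lookup_session(id: conn_id): http_session
    {
    if ( id !in sessions )
        sessions[id] = [$req_payload = "", $rep_payload = ""];
    return sessions[id];
    }

function log_info(s: http_session)
    {
    print session_log, fmt("%s %s -> %s req=%d bytes rep=%d bytes",
        s$startTime, s$IP_clt, s$IP_srv,
        byte_len(s$req_payload), byte_len(s$rep_payload));
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    local s = lookup_session(state$conn$id);

    if ( msg == "http-request" )
        s$req_payload = data;
    else if ( msg == "http-reply" )
        s$rep_payload = data;
    else if ( msg == "http-effective-request" )
        {
        s$startTime = state$conn$start_time;
        s$IP_clt = state$conn$id$orig_h;
        s$IP_srv = state$conn$id$resp_h;
        log_info(s);
        delete sessions[state$conn$id];
        }
    }

# Drop state for connections that never produced a matched pair,
# so the table does not grow without bound on a busy probe.
event connection_state_remove(c: connection)
    {
    delete sessions[c$id];
    }
```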