Segmentation fault with RuleMatcher

Yohann Thomas yohann.thomas at rd.francetelecom.com
Tue May 4 02:24:42 PDT 2004


Hi everybody !!!

As I explained in a previous mail, I'd like to log information using 
Bro, in particular http payloads for each connection seen on a network.
I was looking for another way than signatures to manage this. Thanks for 
your answers, but finally, I think signatures are not such a bad way to 
handle this, since they can be easily extended to other protocols by just 
changing port numbers in the rules and also because I can format output 
the way I want in a Bro script.

So, let's see the new problem... :-(

At the moment, I use these signatures :

signature http-request {
    ip-proto == tcp
    dst-port == 80
    payload /.*/
    event "http-request"
}

signature http-reply {
    ip-proto == tcp
    src-port == 80
    payload /.*/
    event "http-reply"
    tcp-state responder
}

signature http-effective-request {
    ip-proto == tcp
    dst-port == 80
    payload /.*/
    event "http-effective-request"
    requires-reverse-signature http-reply
}

In fact, I can get events for http-request, http-reply, and 
http-effective-request (which means Bro has effectively matched a 
(request, reply) couple).
Then, here is the way I manage the data in a Bro script :

event signature_match(state: signature_state, msg: string, data: string)
{
    # payload of the client -> server side (dst-port == 80)
    if (msg == "http-request")
    {
        current_session$req$payload = data;
    }
    # payload of the server -> client side (src-port == 80, responder)
    if (msg == "http-reply")
    {
        current_session$rep$payload = data;
    }
    # fired only once a (request, reply) couple has been matched
    if (msg == "http-effective-request")
    {
        current_session$startTime = state$conn$start_time;
        current_session$IP_clt = state$conn$id$orig_h;
        current_session$IP_srv = state$conn$id$resp_h;
        log_info(current_session);
    }
}

where log_info is a function I defined to log info ;-) contained in the 
current_session record.
Moreover, I load http-reply (so http and http-request are also loaded) 
and signatures modules in this script.

Now the results :

On my computer, it works perfectly, but I'm the only one generating http 
traffic... ;-)

But when I launch this on a real probe, I get a "Segmentation Fault" 
after a random time.
I dumped a core, to locate the problem, and it seems to crash in 
RuleMatcher::ExecRule.

So, my question : What's the problem ??? (I know there are better 
questions, but... ;-) )
Can it be due to an excessive traffic ???

Other information :
    - Traffic : about 5000 packets/s
    - HTTP traffic only : about 500 packets/s (I use a tcpdump filter to 
limit to this kind of traffic)
    - top command gives me : %CPU = max about 15% and %MEM = max about 3%


Thanks in advance,

Yohann.
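The script above keeps one global current_session record and fills it from three separate signature events. On a single workstation the request, reply and effective-request events of one connection arrive back to back, but on a busy probe the events of many connections interleave, so a request payload can be overwritten by another connection's request before its own reply is seen. The following example, added here and not part of the original post or of Bro, replays that pairing logic in Python over a constructed stream of signature_match events (ConnId, SigEvent and Session are stand-ins for Bro's conn_id, signature_state and the poster's record; the hostnames and payloads are made up). It contrasts the single-global approach with a per-connection table keyed on the connection id, which is what state$conn$id provides in the real event handler.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class ConnId:
    """Stand-in for Bro's conn_id (orig_h, orig_p, resp_h, resp_p)."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int


@dataclass(frozen=True)
class SigEvent:
    """Stand-in for one signature_match(state, msg, data) delivery."""
    conn: ConnId
    start_time: float
    msg: str          # "http-request", "http-reply" or "http-effective-request"
    data: str         # matched payload


@dataclass
class Session:
    """Mirror of the poster's current_session record."""
    req_payload: str = ""
    rep_payload: str = ""
    start_time: float = 0.0
    ip_clt: str = ""
    ip_srv: str = ""


def correlate_global(events: List[SigEvent]) -> List[Session]:
    """One shared record for all connections, as in the posted script."""
    current = Session()
    logged: List[Session] = []
    for ev in events:
        if ev.msg == "http-request":
            current.req_payload = ev.data
        elif ev.msg == "http-reply":
            current.rep_payload = ev.data
        elif ev.msg == "http-effective-request":
            current.start_time = ev.start_time
            current.ip_clt = ev.conn.orig_h
            current.ip_srv = ev.conn.resp_h
            logged.append(replace(current))   # snapshot what log_info would see
    return logged


def correlate_per_connection(events: List[SigEvent]) -> List[Session]:
    """One record per connection id; state is released once logged."""
    sessions: Dict[ConnId, Session] = {}
    logged: List[Session] = []
    for ev in events:
        s = sessions.setdefault(ev.conn, Session())
        if ev.msg == "http-request":
            s.req_payload = ev.data
        elif ev.msg == "http-reply":
            s.rep_payload = ev.data
        elif ev.msg == "http-effective-request":
            s.start_time = ev.start_time
            s.ip_clt = ev.conn.orig_h
            s.ip_srv = ev.conn.resp_h
            logged.append(s)
            del sessions[ev.conn]   # bound the table instead of growing forever
    return logged


def pairs_consistent(logged: List[Session]) -> bool:
    """Constructed payloads carry their connection tag so mismatches are visible."""
    return all(s.req_payload[-1] == s.rep_payload[-1] for s in logged)


# Constructed event stream: two client connections to the same server whose
# events interleave, as they would on a probe seeing real traffic.
A = ConnId("10.0.0.1", 40001, "192.0.2.10", 80)
B = ConnId("10.0.0.2", 40002, "192.0.2.10", 80)
EVENTS = [
    SigEvent(A, 1.0, "http-request", "GET /a"),
    SigEvent(B, 1.1, "http-request", "GET /b"),
    SigEvent(A, 1.0, "http-reply", "HTTP/1.0 200 a"),
    SigEvent(A, 1.0, "http-effective-request", "GET /a"),
    SigEvent(B, 1.1, "http-reply", "HTTP/1.0 200 b"),
    SigEvent(B, 1.1, "http-effective-request", "GET /b"),
]

if __name__ == "__main__":
    for name, fn in (("global", correlate_global), ("per-conn", correlate_per_connection)):
        out = fn(EVENTS)
        print(name, "consistent:", pairs_consistent(out))
        for s in out:
            print("  ", s.ip_clt, "->", s.ip_srv, repr(s.req_payload), repr(s.rep_payload))
```

With the global record, the first logged session carries connection A's reply next to connection B's request; with the per-connection table each logged pair belongs to a single connection, and deleting the entry on the effective-request event keeps the table from growing with every new connection the probe sees.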