[Bro] Rotate log time issue - bro seg fault

CS Lee geek00l at gmail.com
Mon Sep 17 20:05:18 PDT 2007


Hi,

We have installed bro 1.3.2 (expect the edge ;]) on Ubuntu 7.04 without much
hassle, and we are currently practicing writing bro scripts, but
during the loading of the brolite policy script, bro crashed
with a segmentation fault. It goes like this -

gdb bro
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run -r ../fl0p-skype-sig.pcap brolite
Starting program: /usr/local/bin/bro -r ../fl0p-skype-sig.pcap brolite

Program received signal SIGSEGV, Segmentation fault.
0x086a67d7 in ?? ()
(gdb) backtrace
#0 0x086a67d7 in ?? ()
#1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562
#2 0x080de5f8 in BroFile::Open (this=0x8990480, file=0x891c218) at File.cc:192
#3 0x080df663 in BroFile::Rotate (this=0x8990480) at File.cc:528
#4 0x080f8314 in bro_rotate_file (frame=0x88b1598, BiF_ARGS=0x8a5b5c8) at bro.bif:2393
#5 0x080e8a4d in BuiltinFunc::Call (this=0x8362020, args=0x8a5b5c8, parent=0x88b1598) at Func.cc:467
#6 0x080da56c in CallExpr::Eval (this=0x8a2b3f0, f=0x88b1598) at Expr.cc:4501
#7 0x080c4a5f in AssignExpr::Eval (this=0x8a2b200, f=0x88b1598) at Expr.cc:2562
#8 0x08179cdc in ExprStmt::Exec (this=0x8a2b590, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:395
#9 0x081756c9 in StmtList::Exec (this=0x8a2b020, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:1391
#10 0x080e8e24 in BroFunc::Call (this=0x8a2bc58, args=0x8a5c258, parent=0x88aca08) at Func.cc:324
#11 0x080da56c in CallExpr::Eval (this=0x8a2f820, f=0x88aca08) at Expr.cc:4501
#12 0x08179cdc in ExprStmt::Exec (this=0x8a2f880, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:395
#13 0x081756c9 in StmtList::Exec (this=0x8a2f118, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:1391
#14 0x080e8e24 in BroFunc::Call (this=0x8a2f8e0, args=0x828d698, parent=0x0) at Func.cc:324
#15 0x080a8cf6 in EventHandler::Call (this=0x8a2f9b0, vl=0x828d698, no_remote=true) at EventHandler.cc:64
#16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59
#17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017

(gdb) frame 1
#2 0x080de4a7 in BroFile::InstallRotateTimer (this=0x837c5f8) at File.cc:562
562 timer_mgr->Add(rotate_timer);
(gdb) frame 2
#3 0x080de5f8 in BroFile::Open (this=0x837c5f8, file=0x837c720) at File.cc:192
192 InstallRotateTimer();
(gdb) frame 3
#4 0x080df663 in BroFile::Rotate (this=0x837c5f8) at File.cc:528
528 Open(newf);
(gdb) frame 4
#5 0x080f8314 in bro_rotate_file (frame=0x84e79e0, BiF_ARGS=0x84e5f10) at bro.bif:2393
2393 RecordVal* info = f->Rotate();

This led us to believe something is wrong with the log rotation (time issue),
therefore we tried running bro with this

bro -r fl0p-skype-sig.pcap tcp rotate-logs

Immediately it crashes, and if we disable the log rotation in brolite,
everything goes fine. Looking at our pcap file metadata -

capinfos fl0p-skype-sig.pcap
File name: fl0p-skype-sig.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 368874
File size: 75144608 bytes
Data size: 69242600 bytes
Capture duration: 3892.835282 seconds
Start time: Sun Sep 9 10:02:58 2007
End time: Sun Sep 9 11:07:51 2007
Data rate: 17787.19 bytes/s
Data rate: 142297.52 bits/s
Average packet size: 187.71 bytes

So this pcap timeline span is around 1 hour. We tune the interval of the log
rotation and it may crash at different points, and that seems to be the time
issue.

Btw, we don't have such an issue when using bro-1.2 on MacOSX, Gentoo and
bro-1.3.2 on FreeBSD 6.2.

Thanks.




-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com