[Bro] Rotate log time issue - bro seg fault

CS Lee geek00l at gmail.com
Mon Sep 17 21:29:45 PDT 2007


Hi Scott,

Here's the last part of the result in the trace:

1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:102 event called: rotate_interval(f = 'file "weird.log" of string')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Builtin Function called: bro_is_terminating()
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Function return: T
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:71 function called: RotateLogs::rotate(f = 'file "weird.log" of string')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Builtin Function called: rotate_file(f = 'file "weird.log" of string')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Function return: [old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 function called: RotateLogs::run_pp(info = '[old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 function called: RotateLogs::build_name(info = '[old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: strftime(fmt = '%y-%m-%d_%H.%M.%S', d = '1190089477.64701')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: 07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: fmt(va_args = '%s-%s', vararg0 = 'weird.log', vararg1 = '07-09-18_12.24.37')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: fmt(va_args = '/bin/mv %s %s', vararg0 = 'weird.log.27507.1189307168.792985.tmp', vararg1 = 'weird.log-07-09-18_12.24.37')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: /bin/mv weird.log.27507.1189307168.792985.tmp weird.log-07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: system(str = '/bin/mv weird.log.27507.1189307168.792985.tmp weird.log-07-09-18_12.24.37')
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: 0



On 9/18/07, scott campbell <scampbell at lbl.gov> wrote:
>
> I have seen a similar problem with InstallRotateTimer when bro is
> exiting (ie with bro.rc --checkpoint) on FreeBSD 6.2, but not at
> startup.  You might get a little better information if you start up the
> instance with the trace option (-t <file>) which will let you know
> exactly what the policy side is doing.
>
>
> scott
> CS Lee wrote:
> > Hi,
> >
> > We have installed bro 1.3.2(expect the edge ;]) on Ubuntu 7.04 without much
> > hassle, and we are currently practicing on writing the bro script, but
> > during the loading of brolite policy script, the bro crashed
> > with segmentation fault. It goes in this way -
> >
> > gdb bro
> > GNU gdb 6.6-debian
> > Copyright (C) 2006 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and you are
> > welcome to change it and/or distribute copies of it under certain conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB. Type "show warranty" for details.
> > This GDB was configured as "i486-linux-gnu"...
> > Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
> >
> > (gdb) run -r ../fl0p-skype-sig.pcap brolite
> > Starting program: /usr/local/bin/bro -r ../fl0p-skype-sig.pcap brolite
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x086a67d7 in ?? ()
> > (gdb) backtrace
> > #0 0x086a67d7 in ?? ()
> > #1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562
> > #2 0x080de5f8 in BroFile::Open (this=0x8990480, file=0x891c218) at File.cc:192
> > #3 0x080df663 in BroFile::Rotate (this=0x8990480) at File.cc:528
> > #4 0x080f8314 in bro_rotate_file (frame=0x88b1598, BiF_ARGS=0x8a5b5c8) at bro.bif:2393
> > #5 0x080e8a4d in BuiltinFunc::Call (this=0x8362020, args=0x8a5b5c8, parent=0x88b1598) at Func.cc:467
> > #6 0x080da56c in CallExpr::Eval (this=0x8a2b3f0, f=0x88b1598) at Expr.cc:4501
> > #7 0x080c4a5f in AssignExpr::Eval (this=0x8a2b200, f=0x88b1598) at Expr.cc:2562
> > #8 0x08179cdc in ExprStmt::Exec (this=0x8a2b590, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:395
> > #9 0x081756c9 in StmtList::Exec (this=0x8a2b020, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:1391
> > #10 0x080e8e24 in BroFunc::Call (this=0x8a2bc58, args=0x8a5c258, parent=0x88aca08) at Func.cc:324
> > #11 0x080da56c in CallExpr::Eval (this=0x8a2f820, f=0x88aca08) at Expr.cc:4501
> > #12 0x08179cdc in ExprStmt::Exec (this=0x8a2f880, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:395
> > #13 0x081756c9 in StmtList::Exec (this=0x8a2f118, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:1391
> > #14 0x080e8e24 in BroFunc::Call (this=0x8a2f8e0, args=0x828d698, parent=0x0) at Func.cc:324
> > #15 0x080a8cf6 in EventHandler::Call (this=0x8a2f9b0, vl=0x828d698, no_remote=true) at EventHandler.cc:64
> > #16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59
> > #17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017
> >
> > (gdb) frame 1
> > #2 0x080de4a7 in BroFile::InstallRotateTimer (this=0x837c5f8) at File.cc:562
> > 562 timer_mgr->Add(rotate_timer);
> > (gdb) frame 2
> > #3 0x080de5f8 in BroFile::Open (this=0x837c5f8, file=0x837c720) at File.cc:192
> > 192 InstallRotateTimer();
> > (gdb) frame 3
> > #4 0x080df663 in BroFile::Rotate (this=0x837c5f8) at File.cc:528
> > 528 Open(newf);
> > (gdb) frame 4
> > #5 0x080f8314 in bro_rotate_file (frame=0x84e79e0, BiF_ARGS=0x84e5f10) at bro.bif:2393
> > 2393 RecordVal* info = f->Rotate();
> >
> > This led us to believe something is wrong with the log rotation (time issue),
> > therefore we tried running bro with this
> >
> > bro -r fl0p-skype-sig.pcap tcp rotate-logs
> >
> > Immediately it crashes, and if we disable the log rotation in brolite,
> > everything goes fine. Looking at our pcap file metadata -
> >
> > capinfos fl0p-skype-sig.pcap
> > File name: fl0p-skype-sig.pcap
> > File type: Wireshark/tcpdump/... - libpcap
> > Number of packets: 368874
> > File size: 75144608 bytes
> > Data size: 69242600 bytes
> > Capture duration: 3892.835282 seconds
> > Start time: Sun Sep 9 10:02:58 2007
> > End time: Sun Sep 9 11:07:51 2007
> > Data rate: 17787.19 bytes/s
> > Data rate: 142297.52 bits/s
> > Average packet size: 187.71 bytes
> >
> > So this pcap timeline span is around 1 hour, we tune the interval of the log
> > rotation and it may crash in different points and that seems to be the time
> > issue.
> >
> > Btw, we don't have such issue when using bro-1.2 on MacOSX, Gentoo and
> > bro-1.3.2 on FreeBSD 6.2.
> >
> > Thanks.



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>