[Bro] crash with std::bad_alloc
Peter Wurzinger
pw at seclab.tuwien.ac.at
Wed Nov 5 09:22:44 PST 2008
Hi!

I am running my own bro policy script (bro 1.4, debian lenny), together
with a set of signatures that should be matched. After a few hours of
runtime bro always and repeatably crashes, with the following error message:

    terminate called after throwing an instance of 'std::bad_alloc'
    what(): std::bad_alloc

Bit by bit I stripped parts from my script in order to find the critical
part, and I ended up with a script as trivial as:

    @load conn
    @load notice
    @load notice-action-filters
    redef use_connection_compressor = F;
    redef capture_filters = {["ALL"] = ""};
    redef dpd_match_only_beginning = F;
    redef local_nets[...];
    redef signature_files += "./my_signatures.sig";

The critical part seems to be the signature matching. When including my
signatures, the error occurs. When commenting out the last redef line, it
works without crashing (at least for a much longer time until I
terminate it deliberately, I cannot be totally sure that it hadn't
crashed later). Note that I don't even handle the signature
matches anymore, still the error occurs. My signature file is approx
100Kb, contains more than 600 signatures, and all of them look like:

    signature xxx {
        dst-ip == local_nets
        event "xxx"
        payload /xxx/
    }

I'd be very happy about learning what exactly causes the error, and of
course how to avoid it.

Regards,
Peter.