[Bro] Bro 1.4, bropipe and MacOS
Stephen Chan
sychan at lbl.gov
Wed Jan 14 16:10:25 PST 2009
I figured out what was wrong, and it was indeed obvious.
When you don't specify a host, the call to bro_conn_new_str() on
line 198 sends a bogus string for the new bro connect handle, so that
fails. And I was misreading the usage message as indicating that I
needed to specify "host=127.0.0.1:47757", which doesn't work.
And if you specify the ip address, but not the port, that doesn't
work either. But if you specify everything explicitly with "bropipe
-df - 127.0.0.1:47757" then it works.
I'll see about patching in some appropriate default handling code
and submitting it.
Steve
On 1/14/09 2:45 PM, Stephen Chan wrote:
> Hi,
> Has anyone built and run bropipe under Bro 1.4 on MacOS 10.5.6?
>
> Bro and broccoli built and installed happily, and bropipe also
> built cleanly (after requiring that libstdc++ be explicitly put in the
> linker files, what's up with that?)
>
> But when I try to have bropipe connect to a local Bro instance, it
> fails to connect. In fact, it doesn't even seem to get to the point
> where it tries to open the tcp connection. Nothing shows up on a
> tcpdump (a telnet to the same port shows traffic getting through).
>
> A system call trace of the program (run with "./bropipe -df -
> host=127.0.0.1") gives this after the executable is pretty close to
> being done with loading libraries:
>
> open("/usr/local/bro/lib/libbroccoli.2.dylib\0", 0x0, 0x0) = 3 0
> pread(0x3, "\316\372\355\376\a\0", 0x1000, 0x0) = 4096 0
> mmap(0x22000, 0x10000, 0x5, 0x12, 0x3, 0x100000000) = 0x22000 0
> mmap(0x32000, 0x1000, 0x3, 0x12, 0x3, 0x100000000) = 0x32000 0
> mmap(0x33000, 0x1000, 0x7, 0x12, 0x3, 0x100000000) = 0x33000 0
> mmap(0x34000, 0xF950, 0x1, 0x12, 0x3, 0x100000000) = 0x34000 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
> close(0x3) = 0 0
> stat("/usr/lib/libstdc++.6.dylib\0", 0xBFFFD408,
> 0xFFFFFFFFBFFFB994) = 0 0
> stat("/usr/lib/libgcc_s.1.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994)
> = 0 0
> stat("/usr/lib/libSystem.B.dylib\0", 0xBFFFD408,
> 0xFFFFFFFFBFFFB994) = 0 0
> stat("/usr/lib/libssl.0.9.7.dylib\0", 0xBFFFD2F8,
> 0xFFFFFFFFBFFFB994) = 0 0
> stat("/usr/lib/libcrypto.0.9.7.dylib\0", 0xBFFFD2F8,
> 0xFFFFFFFFBFFFB994) = 0 0
> stat("/usr/lib/system/libmathCommon.A.dylib\0", 0xBFFFCF48,
> 0xFFFFFFFFBFFFB994) = 0 0
> open("/dev/dtracehelper\0", 0x2, 0xBFFFE444) = 3 0
> ioctl(0x3, 0x80086804, 0xBFFFE3C8) = 0 0
> close(0x3) = 0 0
> __sysctl(0xBFFFE29C, 0x2, 0xBFFFE2A4) = 0 0
> bsdthread_register(0x92F4EF30, 0x92F872A4, 0x1000) = 0 0
> open_nocancel("/dev/urandom\0", 0x0, 0x0) = 3 0
> read_nocancel(0x3, "=x\2006F\005\222\236y\0", 0x20) = 32 0
> close_nocancel(0x3) = 0 0
> mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000) =
> 0x44000 0
> mmap(0x0, 0x200000, 0x3, 0x1002, 0x7000000, 0x100000000) =
> 0x47000 0
> munmap(0x47000, 0xB9000) = 0 0
> munmap(0x200000, 0x47000) = 0 0
> mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000) =
> 0x47000 0
> getpid(0x0, 0x3000, 0x3) = 5743 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
>
> [more selects ]
>
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
> could not connect to Bro at host=127.0.0.1:.
> Will try again in 5 seconds
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
> write_nocancel(0x2, "could not connect to Bro at
> host=127.0.0.1:.\n\0", 0x2D) = 45 0
> write_nocancel(0x2, "Will try again in 5 seconds \n\0", 0x1D)
> = 29 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
>
>
> It looks like the call to bro_conn_connect() at bropipe.cc:212 is
> getting stalled somehow.
>
> Has anyone else seen this? Is there something really obvious that
> I'm overlooking? Packet filters are ruled out, and nothing in the logs
> indicates that the system is seeing any activity. Basically the
> bro_conn_connect() call just seems to chase its tail around for a bit
> and then return, without attempting a tcp connect.
>
> Thanks,
> Steve
>
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
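The default handling Steve says he will patch in, written out as an added example (this is not bropipe's or Broccoli's own code). It normalises the optional connect argument into the "host:port" string that bropipe hands to bro_conn_new_str(), so that no argument, a host without a port, or a host with a trailing colon (the three forms the thread reports as failing) all yield a usable target instead of a bogus string. Assumptions not taken from the thread: 127.0.0.1 as the default host, 47757 as the default port (the port the thread connects to), tolerating a leading "host=" prefix as the usage message suggested, and rejecting a port that is not in 1..65535 rather than silently defaulting it.

```c
/* Added example: normalise bropipe's connect target before it reaches
 * bro_conn_new_str(), which expects a "host:port" string.
 * Defaults and the "host=" tolerance below are assumptions for this
 * example, not behaviour documented by bropipe or Broccoli. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_HOST "127.0.0.1"   /* assumed default */
#define DEFAULT_PORT 47757          /* port used in the thread */

/* Parse a decimal port; returns 0 for anything outside 1..65535 or
 * for trailing junk, so a typo never turns into a silent default. */
static int parse_port(const char *s)
{
    char *end;
    long p;

    if (s == NULL || *s == '\0')
        return 0;
    p = strtol(s, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535)
        return 0;
    return (int)p;
}

/* Build "host:port" into out from an optional user argument.
 * Accepted forms: NULL, "", "host", "host:", "host:port", and any of
 * those prefixed with "host=". A missing host or port falls back to
 * the defaults; an invalid port is an error.
 * Returns 1 on success, 0 on a malformed argument or a too-small buffer. */
int normalize_target(const char *arg, char *out, size_t outlen)
{
    char host[256];
    const char *colon;
    size_t hlen;
    int port = DEFAULT_PORT;
    int n;

    if (arg == NULL)
        arg = "";
    if (strncmp(arg, "host=", 5) == 0)   /* tolerate the usage-message form (assumed) */
        arg += 5;

    colon = strchr(arg, ':');
    hlen = colon ? (size_t)(colon - arg) : strlen(arg);
    if (hlen >= sizeof host)
        return 0;
    memcpy(host, arg, hlen);
    host[hlen] = '\0';
    if (hlen == 0)                        /* no host given: default it */
        strcpy(host, DEFAULT_HOST);

    if (colon != NULL && colon[1] != '\0') {
        port = parse_port(colon + 1);     /* "host:" keeps the default port */
        if (port == 0)
            return 0;
    }

    n = snprintf(out, outlen, "%s:%d", host, port);
    return n > 0 && (size_t)n < outlen;
}

/* Convenience wrapper: returns the normalised target in a static
 * buffer, or NULL if the argument was rejected. */
const char *normalized(const char *arg)
{
    static char buf[320];
    return normalize_target(arg, buf, sizeof buf) ? buf : NULL;
}

int main(int argc, char **argv)
{
    const char *target = normalized(argc > 1 ? argv[1] : NULL);

    if (target == NULL) {
        fprintf(stderr, "bad connect target: %s\n", argv[1]);
        return 1;
    }
    /* This is the string that would be passed on to bro_conn_new_str(). */
    printf("connecting to %s\n", target);
    return 0;
}
```

With this in front of the connect call, "./bropipe -df - host=127.0.0.1" and a bare "./bropipe -df -" would both resolve to 127.0.0.1:47757, while a target such as "127.0.0.1:abc" is rejected up front instead of being retried every 5 seconds.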