[Bro] Bro 1.4, bropipe and MacOS

Stephen Chan sychan at lbl.gov
Wed Jan 14 16:10:25 PST 2009




    I figured out what was wrong, and it was indeed obvious.

    When you don't specify a host, the call to bro_conn_new_str() on
line 198 sends a bogus string for the new bro connect handle, so that
fails. And I was misreading the usage message as indicating that I
needed to specify "host=127.0.0.1:47757", which doesn't work.

    And if you specify the ip address, but not the port, that doesn't
work either. But if you specify everything explicitly with "bropipe
-df - 127.0.0.1:47757" then it works.

    I'll see about patching in some appropriate default handling code
and submitting it.

    Steve


On 1/14/09 2:45 PM, Stephen Chan wrote:
> Hi,
>     Has anyone built and run bropipe under Bro 1.4 on MacOS 10.5.6?
>
>     Bro and broccoli built and installed happily, and bropipe also
> built cleanly (after requiring that libstdc++ be explicitly put in the
> linker files, what's up with that?)
>
>     But when I try to have bropipe connect to a local Bro instance, it
> fails to connect. In fact, it doesn't even seem to get to the point
> where it tries to open the tcp connection. Nothing shows up on a
> tcpdump (a telnet to the same port shows traffic getting through).
>
>     A system call trace of the program (run with "./bropipe -df -
> host=127.0.0.1") gives this after the executable is pretty close to
> being done with loading libraries:
>
> open("/usr/local/bro/lib/libbroccoli.2.dylib\0", 0x0, 0x0)         = 3 0
> pread(0x3, "\316\372\355\376\a\0", 0x1000, 0x0)         = 4096 0
> mmap(0x22000, 0x10000, 0x5, 0x12, 0x3, 0x100000000)         = 0x22000 0
> mmap(0x32000, 0x1000, 0x3, 0x12, 0x3, 0x100000000)         = 0x32000 0
> mmap(0x33000, 0x1000, 0x7, 0x12, 0x3, 0x100000000)         = 0x33000 0
> mmap(0x34000, 0xF950, 0x1, 0x12, 0x3, 0x100000000)         = 0x34000 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
> fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
> close(0x3)         = 0 0
> stat("/usr/lib/libstdc++.6.dylib\0", 0xBFFFD408,
> 0xFFFFFFFFBFFFB994)         = 0 0
> stat("/usr/lib/libgcc_s.1.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994)
>      = 0 0
> stat("/usr/lib/libSystem.B.dylib\0", 0xBFFFD408,
> 0xFFFFFFFFBFFFB994)         = 0 0
> stat("/usr/lib/libssl.0.9.7.dylib\0", 0xBFFFD2F8,
> 0xFFFFFFFFBFFFB994)         = 0 0
> stat("/usr/lib/libcrypto.0.9.7.dylib\0", 0xBFFFD2F8,
> 0xFFFFFFFFBFFFB994)     = 0 0
> stat("/usr/lib/system/libmathCommon.A.dylib\0", 0xBFFFCF48,
> 0xFFFFFFFFBFFFB994) = 0 0
> open("/dev/dtracehelper\0", 0x2, 0xBFFFE444)         = 3 0
> ioctl(0x3, 0x80086804, 0xBFFFE3C8)         = 0 0
> close(0x3)         = 0 0
> __sysctl(0xBFFFE29C, 0x2, 0xBFFFE2A4)         = 0 0
> bsdthread_register(0x92F4EF30, 0x92F872A4, 0x1000)         = 0 0
> open_nocancel("/dev/urandom\0", 0x0, 0x0)         = 3 0
> read_nocancel(0x3, "=x\2006F\005\222\236y\0", 0x20)         = 32 0
> close_nocancel(0x3)         = 0 0
> mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000)         =
> 0x44000 0
> mmap(0x0, 0x200000, 0x3, 0x1002, 0x7000000, 0x100000000)         =
> 0x47000 0
> munmap(0x47000, 0xB9000)         = 0 0
> munmap(0x200000, 0x47000)         = 0 0
> mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000)         =
> 0x47000 0
> getpid(0x0, 0x3000, 0x3)         = 5743 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
>
> [more selects ]
>
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
> could not connect to Bro at host=127.0.0.1:.
> Will try again in 5 seconds
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
> write_nocancel(0x2, "could not connect to Bro at
> host=127.0.0.1:.\n\0", 0x2D)     = 45 0
> write_nocancel(0x2, "Will try again in 5 seconds \n\0", 0x1D)
>  = 29 0
> select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
>
>
>     It looks like the call to bro_conn_connect() at bropipe.cc:212 is
> getting stalled somehow.
>
>     Has anyone else seen this? Is there something really obvious that
> I'm overlooking? Packet filters are ruled out, and nothing in the logs
> indicates that the system is seeing any activity. Basically the
> bro_conn_connect() call just seems to chase its tail around for a bit
> and then return, without attempting a tcp connect.
>
>     Thanks,
>     Steve
>

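The failure described in this thread is a connect string that is assembled from an empty host or a missing port ("host=127.0.0.1:." in the trace above) and then handed to bro_conn_new_str(), which fails before any TCP connect is attempted. The following is an added example, not code from bropipe, Broccoli or the poster's planned patch, of the "default handling" step: validate the user-supplied target and fill in defaults before building the string. The function name build_bro_target and its behaviour on malformed input are assumptions for this example; the default port 47757 is the one used in the thread.

```c
/* Added example (not bropipe's own code): apply defaults to a "host:port"
 * target before it is passed to bro_conn_new_str(), so that a missing
 * host or port becomes a usable target (or an explicit error) instead of
 * a bogus connect string that stalls without ever opening a socket. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_BRO_HOST "127.0.0.1"
#define DEFAULT_BRO_PORT 47757L   /* port used in the thread */

/* Fill out[] with "host:port", defaulting a missing host or port.
 * Returns 0 on success, -1 if spec is malformed: non-numeric or
 * out-of-range port, more than one ':' (IPv6 literals are not handled
 * here), or a host that does not fit the buffer. */
int build_bro_target(const char *spec, char *out, size_t outlen)
{
    char hostbuf[256];
    const char *host = DEFAULT_BRO_HOST;
    long port = DEFAULT_BRO_PORT;
    int n;

    if (spec != NULL && spec[0] != '\0') {
        const char *colon = strchr(spec, ':');

        if (colon == NULL) {
            /* "host" only: keep the default port */
            if (strlen(spec) >= sizeof hostbuf)
                return -1;
            strcpy(hostbuf, spec);
            host = hostbuf;
        } else {
            size_t hlen = (size_t)(colon - spec);

            /* A second ':' is ambiguous; reject rather than guess. */
            if (strchr(colon + 1, ':') != NULL)
                return -1;
            if (hlen >= sizeof hostbuf)
                return -1;
            if (hlen > 0) {
                /* ":port" with no host keeps the default host */
                memcpy(hostbuf, spec, hlen);
                hostbuf[hlen] = '\0';
                host = hostbuf;
            }
            if (colon[1] != '\0') {
                /* "host:" with a trailing colon keeps the default port */
                char *end;
                errno = 0;
                port = strtol(colon + 1, &end, 10);
                if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
                    return -1;
            }
        }
    }

    n = snprintf(out, outlen, "%s:%ld", host, port);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Helpers that check a result without a caller-owned buffer. */
int target_equals(const char *spec, const char *expected)
{
    char buf[300];
    return build_bro_target(spec, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int target_rejected(const char *spec)
{
    char buf[300];
    return build_bro_target(spec, buf, sizeof buf) == -1;
}

int main(void)
{
    /* Constructed sample inputs covering the cases seen in the thread. */
    const char *specs[] = { NULL, "127.0.0.1", "127.0.0.1:", ":47757",
                            "127.0.0.1:47757", "127.0.0.1:abc" };
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        char buf[300];
        const char *shown = specs[i] ? specs[i] : "(none)";
        if (build_bro_target(specs[i], buf, sizeof buf) == 0)
            printf("%-18s -> %s\n", shown, buf);
        else
            printf("%-18s -> rejected\n", shown);
    }
    return 0;
}
```

With this in place, "127.0.0.1" and "127.0.0.1:" both resolve to "127.0.0.1:47757", an empty target falls back to the local default, and a non-numeric or out-of-range port is reported immediately rather than surfacing as a connect loop that never reaches the network.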