[Bro] Core dump on a new Bro Cluster

Powell, Scott powellsm at musc.edu
Tue Jan 26 13:24:32 PST 2010 

Bro Community,

We have begun looking at the Bro NIDS here at MUSC so I have been working on setting up a cluster on some new security infrastructure equipment. We're running on RedHat Enterprise Linux 5.4, 64-bit with Bro 1.5.1 (latest current release on the bro-ids.org download page).

I compiled and setup the cluster and then started it up with "broctl start". My workers fired up and began collecting data from our network TAP. However, the worker with the TAP (worker-4) continues to "crash" repeatedly. If I issue a "broctl diag" it reveals a core dump.

I ran a gdb on the core file that was produced and got the same results as the diag output below.

Any ideas?

[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started
worker-4   worker     zoyd4      crashed
manager    manager    bombe4     running       3693   4      26 Jan 15:35:54
proxy-1    proxy      bombe4     running       3729   4      26 Jan 15:35:57
worker-1   worker     sigma4     running       10799  2      26 Jan 15:35:59
worker-2   worker     forensics4 running       21174  2      26 Jan 15:35:59
worker-3   worker     reaper4    running       8954   2      26 Jan 15:35:59
[BroControl] > diag worker-4
[worker-4]
==== stderr.log
pcap bufsize = 8256
listening on eth1
/var/local/bro/share/broctl/scripts/run-bro: line 73:  2837 Segmentation fault      (core dumped) nohup $tmpbro $@
==== stdout.log

==== .status
RUNNING [net_run]

==== No prof.log.

core.2837
Core was generated by `/var/local/bro/spool/tmp/bro -i eth1 -U .status -p broctl -p cluster -p local -'.
Program terminated with signal 11, Segmentation fault.
[New process 2837]
#0  FragReassembler::DeleteTimer (this=0x23219450) at Frag.h:62
62          void ClearReassembler() { f = 0; }

Thanks,

Scott Powell
Unix Systems Engineer / Information Security Analyst
Office of the CIO - Information Systems (OCIO-IS)
Medical University of South Carolina
powellsm at musc.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100126/0c1974dd/attachment.html

More information about the Bro mailing list