[Bro] setting a connection "service" in a signature

Stephane Chazelas stephane.chazelas at gmail.com
Thu Aug 23 03:11:30 PDT 2012


2012-08-22 21:44:24 +0100, Stephane Chazelas:
[...]
> Here is a simple way. It just uses the "service" flag of a bro
> "connection" to mark the fact it is skype traffic.
[...]

Oh well, sorry, I spoke too soon. That makes bro crash in

#1  0x081d5ee8 in BroFunc::Call(ValPList*, Frame*) const ()
#2  0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#3  0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#4  0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#5  0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#6  0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#7  0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#8  0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#9  0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#10 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#11 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#12 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#14 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#15 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#16 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#17 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#18 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#19 0x0823288b in PktSrc::Process() ()
#20 0x082230a3 in net_run() ()
#21 0x0814423a in main ()

with the frames above that varying:

$ for f (**/core(m-1)) gdb -core $f =bro --batch -ex bt
[New Thread 29511]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0  0xb777b430 in __kernel_vsyscall ()
#0  0xb777b430 in __kernel_vsyscall ()
#1  0xb72d2651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb72d5a82 in *__GI_abort () at abort.c:92
#3  0x08209367 in Reporter::InternalError(char const*, ...) ()
#4  0x0822bdb2 in bad_ref(int) ()
#5  0x081d6142 in BroFunc::Call(ValPList*, Frame*) const ()
#6  0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#7  0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#8  0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#9  0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#10 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#11 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#12 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#13 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#14 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#15 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#16 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#17 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#18 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#19 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#20 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#21 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#22 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#23 0x0823288b in PktSrc::Process() ()
#24 0x082230a3 in net_run() ()
#25 0x0814423a in main ()
[New Thread 10653]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 11, Segmentation fault.
#0  0x081d5ec3 in BroFunc::Call(ValPList*, Frame*) const ()
#0  0x081d5ec3 in BroFunc::Call(ValPList*, Frame*) const ()
#1  0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#2  0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#3  0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#4  0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#5  0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#6  0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#7  0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#8  0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#9  0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#10 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#11 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#12 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#14 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#15 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#16 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#17 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#18 0x0823288b in PktSrc::Process() ()
#19 0x082230a3 in net_run() ()
#20 0x0814423a in main ()
[New Thread 21546]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 11, Segmentation fault.
#0  0xb73cc300 in tmpnam_buffer () from /lib/tls/i686/cmov/libc.so.6
#0  0xb73cc300 in tmpnam_buffer () from /lib/tls/i686/cmov/libc.so.6
#1  0x081d5ee8 in BroFunc::Call(ValPList*, Frame*) const ()
#2  0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#3  0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#4  0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#5  0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#6  0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#7  0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#8  0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#9  0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#10 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#11 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#12 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#14 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#15 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#16 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#17 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#18 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#19 0x0823288b in PktSrc::Process() ()
#20 0x082230a3 in net_run() ()
#21 0x0814423a in main ()
[New Thread 27005]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0  0xb7754430 in __kernel_vsyscall ()
#0  0xb7754430 in __kernel_vsyscall ()
#1  0xb72ab651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb72aea82 in *__GI_abort () at abort.c:92
#3  0xb72e206d in __libc_message (do_abort=2, fmt=0xb73b6f78 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0xb72ec161 in malloc_printerr (action=<value optimized out>, str=0x6 <Address 0x6 out of bounds>, ptr=0xa5f9e50) at malloc.c:6266
#5  0xb72ef2e0 in _int_malloc (av=<value optimized out>, bytes=<value optimized out>) at malloc.c:4308
#6  0xb72f0b6c in *__GI___libc_malloc (bytes=5) at malloc.c:3660
#7  0xb74ddc07 in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#8  0xb74ddd3d in operator new[](unsigned int) () from /usr/lib/libstdc++.so.6
#9  0x081f7437 in HashKey::CopyKey(void const*, int) const ()
#10 0x081f7496 in HashKey::TakeKey() ()
#11 0x0829ebf3 in TableVal::Assign(Val*, HashKey*, Val*, Opcode) ()
#12 0x0829f28e in TableVal::Assign(Val*, Val*, Opcode) ()
#13 0x081c1041 in IndexExpr::Add(Frame*) ()
#14 0x08273191 in AddStmt::Exec(Frame*, stmt_flow_type&) const ()
#15 0x08273d4f in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#16 0x081d5f69 in BroFunc::Call(ValPList*, Frame*) const ()
#17 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#18 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#19 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#20 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#21 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#22 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#23 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#24 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#25 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#26 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#27 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#28 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#29 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#30 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#31 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#32 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#33 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#34 0x0823288b in PktSrc::Process() ()
#35 0x082230a3 in net_run() ()
#36 0x0814423a in main ()
[New Thread 28453]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0  0xb76e4430 in __kernel_vsyscall ()
#0  0xb76e4430 in __kernel_vsyscall ()
#1  0xb723b651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb723ea82 in *__GI_abort () at abort.c:92
#3  0x08209367 in Reporter::InternalError(char const*, ...) ()
#4  0x0822bdb2 in bad_ref(int) ()
#5  0x081d6142 in BroFunc::Call(ValPList*, Frame*) const ()
#6  0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#7  0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#8  0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#9  0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#10 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#11 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#12 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#13 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#14 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#15 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#16 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#17 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#18 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#19 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#20 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#21 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#22 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#23 0x0823288b in PktSrc::Process() ()
#24 0x082230a3 in net_run() ()
#25 0x0814423a in main ()


stderr.log had once:

*** glibc detected *** /usr/local/bin/bro: malloc(): smallbin double linked list corrupted: 0x0a5f9e50 ***

I suppose it doesn't like me adding a service in that context.

Anybody got a better idea on how to make it work?

(that's the bro 2.0 in securityonion)

-- 
Stephane
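Added example (not from the original post or the Bro project): the pattern described above, an `eval` condition tagging a connection's `service` set, rewritten so that the mutation happens in a `signature_match` handler rather than inside the matcher's callback. The signature name `skype-marker`, the placeholder payload pattern and the `SKYPE` label are assumptions, and so is the claim that moving the `add` out of the eval callback avoids the crash in the backtraces above.

```bro
# --- file: skype.sig (signature file) ---
# signature skype-marker {
#     ip-proto == tcp
#     payload /^.{2,}/           # placeholder pattern, not a real Skype fingerprint
#     eval Skype::check_skype    # decide only; no side effects on the connection
#     event "SKYPE candidate"    # queues signature_match for the script below
# }

# --- file: skype.bro ---
@load-sigs ./skype.sig

module Skype;

export {
    # Label added to c$service for tagged connections (assumed value).
    const service_label = "SKYPE" &redef;
}

# Called from inside the signature matcher (RuleConditionEval::DoMatch
# in the backtraces above). Keep this free of side effects: it only
# returns whether the condition holds and never touches state$conn.
function check_skype(state: signature_state, data: string): bool
    {
    return |data| > 0;
    }

# Raised from the event queue once matching has finished, so the
# connection record is modified outside the matcher's call path.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "skype-marker" )
        return;

    add state$conn$service[service_label];
    }

# Verify the tag survived to the end of the connection.
event connection_state_remove(c: connection)
    {
    if ( service_label in c$service )
        print fmt("%s tagged %s", id_string(c$id), service_label);
    }
```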
