[Bro] SMB2 module

Danilo Nicolò dani.nicolo at gmail.com
Wed Mar 25 10:08:48 PDT 2015


Hi Seth,

I've tested Bro a lot, and in many cases it crashes with SIGSEGV or SIGBUS
(with BRO_DNS_FAKE=1).
The problem is always in ssh/interesting-hostnames.bro in the when
condition, so I modified this script: first I tried removing the when
condition and Bro didn't crash; then I tried removing the lookup_addr function
while keeping the when condition, and Bro crashed.

Below you can see a snippet of the modified script with the when condition:

    local hostname : string;

    when ( hostname == "10.1.2.3" )
        {
        if ( interesting_hostnames in hostname )
            {
            NOTICE([$note=Interesting_Hostname_Login,
                    $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
                             Site::is_local_addr(host) ? "local" : "remote",
                             host == c$id$orig_h ? "client" : "server"),
                    $sub=hostname, $conn=c]);
            }
        }

    hostname = "10.1.2.3";

The gdb log is:

Starting program: /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p
broctl-live -p standalone -p local -p bro local.bro
/usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
listening on eth0, capture length 8192 bytes

[New Thread 0x7ffff5a9a700 (LWP 6916)]
WARNING: No Site::local_nets have been defined.  It's usually a good idea
to define your local networks.
[New Thread 0x7ffff5299700 (LWP 6917)]
[New Thread 0x7ffff4a98700 (LWP 6918)]
[New Thread 0x7ffff4297700 (LWP 6919)]
[New Thread 0x7ffff3a96700 (LWP 6920)]
[New Thread 0x7ffff3295700 (LWP 6921)]
1427301195.578365 error in
/usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 30: Bro
was not configured for GeoIP support (lookup_location(SSH::lookup_ip))

Program received signal SIGSEGV, Segmentation fault.
0x00000000007423e2 in Serializer::Write (this=0x7fffffffd860, v=true,
tag=0xb7a563 "full") at /home/danko/bro/src/Serializer.h:62
62 DECLARE_IO(bool)
(gdb) up 81400
#81400 0x0000000000851a58 in MutableVal::DoSerialize (this=0x44a79e0,
info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:656
656 DO_SERIALIZE(SER_MUTABLE_VAL, Val);
(gdb) up
#81401 0x000000000085a732 in RecordVal::DoSerialize (this=0x44a79e0,
info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:2813
2813 DO_SERIALIZE(SER_RECORD_VAL, MutableVal);
(gdb) up
#81402 0x000000000081587b in SerialObj::Serialize (this=0x44a79e0,
info=0x7fffffffd8c0) at /home/danko/bro/src/SerialObj.cc:121
121 bool ret = DoSerialize(info);
(gdb) up
#81403 0x000000000084fdcb in Val::Serialize (this=0x44a79e0,
info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:100
100 return SerialObj::Serialize(info);
(gdb) up
#81404 0x000000000084fc7d in Val::Clone (this=0x44a79e0) at
/home/danko/bro/src/Val.cc:83
83 if ( ! this->Serialize(&sinfo) )
(gdb) up
#81405 0x00000000007a2fb3 in Frame::Clone (this=0x4482bd0) at
/home/danko/bro/src/Frame.cc:78
78 f->frame[i] = frame[i] ? frame[i]->Clone() : 0;
(gdb) up
#81406 0x000000000083ee4c in Trigger::Trigger (this=0x18031e0,
arg_cond=0x35ab080, arg_body=0x35ab020, arg_timeout_stmts=0x0,
arg_timeout=0x0, arg_frame=0x4482bd0, arg_is_return=false,
arg_location=0x35b94c0)
    at /home/danko/bro/src/Trigger.cc:108
108 frame = arg_frame->Clone();
(gdb) up
#81407 0x000000000083b302 in WhenStmt::Exec (this=0x35b18e0, f=0x4482bd0,
flow=@0x7fffffffdbe0: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:2166
2166 new Trigger(cond, s1, s2, timeout, f, is_return, location);
(gdb) p *this.location
$1 = {<SerialObj> = {_vptr.SerialObj = 0xb71e30 <vtable for Location+16>,
static NEVER = 0, static ALWAYS = 1, static factories = 0x1786000, static
names = 0x1786060, static time_counter = 19515, serial_type = 0},
  filename = 0x3586500
"/usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro",
first_line = 36, last_line = 46, first_column = 0, last_column = 0,
delete_data = false, timestamp = 0, text = 0x0,
  static register_type = {<No data fields>}, tid = {id = 417376, static
counter = 455184}}
(gdb)

I've tried to search for any problem with the when condition like this,
but I haven't found any similar issues.
Have you ever had this kind of problem?

I hope I was helpful.

Best regards,

Danilo



2015-03-23 14:21 GMT+01:00 Seth Hall <seth at icir.org>:

>
> > On Mar 23, 2015, at 6:07 AM, Danilo Nicolò <dani.nicolo at gmail.com>
> wrote:
> >
> > I'm little confused about the different behavior: if I set
> BRO_DNS_FAKE=1, Will dns logs be altered significantly?
>
> No, BRO_DNS_FAKE only changes active DNS lookups.  When Bro itself goes
> out to lookup a name in DNS it will return junk information.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>