[Bro] New installation crashes appear to be ssh-related

Llewellyn, Ted Ted.Llewellyn at ftr.com
Mon Mar 30 05:23:16 PDT 2015 

Vlad,

I happened to run across HILTI while I was looking at something not related to Bro. My output seems to come from binpac, and according to the HILTI folks they develop on 64-bit platforms and promise nothing if it’s run on 32-bit hardware. I thought binpac was just supposed to be a plugin, which says to me it can be turned off or I could rebuild without it, if I could find out how. “./configure –help” wasn’t very helpful about this. Does this sound plausible?

Thanks,
Ted


From: grigorescu at gmail.com [mailto:grigorescu at gmail.com] On Behalf Of Vlad Grigorescu
Sent: Sunday, March 29, 2015 9:31 PM
To: Llewellyn, Ted
Cc: bro at bro.org
Subject: Re: [Bro] New installation crashes appear to be ssh-related

Hi Ted,

Thanks for reporting this. I'll look into it.

  --Vlad

On Sun, Mar 29, 2015 at 10:12 AM, Llewellyn, Ted <Ted.Llewellyn at ftr.com<mailto:Ted.Llewellyn at ftr.com>> wrote:
We have a new Bro installation, built from source on Debian  wheezy, that keeps core dumping. It looks like it’s choking on some code related to ssh. Here is the diag for the latest crash. It is identical to the other one I have:

[BroControl] > diag
[bro]

Bro 2.3-633
Linux 3.2.0-4-686-pae

No gdb installed.

==== No reporter.log

==== stderr.log
listening on eth1, capture length 8192 bytes

bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted                 (core dumped) nohup "$mybro" "$@"

==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[BroControl] >

This is just running the default setup, with the local subnets configured, as we are just starting with Bro. This is a really low end server, but the capture interface is only running at 100 meg so there are really no resource issues. (Yes, this is a 32-bit box. It’s pretty old. That’s why I built from source.)
The first crash occurred after a few minutes. Then it ran for nearly 24 hours before this crash. Is there something I can tweak to prevent this?

Thanks,
Ted Llewellyn



_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150330/d649d641/attachment-0001.html

More information about the Bro mailing list