[Bro] New installation crashes appear to be ssh-related

Vlad Grigorescu vlad at grigorescu.org
Mon Mar 30 08:05:54 PDT 2015


Also, do you happen to have a core dump of this? It would help with
debugging.

To answer your question about BinPAC - BinPAC is a Binary Protocol Analyzer
Compiler. Some analyzers in Bro are written in a language that BinPAC will
compile to C++. When you compile Bro, this compilation happens, and then
that C++ code gets compiled with the rest of Bro. So, it's not really a
plugin - you could technically build Bro without BinPAC, but in practice,
you wouldn't want to do that.

Hope that makes sense,

  --Vlad

On Mon, Mar 30, 2015 at 9:39 AM, Robin Sommer <robin at icir.org> wrote:

> Ted, mind filing a ticket so that we track this one?
>
> Robin
>
> On Sun, Mar 29, 2015 at 15:12 +0000, you wrote:
>
> > We have a new Bro installation, built from source on Debian wheezy,
> > that keeps core dumping. It looks like it's choking on some code
> > related to ssh. Here is the diag for the latest crash. It is identical
> > to the other one I have:
> >
> > [BroControl] > diag
> > [bro]
> >
> > Bro 2.3-633
> > Linux 3.2.0-4-686-pae
> >
> > No gdb installed.
> >
> > ==== No reporter.log
> >
> > ==== stderr.log
> > listening on eth1, capture length 8192 bytes
> >
> > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
> > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted              (core dumped) nohup "$mybro" "$@"
> >
> > ==== stdout.log
> > max memory size         (kbytes, -m) unlimited
> > data seg size           (kbytes, -d) unlimited
> > virtual memory          (kbytes, -v) unlimited
> > core file size          (blocks, -c) unlimited
> >
> > ==== .cmdline
> > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
> >
> > ==== .env_vars
> > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> > CLUSTER_NODE=
> >
> > ==== .status
> > RUNNING [net_run]
> >
> > ==== No prof.log
> >
> > ==== No packet_filter.log
> >
> > ==== No loaded_scripts.log
> > [BroControl] >
> >
> > This is just running the default setup, with the local subnets
> > configured, as we are just starting with Bro. This is a really low end
> > server, but the capture interface is only running at 100 meg so there
> > are really no resource issues. (Yes, this is a 32-bit box. It's pretty
> > old. That's why I built from source.)
> > The first crash occurred after a few minutes. Then it ran for nearly 24
> > hours before this crash. Is there something I can tweak to prevent this?
> >
> > Thanks,
> > Ted Llewellyn
> >
> >
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>
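
The assertion in the quoted diag output is a bounds check inside the BinPAC-generated SSH2_KEXINIT parser. As an added illustration (not code from this thread, from BinPAC or from Bro), the hand-written C++ parser below reads the same message, with the field layout taken from RFC 4253, and returns an error code on short input instead of aborting the process; every name in it is hypothetical and the sample message is constructed.

```cpp
// Added illustration with hypothetical names; this is not BinPAC-generated code.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

enum class Parse { Ok, Truncated, WrongType };
constexpr uint8_t SSH_MSG_KEXINIT = 20;  // message number from RFC 4253
constexpr size_t COOKIE_LEN = 16, NAME_LISTS = 10;
struct KexInit {
    uint8_t cookie[COOKIE_LEN];
    uint32_t name_list_len[NAME_LISTS];
    bool first_kex_packet_follows;
};
// Each field is checked against the bytes left in [p, end) before it is read.
Parse parse_kexinit(const uint8_t* p, const uint8_t* end, KexInit* out) {
    if (end < p || size_t(end - p) < 1 + COOKIE_LEN) return Parse::Truncated;
    if (*p++ != SSH_MSG_KEXINIT) return Parse::WrongType;
    std::memcpy(out->cookie, p, COOKIE_LEN);
    p += COOKIE_LEN;
    for (size_t i = 0; i < NAME_LISTS; ++i) {
        if (end - p < 4) return Parse::Truncated;  // uint32 length prefix
        uint32_t len = (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
                       (uint32_t(p[2]) << 8) | uint32_t(p[3]);
        p += 4;
        if (size_t(end - p) < len) return Parse::Truncated;  // never form p + len
        out->name_list_len[i] = len;
        p += len;
    }
    if (end - p < 5) return Parse::Truncated;  // boolean + uint32 reserved
    out->first_kex_packet_follows = (*p != 0);
    return Parse::Ok;
}

// Constructed sample: zero cookie, ten name-lists that each hold "none".
std::vector<uint8_t> sample_kexinit() {
    std::vector<uint8_t> m{SSH_MSG_KEXINIT};
    m.insert(m.end(), COOKIE_LEN, 0);
    for (size_t i = 0; i < NAME_LISTS; ++i)
        m.insert(m.end(), {0, 0, 0, 4, 'n', 'o', 'n', 'e'});
    m.insert(m.end(), {0, 0, 0, 0, 0});
    return m;
}

int main() {
    std::vector<uint8_t> m = sample_kexinit();
    KexInit k;
    for (size_t n : {m.size(), size_t(10), size_t(20)})  // whole, cut in cookie, cut in list
        std::printf("%zu bytes -> %d\n", n, int(parse_kexinit(m.data(), m.data() + n, &k)));
}
```

For a passive sensor, which has no control over the traffic it parses, a returned error lets the analyzer drop one connection while the process keeps capturing.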