[Bro] New installation crashes appear to be ssh-related

Llewellyn, Ted Ted.Llewellyn at ftr.com
Mon Mar 30 08:59:10 PDT 2015


Yes, I have core dumps. Is there an upload site? I’m concerned about information leakage, also. This is a lab environment, but I still don’t want too much information about it being distributed in public forums.

Ted Llewellyn
Sr. Network Planning Engineer
VoIP Engineering
Frontier Communications
120 Plymouth Ave. N.
Rochester, NY 14608
585-413-9743


From: grigorescu at gmail.com [mailto:grigorescu at gmail.com] On Behalf Of Vlad Grigorescu
Sent: Monday, March 30, 2015 11:06 AM
To: Llewellyn, Ted
Cc: bro at bro.org
Subject: Re: [Bro] New installation crashes appear to be ssh-related

Also, do you happen to have a core dump of this? It would help with debugging.

To answer your question about BinPAC - BinPAC is a Binary Protocol Analyzer Compiler. Some analyzers in Bro are written in a language that BinPAC will compile to C++. When you compile Bro, this compilation happens, and then that C++ code gets compiled with the rest of Bro. So, it's not really a plugin - you could technically build Bro without BinPAC, but in practice, you wouldn't want to do that.

Hope that makes sense,

  --Vlad

On Mon, Mar 30, 2015 at 9:39 AM, Robin Sommer <robin at icir.org> wrote:
Ted, mind filing a ticket so that we track this one?

Robin

On Sun, Mar 29, 2015 at 15:12 +0000, you wrote:

> We have a new Bro installation, built from source on Debian wheezy, that keeps core dumping. It looks like it's choking on some code related to ssh. Here is the diag for the latest crash. It is identical to the other one I have:
>
> [BroControl] > diag
> [bro]
>
> Bro 2.3-633
> Linux 3.2.0-4-686-pae
>
> No gdb installed.
>
> ==== No reporter.log
>
> ==== stderr.log
> listening on eth1, capture length 8192 bytes
>
> bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted                 (core dumped) nohup "$mybro" "$@"
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=
>
> ==== .status
> RUNNING [net_run]
>
> ==== No prof.log
>
> ==== No packet_filter.log
>
> ==== No loaded_scripts.log
> [BroControl] >
>
> This is just running the default setup, with the local subnets configured, as we are just starting with Bro. This is a really low end server, but the capture interface is only running at 100 meg so there are really no resource issues. (Yes, this is a 32-bit box. It's pretty old. That's why I built from source.)
> The first crash occurred after a few minutes. Then it ran for nearly 24 hours before this crash. Is there something I can tweak to prevent this?
>
> Thanks,
> Ted Llewellyn
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
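
The assertion in the diag output above checks that the pointer just past the SSH2_KEXINIT cookie does not run beyond the end of the available data. As an added illustration (not Bro's BinPAC-generated code and not from anyone in this thread), the hand-written parser below makes the same kind of check before every advance and reports a short message as an error instead of aborting the process. The field layout follows RFC 4253, section 7.1; all names are hypothetical and the sample message is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added illustration; names are hypothetical, not Bro/BinPAC identifiers.
enum class ParseResult { Ok, Truncated, WrongType };

struct KexInit {
    uint8_t cookie[16];
    std::vector<std::string> name_lists;  // 10 lists, RFC 4253 order
    bool first_kex_packet_follows = false;
};

// Parses an SSH_MSG_KEXINIT payload. Each advance is checked against the
// bytes remaining first, so short input yields Truncated, never an overread.
ParseResult parse_kexinit(const uint8_t* data, size_t len, KexInit& out) {
    size_t off = 0;  // invariant: off <= len
    if (len - off < 1) return ParseResult::Truncated;
    if (data[off++] != 20) return ParseResult::WrongType;  // SSH_MSG_KEXINIT
    if (len - off < sizeof out.cookie) return ParseResult::Truncated;
    for (size_t i = 0; i < sizeof out.cookie; ++i) out.cookie[i] = data[off + i];
    off += sizeof out.cookie;
    out.name_lists.clear();
    for (int i = 0; i < 10; ++i) {
        if (len - off < 4) return ParseResult::Truncated;
        uint32_t n = (uint32_t(data[off]) << 24) | (uint32_t(data[off + 1]) << 16) |
                     (uint32_t(data[off + 2]) << 8) | uint32_t(data[off + 3]);
        off += 4;
        if (len - off < n) return ParseResult::Truncated;  // length comes from the wire
        out.name_lists.emplace_back(reinterpret_cast<const char*>(data + off), n);
        off += n;
    }
    if (len - off < 5) return ParseResult::Truncated;  // boolean + uint32 reserved
    out.first_kex_packet_follows = data[off] != 0;
    return ParseResult::Ok;
}

// Constructed sample: type byte, zero cookie, ten name-lists each holding "x".
std::vector<uint8_t> sample_kexinit() {
    std::vector<uint8_t> m{20};
    m.insert(m.end(), size_t(16), uint8_t(0));
    for (int i = 0; i < 10; ++i) m.insert(m.end(), {0, 0, 0, 1, 'x'});
    m.insert(m.end(), {1, 0, 0, 0, 0});
    return m;
}
```
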
