[Bro] New installation crashes appear to be ssh-related

Llewellyn, Ted Ted.Llewellyn at ftr.com
Tue Mar 31 05:57:02 PDT 2015


Vlad,

It crashed again this morning. The crash on 3/29 was at 6:29 local time, and the crash this morning was at 6:27 local time. I’m not aware of anything that happens here around that time on a regular basis.

The diag looks pretty much the same:

[BroControl] > diag
[bro]

Bro 2.3-633
Linux 3.2.0-4-686-pae

No gdb installed.

==== No reporter.log

==== stderr.log
listening on eth1, capture length 8192 bytes

bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 24675 Aborted                 (core dumped) nohup "$mybro" "$@"

==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[BroControl] >

Here is the ssh.log, with the local addresses obfuscated:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#open 2015-03-31-06-12-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port count bool enum string string string string string string string string string string string double double
1427796767.723015 CekWob4QEqOlP0oqp8 115.239.230.133 57922 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796768.761095 Ctm96W1UH7UUMJkEhk 115.239.230.133 42380 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796773.022767 CBJCTy0vfPn8efye4 115.239.230.133 45326 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796998.016420 CPC3hO10j08ML06CRj 115.231.218.130 56223 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss - - - - - -
1427796998.641613 CMUo9V3XqIY3J45Arl 115.231.218.130 51297 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797000.236567 C4F5Ca2TZOVL55re0i 115.231.218.130 60792 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797056.937244 CeElA5RdppTwHbR6b 183.136.216.4 34758 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797056.134247 CDKUcz2vwqwCQ6FMP 183.136.216.4 57005 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797314.991566 CPkA7E3jOaA4O3n6Zj 115.239.248.238 46652 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797315.312565 CF4kqy4fSKVNiRwHKa 115.239.248.238 34778 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797316.044014 CfKqmt3d5HTfWS7xyc 115.239.248.238 50058 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797665.315966 CUdfQY3IPL1xx4UtY7 115.231.218.131 57464 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -

I can only get the core files down to about 15 meg, so they won’t attach to the ticket. Should I try sending it directly to your gmail account, so the whole list doesn’t get it?

Ted


From: grigorescu at gmail.com [mailto:grigorescu at gmail.com] On Behalf Of Vlad Grigorescu
Sent: Monday, March 30, 2015 11:06 AM
To: Llewellyn, Ted
Cc: bro at bro.org
Subject: Re: [Bro] New installation crashes appear to be ssh-related

Also, do you happen to have a core dump of this? It would help with debugging.

To answer your question about BinPAC - BinPAC is a Binary Protocol Analyzer Compiler. Some analyzers in Bro are written in a language that BinPAC will compile to C++. When you compile Bro, this compilation happens, and then that C++ code gets compiled with the rest of Bro. So, it's not really a plugin - you could technically build Bro without BinPAC, but in practice, you wouldn't want to do that.

Hope that makes sense,

  --Vlad

On Mon, Mar 30, 2015 at 9:39 AM, Robin Sommer <robin at icir.org> wrote:
Ted, mind filing a ticket so that we track this one?

Robin

On Sun, Mar 29, 2015 at 15:12 +0000, you wrote:

> We have a new Bro installation, built from source on Debian wheezy, that keeps core dumping. It looks like it's choking on some code related to ssh. Here is the diag for the latest crash. It is identical to the other one I have:
>
> [BroControl] > diag
> [bro]
>
> Bro 2.3-633
> Linux 3.2.0-4-686-pae
>
> No gdb installed.
>
> ==== No reporter.log
>
> ==== stderr.log
> listening on eth1, capture length 8192 bytes
>
> bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted                 (core dumped) nohup "$mybro" "$@"
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=
>
> ==== .status
> RUNNING [net_run]
>
> ==== No prof.log
>
> ==== No packet_filter.log
>
> ==== No loaded_scripts.log
> [BroControl] >
>
> This is just running the default setup, with the local subnets configured, as we are just starting with Bro. This is a really low end server, but the capture interface is only running at 100 meg so there are really no resource issues. (Yes, this is a 32-bit box. It's pretty old. That's why I built from source.)
> The first crash occurred after a few minutes. Then it ran for nearly 24 hours before this crash. Is there something I can tweak to prevent this?
>
> Thanks,
> Ted Llewellyn
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
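The assertion in the stderr.log above, `t_dataptr_after_cookie <= t_end_of_data` inside `SSH2_KEXINIT::Parse`, is a bounds check in the BinPAC-generated parser: it fires when the 16-byte cookie that opens an SSH2 KEXINIT message runs past the data the analyzer actually has. Because it is an `assert()`, the whole bro process aborts, so a single short or malformed KEXINIT on the wire takes the sensor down (note that the last ssh.log entry is stamped 1427797665, i.e. 06:27:45 in the log's own zone given the `#open` line, which lines up with the reported 6:27 crash). The following is an added worked example, not Bro's or BinPAC's code, written in Python rather than the BinPAC grammar Vlad describes so that it can be run directly: it parses a KEXINIT payload per RFC 4253 section 7.1 (message byte, 16-byte cookie, ten name-lists, a boolean, a reserved uint32), applies the same length checks the assertion stood in for, and surfaces truncation and oversized length fields as a parse error instead of aborting. The sample packets are constructed here from the algorithm names visible in the ssh.log; they are not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1
COOKIE_LEN = 16
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class SSHParseError(ValueError):
    """Malformed or truncated KEXINIT: reported to the caller, never abort()."""


@dataclass
class KexInit:
    cookie: bytes
    name_lists: Dict[str, List[str]]   # field name -> algorithm names offered
    first_kex_packet_follows: bool
    reserved: int


def _read_name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    """RFC 4251 name-list: uint32 length, then comma-separated US-ASCII names."""
    if len(buf) - off < 4:
        raise SSHParseError(f"name-list length field truncated at offset {off}")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    # The length is attacker-controlled; compare it with the bytes actually present.
    if n > len(buf) - off:
        raise SSHParseError(f"name-list claims {n} bytes, only {len(buf) - off} remain")
    raw = buf[off:off + n]
    try:
        names = raw.decode("ascii").split(",") if n else []
    except UnicodeDecodeError:
        raise SSHParseError("name-list is not US-ASCII") from None
    return names, off + n


def parse_kexinit(payload: bytes) -> KexInit:
    """Parse an SSH2 KEXINIT payload (packet contents after padding_length, before padding/MAC)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise SSHParseError("not a KEXINIT message")
    off = 1
    # This is the condition the Bro assertion `t_dataptr_after_cookie <= t_end_of_data` enforced.
    if len(payload) - off < COOKIE_LEN:
        raise SSHParseError(f"cookie truncated: need {COOKIE_LEN} bytes, have {len(payload) - off}")
    cookie = payload[off:off + COOKIE_LEN]
    off += COOKIE_LEN
    name_lists: Dict[str, List[str]] = {}
    for field in NAME_LIST_FIELDS:
        name_lists[field], off = _read_name_list(payload, off)
    if len(payload) - off < 1 + 4:
        raise SSHParseError("first_kex_packet_follows/reserved truncated")
    first_follows = payload[off] != 0
    (reserved,) = struct.unpack_from(">I", payload, off + 1)
    off += 5
    if off != len(payload):
        raise SSHParseError(f"{len(payload) - off} trailing bytes after KEXINIT")
    return KexInit(cookie, name_lists, first_follows, reserved)


def try_parse(payload: bytes) -> Tuple[Optional[KexInit], Optional[str]]:
    """Analyzer-style wrapper: a bad packet yields an error string, not a dead process."""
    try:
        return parse_kexinit(payload), None
    except SSHParseError as e:
        return None, str(e)


def build_kexinit(name_lists: Dict[str, List[str]], cookie: bytes = b"\x00" * COOKIE_LEN) -> bytes:
    """Serialise a KEXINIT; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        body = ",".join(name_lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows = FALSE, reserved = 0


# Constructed sample (not captured traffic): the algorithm set the ssh.log above shows being negotiated.
SAMPLE_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-dss"],
    "encryption_algorithms_client_to_server": ["3des-cbc"],
    "encryption_algorithms_server_to_client": ["3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}, cookie=bytes(range(16)))

# Constructed malformed inputs: a KEXINIT cut off inside the cookie (the assertion's case),
# and one whose first name-list claims far more bytes than the packet carries.
TRUNCATED_IN_COOKIE = SAMPLE_KEXINIT[:10]
OVERSIZED_NAME_LIST = SAMPLE_KEXINIT[:17] + struct.pack(">I", 0xFFFFFFFF) + b"diffie-hellman-group1-sha1"

if __name__ == "__main__":
    for label, pkt in (("sample", SAMPLE_KEXINIT), ("truncated", TRUNCATED_IN_COOKIE),
                       ("oversized", OVERSIZED_NAME_LIST)):
        parsed, err = try_parse(pkt)
        print(label, "->", parsed.name_lists["kex_algorithms"] if parsed else f"rejected: {err}")
```

The two malformed inputs are the cases a network parser must survive: data that ends early (a reassembly gap or a deliberately short packet) and a length field larger than the buffer. The first is exactly what the Bro assertion was guarding; in an IDS the correct outcome is a logged parse error or a "weird" record for that connection, with the process still running.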
