[Bro] Assertion failure, Tag.cc
Michael Fry
michael.fry at morphick.com
Mon Jul 25 08:10:23 PDT 2016
Apologies for the delay. Below is the minimal script that will reproduce
the core dump. As described earlier, files.log shows the same FUID with
different connections multiple times. This causes the
file_extraction_limit() to be called multiple times for the same file.
Removing my event handler side-steps the core dump.
redef FileExtract::prefix = "/tmp/bro";

# Files of sizes outside this range will be discarded
global min_file_size: count = 1024;
global max_file_size: count = 5000000;

event bro_init()
    {
    mkdir(FileExtract::prefix);
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "HTTP" )
        return;

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_limit=max_file_size]);
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    }

event file_state_remove(f: fa_file)
    {
    if ( f$info?$extracted )
        {
        print(fmt("Deleting %s, size=%s", f$info$extracted, f$seen_bytes));
        system(fmt("rm \"/tmp/bro/%s\"", str_shell_escape(f$info$extracted)));
        }
    }

# Removing this handler side-steps the core dump.
event file_extraction_limit(f: fa_file, args: any, limit: count, len: count)
    {
    print "file_extraction_limit():", f;
    flush_all();
    }
Here is an example that led to a crash. Note the same FUID is logged
multiple times with different connection UIDs.
root at redacted:/opt/cbts/log/bro/2016-06-28# zgrep FBzliCXoEipv0oEM8 *
files.2016-06-28-18-00-00.log.dz:1467138209.682287 FBzliCXoEipv0oEM8 13.107.4.50 10.100.162.133 CapHn31QDgLbeGCqIh HTTP 0 EXTRACT,SHA1,MD5 application/zip Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle 0.010122 F F 22610 8811168 0 0 F - 02af20e0f97904b4c9da2c5a0071c324 b09760ed7e7f64e389eb709abf97cbbc395cd22a - HTTP-FBzliCXoEipv0oEM8-Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle.file
files.2016-06-28-18-00-00.log.dz:1467138211.315952 FBzliCXoEipv0oEM8 13.107.4.50 10.100.162.133 CbGwtH2ajMS3nq8oR9 HTTP 0 MD5,SHA1,EXTRACT application/zip Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle 0.007328 F F 13850 8811168 0 0 F - 7d8f20dc6941d42cb735bfbb1f5dee1d dccb1e3e513ab377ee909823c538ba196140a6df - HTTP-FBzliCXoEipv0oEM8-Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle.file
files.2016-06-28-18-00-00.log.dz:1467138211.234745 FBzliCXoEipv0oEM8 13.107.4.50 10.100.162.133 ClZAlx4VvTPCGXWnGf HTTP 0 SHA1,EXTRACT,MD5 application/zip Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle 0.010127 F F 22610 8811168 0 0 F - 02af20e0f97904b4c9da2c5a0071c324 b09760ed7e7f64e389eb709abf97cbbc395cd22a - HTTP-FBzliCXoEipv0oEM8-Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle.file
files.2016-06-28-18-00-00.log.dz:1467138211.395275 FBzliCXoEipv0oEM8 13.107.4.50 10.100.162.133 C1PiIFx6hRC32DES9 HTTP 0 SHA1,MD5,EXTRACT application/zip Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle 0.008257 F F 16770 8811168 0 0 F - c6c39cc6b8a6773a8b4b416a919cfca6 0ae53083b1fc02d7710e9c2b12ad930990e73c8e - HTTP-FBzliCXoEipv0oEM8-Microsoft.Getstarted_3.11.1.0_neutral_~_8wekyb3d8bbwe.AppxBundle.file
http.2016-06-28-18-00-00.log.dz:1467138209.662449 CapHn31QDgLbeGCqIh 10.100.162.133 61074 13.107.4.50 80 2 GET tlu.dl.delivery.mp.microsoft.com /filestreamingservice/files/9f5dbc38-f074-45be-8346-ca45b940a576?P1=1467138990&P2=301&P3=2&P4=M61a7Qj+Xwl55JKMXfAzkJPsnDstij/KQXct1zwrcGI= - Microsoft BITS/7.8 0 22610 200 OK - -- (empty) - - - - - FBzliCXoEipv0oEM8 application/zip
http.2016-06-28-18-00-00.log.dz:1467138209.748598 CalgEr4pL03r1nZKql 10.100.162.133 61075 13.107.4.50 80 1 GET tlu.dl.delivery.mp.microsoft.com /filestreamingservice/files/9f5dbc38-f074-45be-8346-ca45b940a576?P1=1467138990&P2=301&P3=2&P4=M61a7Qj+Xwl55JKMXfAzkJPsnDstij/KQXct1zwrcGI= - Microsoft BITS/7.8 0 94880 206 Partial Content - - - (empty) - - - - - FBzliCXoEipv0oEM8 -
http.2016-06-28-18-00-00.log.dz:1467138211.295292 CbGwtH2ajMS3nq8oR9 10.100.162.133 61077 13.107.4.50 80 1 GET tlu.dl.delivery.mp.microsoft.com /filestreamingservice/files/9f5dbc38-f074-45be-8346-ca45b940a576?P1=1467138990&P2=301&P3=2&P4=M61a7Qj+Xwl55JKMXfAzkJPsnDstij/KQXct1zwrcGI= - Microsoft BITS/7.8 0 13850 200 OK - -- (empty) - - - - - FBzliCXoEipv0oEM8 application/zip
http.2016-06-28-18-00-00.log.dz:1467138211.214133 ClZAlx4VvTPCGXWnGf 10.100.162.133 61076 13.107.4.50 80 1 GET tlu.dl.delivery.mp.microsoft.com /filestreamingservice/files/9f5dbc38-f074-45be-8346-ca45b940a576?P1=1467138990&P2=301&P3=2&P4=M61a7Qj+Xwl55JKMXfAzkJPsnDstij/KQXct1zwrcGI= - Microsoft BITS/7.8 0 22610 200 OK - -- (empty) - - - - - FBzliCXoEipv0oEM8 application/zip
http.2016-06-28-18-00-00.log.dz:1467138211.373513 C1PiIFx6hRC32DES9 10.100.162.133 61078 13.107.4.50 80 1 GET tlu.dl.delivery.mp.microsoft.com /filestreamingservice/files/9f5dbc38-f074-45be-8346-ca45b940a576?P1=1467138990&P2=301&P3=2&P4=M61a7Qj+Xwl55JKMXfAzkJPsnDstij/KQXct1zwrcGI= - Microsoft BITS/7.8 0 16770 200 OK - -- (empty) - - - - - FBzliCXoEipv0oEM8 application/zip
Thanks,
Mike
On Thu, Jun 30, 2016 at 12:02 AM Seth Hall <seth at icir.org> wrote:
>
> > On Jun 29, 2016, at 6:58 PM, Michael Fry <michael.fry at morphick.com>
> wrote:
> >
> > I've been able to narrow down the circumstances where we see this core
> dump. In the dozens of times that I've seen it, the file being extracted is
> always delivered over HTTP via the BITS client.
>
> Could you send the script that you are using which causes this problem?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
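As an added example (not part of this report or of Bro itself), a small Python script that parses files.log in its tab-separated on-disk form and flags FUIDs logged under more than one connection UID, the pattern shown in the zgrep output above. The sample records are constructed from the four files.log lines in the report, with the filename shortened and the sha1/extracted columns abbreviated.

```python
from collections import defaultdict

# Bro 2.x files.log column order, as given on the log's #fields line.
FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
          "filename duration local_orig is_orig seen_bytes total_bytes "
          "missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 "
          "extracted").split()

def make_record(ts, fuid, conn_uid, seen, md5):
    """Constructed helper: one tab-separated files.log line; only varying fields are parameters."""
    rec = dict(ts=ts, fuid=fuid, tx_hosts="13.107.4.50", rx_hosts="10.100.162.133",
               conn_uids=conn_uid, source="HTTP", depth="0", analyzers="EXTRACT,SHA1,MD5",
               mime_type="application/zip", filename="Getstarted.AppxBundle",
               duration="0.01", local_orig="F", is_orig="F", seen_bytes=str(seen),
               total_bytes="8811168", missing_bytes="0", overflow_bytes="0",
               timedout="F", parent_fuid="-", md5=md5, sha1="-", sha256="-",
               extracted="HTTP-%s.file" % fuid)
    return "\t".join(rec[f] for f in FIELDS)

# Constructed sample: the four files.log records from the report, re-tabbed.
SAMPLE_LOG = "\n".join([
    make_record("1467138209.682287", "FBzliCXoEipv0oEM8", "CapHn31QDgLbeGCqIh", 22610, "02af20e0f97904b4c9da2c5a0071c324"),
    make_record("1467138211.315952", "FBzliCXoEipv0oEM8", "CbGwtH2ajMS3nq8oR9", 13850, "7d8f20dc6941d42cb735bfbb1f5dee1d"),
    make_record("1467138211.234745", "FBzliCXoEipv0oEM8", "ClZAlx4VvTPCGXWnGf", 22610, "02af20e0f97904b4c9da2c5a0071c324"),
    make_record("1467138211.395275", "FBzliCXoEipv0oEM8", "C1PiIFx6hRC32DES9", 16770, "c6c39cc6b8a6773a8b4b416a919cfca6"),
])

def parse_files_log(text):
    """Parse files.log text into one dict per record, skipping '#' header lines."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split("\t")
            if len(parts) == len(FIELDS):
                rows.append(dict(zip(FIELDS, parts)))
    return rows

def find_split_fuids(rows):
    """Per FUID logged under more than one connection: record count, connections,
    distinct MD5s, and whether any record saw the whole file (seen == total)."""
    by_fuid = defaultdict(list)
    for r in rows:
        by_fuid[r["fuid"]].append(r)
    hits = {}
    for fuid, recs in by_fuid.items():
        # conn_uids is a set field in Bro logs, so it may hold several comma-separated UIDs
        conns = sorted({c for r in recs for c in r["conn_uids"].split(",")})
        if len(conns) > 1:  # a single connection is the normal case; nothing to flag
            hits[fuid] = {"records": len(recs), "conn_uids": conns,
                          "distinct_md5": sorted({r["md5"] for r in recs if r["md5"] != "-"}),
                          "complete": any(r["seen_bytes"] == r["total_bytes"] for r in recs)}
    return hits
```

Each record's MD5 covers only the bytes that connection carried, so a FUID with several distinct hashes and no complete record is a partial, BITS-style transfer rather than a whole file.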