[Bro] Segmentation fault while using own signature.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Jan 17 13:07:58 PST 2017 

Hi Seth,

On one of our sensors, I did:
$ sudo sysctl -w kernel.core_pattern=core.%e-%t-%p

$ sudo sysctl -a | grep "kernel.core"
kernel.core_pattern = core.%e-%t-%p

Also, verified that I have gdb installed:
$ which gdb
/usr/bin/gdb

Also, I m starting bro with following commands on manager:
sudo -u bro /usr/local/bro/2.5/bin/broctl install
sudo -u bro /usr/local/bro/2.5/bin/broctl restart

However, when seeing the crash report on the sensor, it says No core file
was found:
(Any idea, why broctl isn't generating the core dump, or do I have to
include any file in local.bro for the same?)

$
cd /mnt/brolog/spool/tmp/post-terminate-worker-2017-01-17-15-50-21-90688-crash
$ less .crash-diag.out

No core file found.

Bro 2.5
Linux 3.10.0-327.36.3.el7.x86_64

Bro plugins: (none found)

==== No reporter.log

==== stderr.log
internal warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line
3: Discarded extraneous Broxygen comment: aashish: need to port to file
analysis framework
warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line 39:
dangerous assignment of double to integral (ConnStats::out$EstinboundConns
= ConnStats::result[EstinboundConns]$sum)
warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line 40:
dangerous assignment of double to integral (ConnStats::out$EstoutboundConns
= ConnStats::result[EstoutboundConns]$sum)
Warning: Kernel filter failed: Bad address
listening on em1

Warning: Kernel filter failed: Bad address
1484685887.668496 processing suspended
1484685887.668496 processing continued
/usr/local/bro/2.5/share/broctl/scripts/run-bro: line 107: 121052
Segmentation fault      nohup ${pin_command} $pin_cpu "$mybro" "$@"

==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i em1 -U .status -p broctl -p broctl-live -p local -p worker-1-9 local.bro
broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/2.5/bin:/usr/local/bro/2.5/share/broctl/scripts:/usr/local/bin:/usr/bin
BROPATH=/mnt/brolog/spool/installed-scripts-do-not-touch/site::/mnt/brolog/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/2.5/share/bro:/usr/local/bro/2.5/share/bro/policy:/usr/local/bro/2.5/share/bro/site
CLUSTER_NODE=worker-1-9

==== .status
RUNNING [net_run]

==== prof.log
1484686157.516259 TCP-States:        Inact.  Syn.    SA      Part.   Est.
 Fin.    Rst.
1484686157.516259 TCP-States:Inact.                          24      4
  3       2
1484686157.516259 TCP-States:Syn.    118
          1
1484686157.516259 TCP-States:SA      6
1484686157.516259 TCP-States:Part.   38                      335
  9       2
1484686157.516259 TCP-States:Est.                                    602
  81      2
1484686157.516259 TCP-States:Fin.    3                       5       3
  107     1
1484686157.516259 TCP-States:Rst.                                    2
1484686157.516259 Connections expired due to inactivity: 1525
1484686157.516259 Total reassembler data: 1178K

==== No packet_filter.log

==== No loaded_scripts.log




On Fri, Jan 13, 2017 at 1:28 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Jan 13, 2017, at 12:06 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
> > ,
> >   I wrote a little script to run gstack for all bro processes for every
> minute. And ran it when I loaded the new sig and restarted bro.
> > I have attached the output files for two sensors where I captured the
> gstack stats. Let me know if that's not the correct way of capturing stack
> trace.
>
> You need to collect a core dump when the crash happens and get a stack
> trace from that.  If this is on Linux, you will need to set your
> kernel.core_pattern sysctl value to something like the following....
>
> sudo sysctl -w kernel.core_pattern=core.%e-%t-%p
>
> If you have things set this way and you have gdb installed, broctl should
> automatically generate a stack trace when it restarts the dead process.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170117/f5da7b3b/attachment.html

More information about the Bro mailing list