[Bro] Segmentation fault while using own signature.
fatema bannatwala
fatema.bannatwala at gmail.com
Tue Jan 17 13:07:58 PST 2017
Hi Seth,
On one of our sensors, I did:
$ sudo sysctl -w kernel.core_pattern=core.%e-%t-%p
$ sudo sysctl -a | grep "kernel.core"
kernel.core_pattern = core.%e-%t-%p
Also, verified that I have gdb installed:
$ which gdb
/usr/bin/gdb
Also, I'm starting bro with the following commands on the manager:
sudo -u bro /usr/local/bro/2.5/bin/broctl install
sudo -u bro /usr/local/bro/2.5/bin/broctl restart
However, when looking at the crash report on the sensor, it says no core file
was found:
(Any idea why broctl isn't generating the core dump, or do I have to
include any file in local.bro for the same?)
$ cd /mnt/brolog/spool/tmp/post-terminate-worker-2017-01-17-15-50-21-90688-crash
$ less .crash-diag.out
No core file found.
Bro 2.5
Linux 3.10.0-327.36.3.el7.x86_64
Bro plugins: (none found)
==== No reporter.log
==== stderr.log
internal warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line
3: Discarded extraneous Broxygen comment: aashish: need to port to file
analysis framework
warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line 39:
dangerous assignment of double to integral (ConnStats::out$EstinboundConns
= ConnStats::result[EstinboundConns]$sum)
warning in /usr/local/bro/2.5/share/bro/site/connStats.bro, line 40:
dangerous assignment of double to integral (ConnStats::out$EstoutboundConns
= ConnStats::result[EstoutboundConns]$sum)
Warning: Kernel filter failed: Bad address
listening on em1
Warning: Kernel filter failed: Bad address
1484685887.668496 processing suspended
1484685887.668496 processing continued
/usr/local/bro/2.5/share/broctl/scripts/run-bro: line 107: 121052
Segmentation fault nohup ${pin_command} $pin_cpu "$mybro" "$@"
==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
==== .cmdline
-i em1 -U .status -p broctl -p broctl-live -p local -p worker-1-9 local.bro
broctl base/frameworks/cluster local-worker.bro broctl/auto
==== .env_vars
PATH=/usr/local/bro/2.5/bin:/usr/local/bro/2.5/share/broctl/scripts:/usr/local/bin:/usr/bin
BROPATH=/mnt/brolog/spool/installed-scripts-do-not-touch/site::/mnt/brolog/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/2.5/share/bro:/usr/local/bro/2.5/share/bro/policy:/usr/local/bro/2.5/share/bro/site
CLUSTER_NODE=worker-1-9
==== .status
RUNNING [net_run]
==== prof.log
1484686157.516259 TCP-States: Inact. Syn. SA Part. Est.
Fin. Rst.
1484686157.516259 TCP-States:Inact. 24 4
3 2
1484686157.516259 TCP-States:Syn. 118
1
1484686157.516259 TCP-States:SA 6
1484686157.516259 TCP-States:Part. 38 335
9 2
1484686157.516259 TCP-States:Est. 602
81 2
1484686157.516259 TCP-States:Fin. 3 5 3
107 1
1484686157.516259 TCP-States:Rst. 2
1484686157.516259 Connections expired due to inactivity: 1525
1484686157.516259 Total reassembler data: 1178K
==== No packet_filter.log
==== No loaded_scripts.log
On Fri, Jan 13, 2017 at 1:28 PM, Seth Hall <seth at icir.org> wrote:
>
> > On Jan 13, 2017, at 12:06 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
> > ,
> > I wrote a little script to run gstack for all bro processes for every
> minute. And ran it when I loaded the new sig and restarted bro.
> > I have attached the output files for two sensors where I captured the
> gstack stats. Let me know if that's not the correct way of capturing stack
> trace.
>
> You need to collect a core dump when the crash happens and get a stack
> trace from that. If this is on Linux, you will need to set your
> kernel.core_pattern sysctl value to something like the following....
>
> sudo sysctl -w kernel.core_pattern=core.%e-%t-%p
>
> If you have things set this way and you have gdb installed, broctl should
> automatically generate a stack trace when it restarts the dead process.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>