[Bro] Segmentation fault while using own signature.

Zeolla@GMail.com zeolla at gmail.com
Wed Jan 18 09:16:45 PST 2017 

I've run into issues with getting core dumps in the past.  I documented
some of them as comments against broala KBs, but I'm not sure where those
exist now that it has been renamed.  What OS are you running?  Recalling
from memory, there are different things that can stop successful cores
using the afore-mentioned config depending on the platform (I think it was
ABRT?).  Happy to pull that back up again if you continue to have an issue.

Jon

On Wed, Jan 18, 2017 at 12:03 PM fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> Hi Seth,
>
> Thanks for the suggestions, still getting No core dump:
>
> $ less /etc/security/limits.conf
> #Editing the core dump limit to unlimited for Bro debugging
> #*               soft    core            0
> *               soft    core            unlimited
>
> $ less .crash-diag.out
> No core file found.
>
> Bro 2.5
> Linux 3.10.0-327.36.3.el7.x86_64
>
> Bro plugins: (none found)
>
> ==== No reporter.log
>
> <Truncated>
>
> I will check to see what am I missing.
>
> Thanks,
> Fatema.
>
> On Tue, Jan 17, 2017 at 10:58 PM, Seth Hall <seth at icir.org> wrote:
>
>
> > On Jan 17, 2017, at 4:07 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
> > Also, I m starting bro with following commands on manager:
> > sudo -u bro /usr/local/bro/2.5/bin/broctl install
> > sudo -u bro /usr/local/bro/2.5/bin/broctl restart
> >
> > However, when seeing the crash report on the sensor, it says No core
> file was found:
> > (Any idea, why broctl isn't generating the core dump, or do I have to
> include any file in local.bro for the same?)
>
> Ah!  I suspect the problem is that you're starting Bro as the Bro user
> which probably doesn't have permission to increase it's maximum core file
> size to unlimited.
>
> You can edit /etc/security/limits.conf and add the following line to it...
>
> *  soft  core  unlimited
>
> That should make it possible for Bro to have arbitrarily large core dumps.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 

Jon

Sent from my mobile device
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170118/a7f61975/attachment.html

More information about the Bro mailing list