[Bro] Segmentation fault while using own signature.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 18 09:27:23 PST 2017


Hi Jon,

Thanks for lending some help. Appreciate it.
We are running CentOS on our Bro sensors as well as on the manager.

Here's the full info:
Linux sensor1.xx.xx 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.2.1511 (Core)

Thanks,
Fatema.


On Wed, Jan 18, 2017 at 12:16 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:

> I've run into issues with getting core dumps in the past.  I documented
> some of them as comments against broala KBs, but I'm not sure where those
> exist now that it has been renamed.  What OS are you running?  Recalling
> from memory, there are different things that can stop successful cores
> using the aforementioned config depending on the platform (I think it was
> ABRT?).  Happy to pull that back up again if you continue to have an issue.
>
> Jon
>
> On Wed, Jan 18, 2017 at 12:03 PM fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> Hi Seth,
>>
>> Thanks for the suggestions, still getting No core dump:
>>
>> $ less /etc/security/limits.conf
>> #Editing the core dump limit to unlimited for Bro debugging
>> #*               soft    core            0
>> *               soft    core            unlimited
>>
>> $ less .crash-diag.out
>> No core file found.
>>
>> Bro 2.5
>> Linux 3.10.0-327.36.3.el7.x86_64
>>
>> Bro plugins: (none found)
>>
>> ==== No reporter.log
>>
>> <Truncated>
>>
>> I will check to see what I am missing.
>>
>> Thanks,
>> Fatema.
>>
>> On Tue, Jan 17, 2017 at 10:58 PM, Seth Hall <seth at icir.org> wrote:
>>
>>
>> > On Jan 17, 2017, at 4:07 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>> >
>> > Also, I'm starting Bro with the following commands on the manager:
>> > sudo -u bro /usr/local/bro/2.5/bin/broctl install
>> > sudo -u bro /usr/local/bro/2.5/bin/broctl restart
>> >
>> > However, when seeing the crash report on the sensor, it says No core file was found:
>> > (Any idea why broctl isn't generating the core dump, or do I have to include any file in local.bro for the same?)
>>
>> Ah!  I suspect the problem is that you're starting Bro as the Bro user
>> which probably doesn't have permission to increase its maximum core file
>> size to unlimited.
>>
>> You can edit /etc/security/limits.conf and add the following line to it...
>>
>> *  soft  core  unlimited
>>
>> That should make it possible for Bro to have arbitrarily large core dumps.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
> --
>
> Jon
>
> Sent from my mobile device
>
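
A diagnostic for the situation in this thread (limits.conf edited, crash report still says "No core file found"), added here as an example and not code from the thread or from Bro: it reads the effective core limit from `/proc/<pid>/limits`-style text and checks whether `kernel.core_pattern` pipes cores to a handler such as ABRT's. The function names and sample inputs are constructed; the handler path is the one abrt-ccpp uses on CentOS 7 and is an assumption about this sensor.

```shell
#!/bin/sh
# Added example (not from the thread): work out why a crashed process left no
# core file in its directory. Function names are made up for this sketch.

# Soft "Max core file size" from /proc/<pid>/limits-style text on stdin.
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }'
}

# Classify a kernel.core_pattern value ($1): piped to a handler, or a file.
core_destination() {
    case "$1" in
        "|"*) printf '%s\n' "$1" | awk '{ sub(/^[|]/, "", $1); print "pipe:" $1 }' ;;
        *)    printf 'file:%s\n' "$1" ;;
    esac
}

# Verdict from limits text ($1) and core_pattern ($2).
diagnose() {
    soft=$(printf '%s\n' "$1" | core_soft_limit)
    dest=$(core_destination "$2")
    case "$dest" in
        pipe:*) echo "handler-takes-core ${dest#pipe:}" ;;
        *) if [ "$soft" = "0" ]; then echo "soft-limit-zero"
           else echo "core-written ${dest#file:} (limit $soft)"; fi ;;
    esac
}

# Constructed sample: a process whose soft core limit is still 0.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files'
# Constructed sample: a pipe pattern of the kind ABRT installs (assumed path).
SAMPLE_PATTERN='|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e'

diagnose "$SAMPLE_LIMITS" "$SAMPLE_PATTERN"
diagnose "$SAMPLE_LIMITS" "core"

# Live check: pass the PID of a running bro process as the first argument.
if [ -n "${1:-}" ] && [ -r "/proc/$1/limits" ]; then
    diagnose "$(cat "/proc/$1/limits")" "$(cat /proc/sys/kernel/core_pattern)"
fi
```

limits.conf is applied by pam_limits when a session starts, so a process that was already running keeps its old limit until it is restarted from a new session; `/proc/<pid>/limits` shows what the process actually has.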