[Bro] Segmentation fault while using own signature.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 18 11:30:34 PST 2017


Thanks Jon for the links!

Thanks Justin for alternative.

We have our cluster in production, hence currently that sig file is
disabled so that the cluster runs properly.
Hence, to recreate the seg fault issue this time, rather than enabling it
for the whole cluster, I just enabled it (in local.bro) for the previous
version of bro that we still have around, and ran a single bro process for
that old version, as you suggested.
This time I was able to generate a core dump for that single process.

I ran the core dump through the crash-diag script:

==========================================================================
$ /usr/local/bro/2.4.1/share/broctl/scripts/crash-diag /tmp/brotest/

Bro 2.5
Linux 3.10.0-327.36.3.el7.x86_64

core.bro-1484765328-89288

Core was generated by `/usr/local/bro/2.4.1/bin/bro -i eth2 local'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005ed589 in Func::Func (this=0x7ffd504940e0) at /home/fa/bro-2.5/src/Func.cc:63

Thread 1 (LWP 89288):
#0  0x00000000005ed589 in Func::Func (this=0x7ffd504940e0) at /home/fa/bro-2.5/src/Func.cc:63
#1  0x00000000047dfaf0 in ?? ()
#2  0x00007ffd504940e0 in ?? ()
#3  0x0000000000000000 in ?? ()

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== prof.log
1484765327.517900 TCP-States:        Inact.  Syn.    SA      Part.   Est.    Fin.    Rst.
1484765327.517900 TCP-States:Inact.                          454     1611    19      7
1484765327.517900 TCP-States:Syn.    2360                    1027    12      262     34
1484765327.517900 TCP-States:SA      31                      22
1484765327.517900 TCP-States:Part.   807                     6489    1036    824     18
1484765327.517900 TCP-States:Est.                                    13778   3785    97
1484765327.517900 TCP-States:Fin.    61                      619     3114    2401    33
1484765327.517900 TCP-States:Rst.    27                      14      106     45      7
1484765327.517900 Connections expired due to inactivity: 37736
1484765327.517900 Total reassembler data: 21844K

==== packet_filter.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   packet_filter
#open   2017-01-18-13-44-17
#fields ts      node    filter  init    success
#types  time    string  string  bool    bool
1484765057.522496       bro     ip or not ip    T       T

==== loaded_scripts.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   loaded_scripts
#open   2017-01-18-13-44-17
#fields name
#types  string
/usr/local/bro/2.4.1/share/bro/base/init-bare.bro
  /usr/local/bro/2.4.1/share/bro/base/bif/const.bif.bro
.......... (And a whole lot of loaded scripts, truncated)

=============================================================================

The interesting thing is, I don't have such a folder as
/home/fa/bro-2.5/src/Func.cc:63 in the home dir on that machine, where the
error is reported according to the core dump.
But I located the Func.cc file and saw the function where the seg fault was
reported:

Func::Func() : scope(0), type(0)
        {
        unique_id = unique_ids.size();
        unique_ids.push_back(this);
        }

I don't have much intuition, though, as to what caused it :/

Thanks,
Fatema.

On Wed, Jan 18, 2017 at 12:33 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jan 18, 2017, at 11:56 AM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Hi Seth,
> >
> > Thanks for the suggestions, still getting No core dump:
>
> I'd just run bro from a shell.. you said it crashes pretty quickly right?
>
> sudo su -
> mkdir /tmp/brotest
> cd /tmp/brotest
> ulimit -c unlimited
> /usr/local/bro/2.5/bin/bro -i eth0 local
>
> then it should crash and dump the core file right there.
>
> (replace eth0 with whatever)
>
> --
> - Justin Azoff
>
>
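
Added example, not part of the original thread: a small parser for crash-diag output like the one quoted above. It collects the version strings that appear in the banner, the binary path and the source paths, and counts frames gdb could not resolve, so the two can be compared before reading further into the backtrace. The field names (`banner`, `binary`, `sources`) and the idea of reading a version out of a path are assumptions of this example.

```python
import re

# Constructed sample: crash-diag lines quoted above, mail-wrapped lines rejoined.
SAMPLE = """\
Bro 2.5
Core was generated by `/usr/local/bro/2.4.1/bin/bro -i eth2 local'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005ed589 in Func::Func (this=0x7ffd504940e0) at /home/fa/bro-2.5/src/Func.cc:63
Thread 1 (LWP 89288):
#0  0x00000000005ed589 in Func::Func (this=0x7ffd504940e0) at /home/fa/bro-2.5/src/Func.cc:63
#1  0x00000000047dfaf0 in ?? ()
#2  0x00007ffd504940e0 in ?? ()
#3  0x0000000000000000 in ?? ()
"""

VERSION = re.compile(r"\d+\.\d+(?:\.\d+)?")
FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (.+?) \(.*?\)(?: at (\S+):\d+)?$")

def summarize(report):
    # Pull version strings and the per-thread frames out of crash-diag text.
    info = {"banner": None, "binary": None, "sources": set(), "signal": None, "frames": []}
    in_thread = False
    for line in report.splitlines():
        if m := re.match(r"Bro (\d\S*)$", line):
            info["banner"] = m.group(1)
        elif m := re.match(r"Core was generated by `(\S+)", line):
            v = VERSION.search(m.group(1))  # version embedded in the install path
            info["binary"] = v.group() if v else None
        elif m := re.match(r"Program terminated with signal (\d+)", line):
            info["signal"] = int(m.group(1))
        elif line.startswith("Thread "):
            in_thread = True  # the frame printed before this line repeats #0
        elif in_thread and (m := FRAME.match(line)):
            info["frames"].append(m.group(1))
            if m.group(2) and (v := VERSION.search(m.group(2))):
                info["sources"].add(v.group())  # version embedded in the build path
    return info

def findings(info):
    # Notes on things worth checking before trusting the backtrace.
    notes = []
    versions = {v for v in (info["banner"], info["binary"]) if v} | info["sources"]
    if len(versions) > 1:
        notes.append("version strings disagree: " + ", ".join(sorted(versions)))
    unresolved = info["frames"].count("??")  # gdb prints ?? when it has no symbol
    if unresolved:
        notes.append(f"{unresolved} of {len(info['frames'])} frames unresolved")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(summarize(SAMPLE))))
```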