[Bro] [BRO-ISSUE]: bro crash when so many Reporter::Error calls
Jon Siwek
jsiwek at corelight.com
Mon Apr 2 08:03:38 PDT 2018
On 1/25/18 10:18 AM, Myth Ren wrote:
> I'm using bro 2.5.1 for network security monitoring, the message
> queue is kafka component (the bro-to-kafka plugin version is v0.5.0,
> librdkafka version is v0.9.5).
The plugins from Bro v2.5.1 may be a bit old to continue using. I'd
generally suggest trying to update to the newest version of everything.
> Below listed information is backtrace from core dump. (more on gist
> <https://gist.github.com/MythRen/b55220647ca28654c6f7e1db12ee6036>)
> #4 0x00000000005fee8f in Reporter::Error (this=<optimized out>, fmt=fmt@entry=0x7fe36c719d70 "Kafka send failed: %s") at /opt/download/bro/src/Reporter.cc:76
> #5 0x00007fe36c717fa9 in logging::writer::KafkaWriter::DoWrite (this=0x6369270, num_fields=<optimized out>, fields=<optimized out>, vals=0x69d2080) at /opt/download/bro/aux/plugins/kafka/src/KafkaWriter.cc:156
> #6
This is basically the problem: this version of KafkaWriter is directly
using Reporter calls and that's not thread-safe. Here would be the way
to fix it for your reference (in case you simply can't update things):
https://github.com/apache/metron-bro-plugin-kafka/commit/4968b6537f663c1de061d0cf0aedb42f43ab12ee
- Jon
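
Added example, not part of the original message and not code from Bro or the Kafka plugin: a minimal C++ sketch of the thread-safe pattern the reply points toward, where writer threads queue error messages and only the main thread touches the reporter. `MainThreadReporter`, `MsgQueue`, `WriterLoop` and `RunDemo` are hypothetical names, and the error strings are constructed sample data.

```cpp
#include <cstddef>
#include <functional>
#include <mutex>
#include <queue>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for a reporter that is only safe on the main thread:
// its state is deliberately unsynchronized.
struct MainThreadReporter {
    std::vector<std::string> errors;
    void Error(const std::string& msg) { errors.push_back(msg); }
};

// Mutex-protected queue that carries messages from writer threads to main.
class MsgQueue {
public:
    void Push(std::string msg) {
        std::lock_guard<std::mutex> lock(mu_);
        q_.push(std::move(msg));
    }
    // Main thread only: take everything queued so far and report it.
    std::size_t Drain(MainThreadReporter& rep) {
        std::queue<std::string> local;
        { std::lock_guard<std::mutex> lock(mu_); std::swap(local, q_); }
        std::size_t n = local.size();
        for (; !local.empty(); local.pop()) rep.Error(local.front());
        return n;
    }
private:
    std::mutex mu_;
    std::queue<std::string> q_;
};

// Writer thread body: a failed send queues the error; it never calls the reporter.
void WriterLoop(MsgQueue& out, int failed_sends) {
    for (int i = 0; i < failed_sends; ++i)
        out.Push("Kafka send failed: constructed error " + std::to_string(i));
}

// Several writers fail concurrently; the main thread reports every message.
std::size_t RunDemo(int writers, int failures_each) {
    MsgQueue q;
    MainThreadReporter rep;
    std::vector<std::thread> pool;
    for (int w = 0; w < writers; ++w)
        pool.emplace_back(WriterLoop, std::ref(q), failures_each);
    for (auto& t : pool) t.join();
    q.Drain(rep);
    return rep.errors.size();
}

int main() { return RunDemo(4, 1000) == 4000 ? 0 : 1; }
```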