[Bro] Getting a Broctl Stack Trace

Azoff, Justin S jazoff at illinois.edu
Fri Nov 16 18:59:39 PST 2018

I'm not 100% sure about the root cause, but I know one thing that may help.. there's a code path for 'broctl start' that will say something has "crashed" when it is "not running".. but "not running" doesn't have to be a segfault... just that it didn't fully initialize in the way that broctl was expecting it to.

Hosom was also looking into this today and said he was seeing:

warning in /usr/local/bro/share/bro/base/init-bare.bro, line 1: problem initializing NB-DNS: no valid nameservers in resolver config

It may be a red herring, but that's easy to rule out:



to broctl.cfg

and deploy and see if things start properly with real DNS disabled.

From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Mike M <turbidtarantula at gmail.com>
Sent: Tuesday, November 13, 2018 11:22:10 AM
To: seth at corelight.com
Cc: bro at bro.org
Subject: Re: [Bro] Getting a Broctl Stack Trace

I gave this a shot but I'm still not seeing a core file. I tried both the setting you recommended and setting an absolute path to /tmp. When I force a core dump on another process the core file shows up as expected, but broctl isn't producing one.

I'm open to suggestions on this one... not sure how to determine the root cause.


On Mon, Nov 5, 2018 at 5:01 PM Seth Hall <seth at corelight.com> wrote:
Make sure you are setting the core pattern on your system so that the
core dump will be written into the CWD.

sudo sysctl -w kernel.core_pattern="core.%e-%t-%p"


On 2 Nov 2018, at 12:51, Mike M wrote:

> I'm having an issue with broctl crashing when I try to run it on Alpine
> Linux. I mentioned it previously [1] but I'm circling back around to try to
> get it resolved. I've built it with the appropriate patches [2] but broctl
> is still reporting "crashed" state when I check the status after starting
> it. The bro binary itself runs fine.
> What do I need to do to collect a stack trace from broctl to determine the
> root cause?
> Bro is built in debug mode and I set "ulimit -c unlimited" per the
> instructions on reporting problems. I see a
> /usr/local/bro/spool/tmp/post-terminate-standalone-2018-11-02-02-56-06-13765-crash
> directory but there's no core dump anywhere obvious. The .crash-diag.out
> file says "No core file found" and doesn't provide any useful information
> about the cause of the crash.
> Thanks,
> Mike
> [1] http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013580.html
> [2] http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013581.html

Seth Hall * Corelight, Inc * www.corelight.com
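
The core_pattern advice in the thread only puts a core file in the working directory when the pattern is a relative file name. As an added example (not from the thread or from the Bro project), this script classifies a kernel.core_pattern value and reports where a core would be delivered. The function names and the pipe handler path are made up for illustration, and the sample patterns other than the one quoted in the thread are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): where would the kernel deliver a core?

# classify_core_pattern PATTERN -> prints pipe | absolute | relative
classify_core_pattern() {
    case "$1" in
        '|'*) echo pipe ;;      # leading "|": dump is piped to a handler program
        /*)   echo absolute ;;  # fixed directory, independent of the process CWD
        *)    echo relative ;;  # written relative to the crashing process's CWD
    esac
}

# core_destination PATTERN CORE_LIMIT -> prints one line describing the outcome
# CORE_LIMIT is the soft "ulimit -c" value of the shell that starts the process.
core_destination() {
    kind=$(classify_core_pattern "$1")
    if [ "$kind" = pipe ]; then
        # The handler receives the dump and decides what, if anything, to store.
        echo "handler: ${1#?}"
        return 0
    fi
    if [ "$2" = 0 ]; then
        echo "none: core size limit is 0"
        return 0
    fi
    case "$kind" in
        absolute) echo "directory: ${1%/*}/" ;;
        relative) echo "cwd of the crashing process" ;;
    esac
}

# Constructed samples: the pattern from the thread, an absolute /tmp variant,
# and a hypothetical pipe handler path.
for p in 'core.%e-%t-%p' '/tmp/core.%e-%t-%p' '|/usr/local/bin/core-handler %p'; do
    printf '%-34s -> %s\n' "$p" "$(core_destination "$p" unlimited)"
done

# Live values on a Linux host, if readable.
if [ -r /proc/sys/kernel/core_pattern ]; then
    live=$(cat /proc/sys/kernel/core_pattern)
    echo "this host: $(core_destination "$live" "$(ulimit -c)")"
fi
```

Run it from the same shell session that launches broctl, so the reported limit is the one the child process inherits.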