[Bro] Getting a Broctl Stack Trace

Mike M turbidtarantula at gmail.com
Tue Nov 20 14:43:28 PST 2018


Thank you for the suggestion. Adding that setting to broctl.cfg didn't make
a difference, but I did notice that when I run broctl deploy I get "(bro
still initializing)" at the end. Since I don't normally see that it makes
me think something isn't coming up correctly, rather than an actual
segfault.

Are there other options I should try setting in broctl.cfg, or anything
else I can do to diagnose what's not working as broctl expects?

thanks,
Mike

On Fri, Nov 16, 2018 at 9:59 PM Azoff, Justin S <jazoff at illinois.edu> wrote:

> I'm not 100% sure about the root cause, but I know one thing that may
> help.. there's a code path for 'broctl start' that will say something has
> "crashed" when it is "not running".. but "not running" doesn't have to be a
> segfault... just that it didn't fully initialize in the way that broctl was
> expecting it to.
>
> Hosom was also looking into this today and said he was seeing:
>
> warning in /usr/local/bro/share/bro/base/init-bare.bro, line 1: problem
> initializing NB-DNS: no valid nameservers in resolver config
>
> It may be a red herring, but that's easy to rule out:
>
> add
>
> env_vars=BRO_DNS_FAKE=1
>
> to broctl.cfg
>
> and deploy and see if things start properly with real DNS disabled.
>
> ------------------------------
> *From:* bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Mike M <
> turbidtarantula at gmail.com>
> *Sent:* Tuesday, November 13, 2018 11:22:10 AM
> *To:* seth at corelight.com
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] Getting a Broctl Stack Trace
>
> I gave this a shot but I'm still not seeing a core file. I tried both the
> setting you recommended and setting an absolute path to /tmp. When I force
> a core dump on another process the core file shows up as expected, but
> broctl isn't producing one.
>
> I'm open to suggestions on this one... not sure how to determine the root
> cause.
>
> thanks,
> Mike
>
> On Mon, Nov 5, 2018 at 5:01 PM Seth Hall <seth at corelight.com> wrote:
>
> Make sure you are setting the core pattern on your system so that the
> core dump will be written into the CWD.
>
> sudo sysctl -w kernel.core_pattern="core.%e-%t-%p"
>
>    .Seth
>
> On 2 Nov 2018, at 12:51, Mike M wrote:
>
> > I'm having an issue with broctl crashing when I try to run it on Alpine
> > Linux. I mentioned it previously [1] but I'm circling back around to try to
> > get it resolved. I've built it with the appropriate patches [2] but broctl
> > is still reporting "crashed" state when I check the status after starting
> > it. The bro binary itself runs fine.
> >
> > What do I need to do to collect a stack trace from broctl to determine the
> > root cause?
> >
> > Bro is built in debug mode and I set "ulimit -c unlimited" per the
> > instructions on reporting problems. I see a
> > /usr/local/bro/spool/tmp/post-terminate-standalone-2018-11-02-02-56-06-13765-crash
> > directory but there's no core dump anywhere obvious. The .crash-diag.out
> > file says "No core file found" and doesn't provide any useful information
> > about the cause of the crash.
> >
> > Thanks,
> > Mike
> >
> > [1] http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013580.html
> > [2] http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013581.html
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
>
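The thread turns on why no core file appears even though "ulimit -c unlimited" and kernel.core_pattern were set. The following is an added example, not part of the original messages or of broctl: a small shell check that combines the core pattern, the soft core limit a process actually has, and the writability of the target directory. The function names and the sample limits text are constructed for illustration; it assumes Linux `/proc`.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/limits (only the core line matters here).
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files'

# Where does the kernel send a core for this kernel.core_pattern value?
classify_core_pattern() {
    case "$1" in
        "|"*) echo pipe ;;      # handed to a userspace helper, no file in CWD
        /*)   echo absolute ;;  # fixed directory, independent of the process CWD
        *)    echo cwd ;;       # relative: written under the crashing process's CWD
    esac
}

# Soft RLIMIT_CORE from limits text on stdin ("0" means no core is written).
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }'
}

# diagnose_core PATTERN LIMITS_TEXT CWD -> one-line verdict (hypothetical helper)
diagnose_core() {
    pattern=$1
    limits=$2
    cwd=$3
    soft=$(printf '%s\n' "$limits" | core_soft_limit)
    if [ "$soft" = "0" ]; then echo rlimit-zero; return 0; fi
    case "$(classify_core_pattern "$pattern")" in
        pipe)     echo piped-to-handler; return 0 ;;
        absolute) dir=$(dirname "$pattern") ;;
        cwd)      dir=$cwd/$(dirname "$pattern") ;;
    esac
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "ok:$dir"
    else
        echo "unwritable:$dir"
    fi
}

# Live use on a Linux host (PID is the process you expect to dump core):
#   diagnose_core "$(cat /proc/sys/kernel/core_pattern)" \
#                 "$(cat /proc/$PID/limits)" "$(readlink /proc/$PID/cwd)"
```

Reading the limit from `/proc/<pid>/limits` matters because the value set with `ulimit -c` in an interactive shell applies only to that shell and its children, not to a process started some other way.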