[Bro] Broctl segmentation fault

Sean Hutchison shutchison at cert.org
Fri Oct 5 04:55:30 PDT 2018


Ya, first install librdkafka (there’s probably a newer version – make sure it supports your Kafka broker version) …
curl --silent -L -k https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz
cd librdkafka-0.9.5
./configure
make
make install

Then get bro-plugins repo and build kafka plugin against version of Bro you’re using by pointing it to where you extracted bro source…
git clone https://github.com/bro/bro-plugins.git
cd bro-plugins/kafka/
./configure --bro-dist=/path/to/bro-2.#.#
make && make install

Confirm with…
bro -N Bro::Kafka

See https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html for example configurations.

V/R
Sean
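
A checked variant of the download step above, as an added example that is not part of the original message: it keeps TLS verification on (no -k) and compares the tarball against a pinned SHA-256 before anything is extracted or built. The function names are hypothetical, and the digest in the usage comment is a placeholder to fill in from a source you trust.

```shell
#!/bin/sh
# Added example (not from the thread): fetch, verify, then extract a source tarball.

# fetch URL OUT: HTTPS only, certificate checks left on, HTTP errors are fatal.
fetch() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when EXPECTED_HEX is not 64 hex digits
# (for example an unfilled placeholder).
verify_sha256() {
    file=$1; expected=$2
    case $expected in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# safe_extract TARBALL EXPECTED_HEX DESTDIR
# Extracts only after the digest matches and no member path is absolute
# or contains a ".." component.
safe_extract() {
    tarball=$1; want=$2; dest=$3
    verify_sha256 "$tarball" "$want" || {
        echo "digest check failed: $tarball" >&2; return 1; }
    if tar tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2; return 1
    fi
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest"
}

# Usage for the librdkafka step (digest is a placeholder, not a real value):
#   fetch https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz librdkafka.tar.gz
#   safe_extract librdkafka.tar.gz "<sha256 of the release you reviewed>" . &&
#       cd librdkafka-0.9.5 && ./configure && make && make install
```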

From: Zeolla at GMail.com [mailto:zeolla at gmail.com]
Sent: Thursday, October 04, 2018 5:06 PM
To: Sean Hutchison <shutchison at cert.org>
Cc: Johanna Amann <johanna at icir.org>; bro at bro.org
Subject: Re: [Bro] Broctl segmentation fault

If you don't mind, can you share the steps you took to build and install the plug-in?  What version?

Jon
On Thu, Oct 4, 2018, 13:23 Sean Hutchison <shutchison at cert.org> wrote:
Yes, and I just removed the Bro Kafka plugin and no more error!

Thank you so much.

V/R
Sean

-----Original Message-----
From: Johanna Amann [mailto:johanna at icir.org]
Sent: Thursday, October 04, 2018 11:36 AM
To: Sean Hutchison <shutchison at cert.org>
Cc: Azoff, Justin S <jazoff at illinois.edu>; bro at bro.org
Subject: Re: [Bro] Broctl segmentation fault

Hi,

Is there a chance that you have binary plugins installed (netmap plugin, a few bro-pkg ones)?

They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead).

If that is the case - either recompiling or removing the binary plugins will fix this.

Johanna

On 4 Oct 2018, at 5:01, Sean Hutchison wrote:

> # bro -v
> bro version 2.5.5
>
> # bro -NN
> Segmentation fault
>
> # bro -b -i lo
> listening on lo
>
> ^C1538653437.070325 received termination signal
> 1538653437.070325 208 packets received on interface lo, 0 dropped
>
> # bro -i lo
> Segmentation fault
>
> # bro -i lo local
> Segmentation fault
>
> # ldd /opt/bro/bin/bro
>         linux-vdso.so.1 =>  (0x00007fff99dfd000)
>         libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000)
>         libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000)
>         libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000)
>         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000)
>         libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000)
>         libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000)
>         libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007f148dd9b000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000)
>         libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000)
>         libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000)
>         libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000)
>         libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f148cb42000)
>         libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000)
>         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000)
>         libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f148c423000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000)
>         libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f148c215000)
>         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f148c011000)
>         libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000)
>         libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000)
>
> No custom scripts being loaded via local.bro Nothing in particular -
> did yum install/update of RedHat-based dependencies according to
> https://www.bro.org/sphinx/install/install.html#required-dependencies
> Although I did build it against pfring first, using yum package from
> ntop repo - same issue, have since removed that and did regular build
>
> Only configure switch was --prefix.
>
> V/R
> Sean
>
> -----Original Message-----
> From: Azoff, Justin S [mailto:jazoff at illinois.edu]
> Sent: Wednesday, October 03, 2018 3:01 PM
> To: Sean Hutchison <shutchison at cert.org>
> Cc: bro at bro.org
> Subject: Re: [Bro] Broctl segmentation fault
>
>
>> On Oct 3, 2018, at 2:46 PM, Sean Hutchison <shutchison at cert.org> wrote:
>>
>> Hello,
>>
>> After any build of Bro with Broctl 1.7, I’m experiencing the below
>> error when broctl/scripts/check-config is run…
>>
>> /opt/bro/share/broctl/scripts/check-config: line 50:  4463 Segmentation fault      "${bro}" $check_option "$@"
>>
>> Anyone encountered this before? Cannot bypass doing broctl check –
>> broctl start results in failed/crashed processes.
>>
>> This is on RHEL7.5, after building Bro-2.5.5 (I’ve tried other minor
>> versions since 2.5 – same issue).
>>
>> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5
>> works fine.
>>
>> Any help would be greatly appreciated.
>>
>
> check runs bro with the current configuration to see if it can start,
> so that's bro segfaulting there.. that's why start also fails..
>
> What do you get if you try each of the following?
>
>     bro -v
>     bro -NN # just see if this runs or crashes
>     bro -b -i lo
>     bro -i lo
>     bro -i lo local
>
> You can hit control-c if any of those start successfully to get your
> prompt back.
>
> I'm not aware of any issues like this, so it could be something with
> your configuration.
>
> Do you have a customized local.bro at all?
> Are you building bro against a particular libpcap or malloc
> implementation?
> What does ldd /opt/bro/bin/bro output?
>
>> Justin Azoff
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--

Jon