[Bro] Broctl segmentation fault

Zeolla@GMail.com zeolla at gmail.com
Fri Oct 5 09:36:00 PDT 2018


Sounds like you are looking at a very old version of the plugin, since
bro/bro-plugins has been completely deprecated at this point.  Can you use
bro-pkg to install apache/metron-bro-plugin-kafka?  It should be a bit more
robust and up to date.  Let me know if you have any issues when taking this
approach.

Jon

On Fri, Oct 5, 2018, 07:55 Sean Hutchison <shutchison at cert.org> wrote:

> Ya, first install librdkafka (there’s probably a newer version – make sure
> it supports your Kafka broker version) …
>
> curl --silent -L -k https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz
>
> cd librdkafka-0.9.5
>
> ./configure
>
> make
>
> make install
>
>
>
> Then get bro-plugins repo and build kafka plugin against version of Bro
> you’re using by pointing it to where you extracted bro source…
>
> git clone https://github.com/bro/bro-plugins.git
>
> cd bro-plugins/kafka/
>
> ./configure --bro-dist=/path/to/bro-2.#.#
>
> make && make install
>
>
>
> Confirm with…
>
> bro -N Bro::Kafka
>
>
>
> See
> https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html
> for example configurations.
>
>
>
> V/R
>
> Sean
>
>
>
> *From:* Zeolla at GMail.com [mailto:zeolla at gmail.com]
> *Sent:* Thursday, October 04, 2018 5:06 PM
> *To:* Sean Hutchison <shutchison at cert.org>
> *Cc:* Johanna Amann <johanna at icir.org>; bro at bro.org
>
>
> *Subject:* Re: [Bro] Broctl segmentation fault
>
>
>
> If you don't mind, can you share the steps you took to build and install
> the plug-in?  What version?
>
>
>
> Jon
>
> On Thu, Oct 4, 2018, 13:23 Sean Hutchison <shutchison at cert.org> wrote:
>
> Yes, and I just removed the Bro Kafka plugin and no more error!
>
> Thank you so much.
>
> V/R
> Sean
>
> -----Original Message-----
> From: Johanna Amann [mailto:johanna at icir.org]
> Sent: Thursday, October 04, 2018 11:36 AM
> To: Sean Hutchison <shutchison at cert.org>
> Cc: Azoff, Justin S <jazoff at illinois.edu>; bro at bro.org
> Subject: Re: [Bro] Broctl segmentation fault
>
> Hi,
>
> Is there a chance that you have binary plugins installed (netmap plugin, a
> few bro-pkg ones)?
>
> They can cause crashes exactly like this. This behavior is fixed with Bro
> 2.6 (it will output an error message instead).
>
> If that is the case - either recompiling or removing the binary plugins
> will fix this.
>
> Johanna
>
> On 4 Oct 2018, at 5:01, Sean Hutchison wrote:
>
> > # bro -v
> > bro version 2.5.5
> >
> > # bro -NN
> > Segmentation fault
> >
> > # bro -b -i lo
> > listening on lo
> >
> > ^C1538653437.070325 received termination signal
> > 1538653437.070325 208 packets received on interface lo, 0 dropped
> >
> > # bro -i lo
> > Segmentation fault
> >
> > # bro -i lo local
> > Segmentation fault
> >
> > # ldd /opt/bro/bin/bro
> >         linux-vdso.so.1 =>  (0x00007fff99dfd000)
> >         libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000)
> >         libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000)
> >         libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000)
> >         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000)
> >         libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000)
> >         libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000)
> >         libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007f148dd9b000)
> >         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000)
> >         libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000)
> >         libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000)
> >         libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000)
> >         libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000)
> >         libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000)
> >         libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f148cb42000)
> >         libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000)
> >         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000)
> >         libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f148c423000)
> >         /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000)
> >         libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f148c215000)
> >         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f148c011000)
> >         libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000)
> >         libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000)
> >
> > No custom scripts being loaded via local.bro.
> > Nothing in particular - did yum install/update of RedHat-based
> > dependencies according to
> > https://www.bro.org/sphinx/install/install.html#required-dependencies
> > Although I did build it against pfring first, using yum package from
> > ntop repo - same issue, have since removed that and did regular build.
> >
> > Only configure switch was --prefix.
> >
> > V/R
> > Sean
> >
> > -----Original Message-----
> > From: Azoff, Justin S [mailto:jazoff at illinois.edu]
> > Sent: Wednesday, October 03, 2018 3:01 PM
> > To: Sean Hutchison <shutchison at cert.org>
> > Cc: bro at bro.org
> > Subject: Re: [Bro] Broctl segmentation fault
> >
> >
> >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison <shutchison at cert.org>
> >> wrote:
> >>
> >> Hello,
> >>
> >> After any build of Bro with Broctl 1.7, I’m experiencing the below
> >> error when broctl/scripts/check-config is run…
> >>
> >> /opt/bro/share/broctl/scripts/check-config: line 50:  4463
> >> Segmentation fault      "${bro}" $check_option "$@"
> >>
> >> Anyone encountered this before? Cannot bypass doing broctl check –
> >> broctl start results in failed/crashed processes.
> >>
> >> This is on RHEL7.5, after building Bro-2.5.5 (I’ve tried other minor
> >> versions since 2.5 – same issue).
> >>
> >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5
> >> works fine.
> >>
> >> Any help would be greatly appreciated.
> >>
> >
> > check runs bro with the current configuration to see if it can start,
> > so that's bro segfaulting there.. that's why start also fails..
> >
> > What do you get if you try each of the following?
> >
> >     bro -v
> >     bro -NN # just see if this runs or crashes
> >     bro -b -i lo
> >     bro -i lo
> >     bro -i lo local
> >
> > You can hit control-c if any of those start successfully to get your
> > prompt back.
> >
> > I'm not aware of any issues like this, so it could be something with
> > your configuration.
> >
> > Do you have a customized local.bro at all?
> > Are you building bro against a particular libpcap or malloc
> > implementation?
> > What does ldd /opt/bro/bin/bro output?
> >
> > —
> > Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>
-- 

Jon
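
[Added example, not part of the original thread or of Bro/broctl.] The crash
discussed above came from a binary plugin that no longer matched the installed
Bro. The sketch below lists binary plugins whose shared library is older than
the bro binary, as candidates to recompile or remove. It assumes plugin
directories carry a __bro_plugin__ marker file with the library under lib/,
and that plugins live under <prefix>/lib/bro/plugins; the function name is
hypothetical and the mtime comparison is only a heuristic.

```shell
#!/bin/sh
# Added example: flag binary Bro plugins that predate the bro binary.
# Usage: find_stale_plugins BRO_BINARY PLUGIN_DIR
# Prints one plugin directory per line; returns 2 if the binary is missing.
find_stale_plugins() {
    bro_bin=$1
    plugin_dir=$2

    if [ ! -f "$bro_bin" ]; then
        echo "no such bro binary: $bro_bin" >&2
        return 2
    fi
    # No plugin directory means there is nothing that could be stale.
    if [ ! -d "$plugin_dir" ]; then
        return 0
    fi

    # Every plugin directory has a __bro_plugin__ marker at its top level.
    find "$plugin_dir" -type f -name __bro_plugin__ | sort |
    while IFS= read -r marker; do
        dir=$(dirname "$marker")
        # Script-only plugins ship no lib/ directory and cannot cause
        # this kind of crash, so skip them.
        if [ ! -d "$dir/lib" ]; then
            continue
        fi
        # A library not newer than the bro binary was built before the
        # current Bro was installed (heuristic, based on mtime only).
        stale=$(find "$dir/lib" -type f -name '*.so' ! -newer "$bro_bin" | head -n 1)
        if [ -n "$stale" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Stand-alone use (paths are assumptions based on the /opt/bro prefix
# seen in the thread):
#   sh this_script.sh /opt/bro/bin/bro /opt/bro/lib/bro/plugins
if [ "$#" -eq 2 ]; then
    find_stale_plugins "$1" "$2"
fi
```

Any directory it prints should be rebuilt against the installed Bro source
tree or removed, then rechecked with bro -NN.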