[Bro] Running Bro on Alpine

Mike M turbidtarantula at gmail.com
Wed Sep 19 06:18:52 PDT 2018


Thanks Daniel T and Daniel G.

I verified that no Bro processes were running before running broctl, but
still I'm seeing the same behavior as Daniel G.

Please let me know if I can assist any further with debugging.

cheers,
Mike

On Tue, Sep 18, 2018 at 4:29 PM Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> Just tried it, for now I can only confirm your problem
>
> /tmp/bro # /usr/local/bro/bin/broctl start
> starting bro ...
> (bro still initializing)
> /tmp/bro # /usr/local/bro/bin/broctl status
> Name         Type       Host          Status    Pid    Started
> bro          standalone localhost     crashed
>
> this might help, dmesg output
>
> device eth0 entered promiscuous mode
> traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb
> sp:7f92f1a40880 error:0
>  in ld-musl-x86_64.so.1[7f92f1848000+8d000]
> bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp
> 00007ffd5d7bbaa8 error 15
> bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp
> 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]
>
> and the ps aux output
>
>   364 root      0:00 {run-bro} /bin/bash
> /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl
> -p broctl-live -p standalone -p local -p bro local.bro broctl
> broctl/standalone broctl
>   370 root      0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl
> -p broctl-live -p standalone -p local -p bro local.bro broctl
> broctl/standalone broctl/auto
>   372 root      0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl
> -p broctl-live -p standalone -p local -p bro local.bro broctl
> broctl/standalone broctl/auto
>
>
> On 18/09/2018 at 20:23, Mike M wrote:
>
> Daniel,
>
> Thanks for the help. I rebuilt bro with those patches (although they look
> identical to the ones I referenced earlier), making sure to grab all the
> dependencies listed in the docker file.
>
> I'm still seeing broctl report that bro crashed. However, what I failed to
> notice before is that there are actually several bro processes running and
> bro is still producing logs even when broctl reports it has crashed.
>
> I suppose I could roll my own scripts to start and stop bro, but I'd
> prefer to actually get broctl working on alpine. Any ideas as to why it's
> reporting inaccurate information?
>
> thanks,
> Mike
>
> On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra <daniel.guerra69 at gmail.com>
> wrote:
>
>> Check out
>>
>>
>> For alpine linux you need some patches
>>
>> https://github.com/blacktop/docker-bro/tree/master/2.5
>>
>>
>> Regards,
>>
>>
>> Daniel
>> On 18/09/2018 at 17:18, Mike M wrote:
>>
>> Hello,
>>
>> I’m trying to compile and run Bro on Alpine Linux and I’m having an issue
>> with broctl crashing.
>>
>> Out of the box running ./configure and make using the bro 2.5.5 source I
>> get a bunch of errors like “'u_char' does not name a type” [1].
>>
>> I found this project for compiling Bro on Alpine [2]. The build-bro.sh
>> script includes two patch files and a cmake file [3]. Manually applying
>> those three files gets Bro to the point where it compiles successfully.
>>
>> Bro will run fine from the command line, but running broctl it crashes
>> almost immediately [4]. Broctl reports Bro as crashed, but it briefly
>> produces all the log files I'd expect (conn, dns, etc). There's nothing
>> useful in the stdout, stderr or reporter logs.
>>
>> I built bro with --enable-debug, I've got gdb installed, and I set
>> "ulimit -c unlimited" but I don't see a crash dump anywhere.
>>
>> In the absence of any error messages I'm unsure on how to proceed. Can
>> anyone recommend next steps?
>>
>> thanks,
>> Mike
>>
>> [1] see compile error.txt (attached)
>> [2] https://github.com/danielguerra69/docker-bro-1
>> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
>> [4] see broctl crash.txt (attached)
>>
>>
>