[Zeek] Zeek crashed

Keith M WPKM at msn.com
Fri Aug 9 05:35:40 PDT 2019 

Hi Justin ,

I only use zeek for parsing of the packets into logs. The logging directory is monitored by a Splunk UF that sends the logs to Splunk. Is there a way to disable any scripts and all IDS scripts and filters but still get the zeek logs to parse correctly. My configuration is all default. I never touched any scripts except to reduce timeouts on DNS waiting for a response.

Thanks
Keith

Sent from my iPhone

On Aug 8, 2019, at 7:30 PM, Justin Azoff <justin at corelight.com<mailto:justin at corelight.com>> wrote:

Hi,

The first thing I would do is use gdb to see what script is being executed there.  Specifically if it is one of the stock scripts or perhaps a custom one you have installed.  This is sort of described on https://www.zeek.org/support/reporting-problems.html but from that gdb session if you paste

up
print this->location->filename
print this->location->first_line


a few times it should start giving your filenames and line numbers.

Are you loading any scripts that call Log::add_filter or other Log:: functions?  A crash inside CheckFilterWriterConflict likely points to something odd being done with log filters.

On Thu, Aug 8, 2019 at 5:47 PM Keith M <WPKM at msn.com<mailto:WPKM at msn.com>> wrote:
I'm new to Zeek. I noticed my Zeek is crashing every few days. I have the below bt

Core was generated by `/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.b'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()
(gdb) bt
#0  0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()
#1  0x000000000089999f in logging::Manager::Write(EnumVal*, RecordVal*) ()
#2  0x00000000005d5436 in BifFunc::Log::bro___write(Frame*, ValPList*) ()
#3  0x00000000005e502f in BuiltinFunc::Call(ValPList*, Frame*) const ()
#4  0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
#5  0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#6  0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
#7  0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
#8  0x000000000063aee4 in ExprStmt::Exec(Frame*, stmt_flow_type&) const ()
#9  0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#10 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
#11 0x00000000005ade1a in EventHandler::Call(ValPList*, bool) ()
#12 0x00000000005ad106 in EventMgr::Drain() ()
#13 0x0000000000601b49 in net_run() ()
#14 0x000000000055e4a3 in main ()

I'm not sure what do make out of it. Everything was stable until two things changed. I went from stand alone to clustermode on the one server as I brought in another interface for a different set of networks. So now there are two network interfaces receiving packets in a cluster on one physical server. Any troubleshooting steps appreciated.

thanks
_______________________________________________
Zeek mailing list
zeek at zeek.org<mailto:zeek at zeek.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190809/63bd7cd2/attachment.html

More information about the Zeek mailing list