[Zeek] tcmalloc large alloc

Zander Work zander.work at oregonstate.edu
Wed Mar 27 08:54:28 PDT 2019


I work with Zach; here are the symbols:

$ addr2line -e /usr/local/bro/bin/bro 0x7f72a12604ef 0x7f72a1280d56 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5
??:0
??:0
/home/zeek/bro-2.6.1/aux/binpac/lib/binpac_buffer.cc:119
/home/zeek/bro-2.6.1/aux/binpac/lib/binpac_buffer.cc:529
/home/zeek/bro-2.6.1/build/src/file_analysis/analyzer/pe/pe_pac.cc:1900
/home/zeek/bro-2.6.1/src/file_analysis/analyzer/pe/PE.cc:26
/home/zeek/bro-2.6.1/src/file_analysis/File.cc:440
/home/zeek/bro-2.6.1/src/file_analysis/File.cc:481
/home/zeek/bro-2.6.1/src/file_analysis/File.cc:540
/home/zeek/bro-2.6.1/src/file_analysis/Manager.cc:167
/usr/include/c++/4.8.2/bits/basic_string.h:583 (discriminator 3)
/home/zeek/bro-2.6.1/src/analyzer/protocol/mime/MIME.cc:1230
/home/zeek/bro-2.6.1/src/analyzer/protocol/http/HTTP.cc:217
/home/zeek/bro-2.6.1/src/analyzer/protocol/http/HTTP.cc:161
/home/zeek/bro-2.6.1/src/analyzer/protocol/http/HTTP.cc:947
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/ContentLine.cc:174
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/ContentLine.cc:110
/home/zeek/bro-2.6.1/src/analyzer/Analyzer.cc:245
/home/zeek/bro-2.6.1/src/analyzer/Analyzer.cc:331
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/TCP_Reassembler.cc:621
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/TCP_Reassembler.cc:375
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/TCP_Reassembler.cc:460
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/TCP_Endpoint.cc:210
/home/zeek/bro-2.6.1/src/analyzer/protocol/tcp/TCP.cc:989
/home/zeek/bro-2.6.1/src/analyzer/Analyzer.cc:222
/home/zeek/bro-2.6.1/src/Conn.cc:271
/home/zeek/bro-2.6.1/src/Sessions.cc:769
/home/zeek/bro-2.6.1/src/IP.h:382
/home/zeek/bro-2.6.1/src/Net.cc:272
/home/zeek/bro-2.6.1/src/iosource/PktSrc.cc:263
/home/zeek/bro-2.6.1/src/Net.cc:315

The first two showing ??:0 makes sense b/c those are memory addresses. It looks like the PE analyzer might be the culprit but I'm not sure.
Thanks for your help!

Zander Work | Security Analyst | Oregon Research & Teaching Security Operations Center (ORTSOC)

A008 Kerr Admin Bldg | Corvallis, OR 97331 | Phone: 541-737-9800

On Mar 27 2019, at 7:48 am, Seth Hall <seth at corelight.com> wrote:
>
> On 25 Mar 2019, at 15:33, Rogers, Zach wrote:
> > We have been seeing some crash reports on some of our nodes, regarding
> > a tcmalloc error. I was wondering if anyone else has seen this before
> > and if anyone has any suggestions on what the cause might be. We are
> > running Zeek 2.6. Here is an example stderr.log output from one of
> > these crashes:
>
>
> We've seen evidence before that there is a file analyzer freaking out
> with particular files and attempting to do these very large allocations.
> Unfortunately we still don't have concrete indications about exactly
> what is causing the problem. It would be helpful for us if you
> converted those offsets into symbolic procedure names. You can do it
> this way (just specify the correct location for your binary)...
>
> addr2line -e /usr/local/bro/bin/bro 0x7f72a12604ef 0x7f72a1280d56
> 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd
> 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e
> 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd
> 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5
>
> .Seth
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
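
Added example, not part of the original messages and not Zeek project code: one way to go from a tcmalloc report line to the addr2line call discussed in this thread, asking for function names as well as file and line. The sample log line is constructed, the function names are hypothetical, and the 0x7f prefix test assumes x86-64 Linux with a non-PIE executable, where such frames sit in shared-library mappings that addr2line cannot resolve against the main binary.

```bash
#!/usr/bin/env bash
# Constructed sample in the shape of a tcmalloc large-allocation report; the
# size and pointer are made up, the three frame addresses come from the thread.
SAMPLE='tcmalloc: large alloc 1073741824 bytes == 0x2a000000 @  0x7f72a12604ef 0x9623cf 0x8d8c90'

# Print the return addresses listed after the "@" marker, one per line.
frames_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^.*@[[:space:]]*//p' |
        tr -s ' ' '\n' |
        grep -E '^0x[0-9a-fA-F]+$'
}

# Drop frames that live in shared-library mappings.
# Assumption: x86-64 Linux and a non-PIE executable, so 12-digit addresses
# starting with 0x7f belong to libraries and show up as ??:0 when looked up
# in the main binary.
main_binary_frames() {
    while read -r addr; do
        case "$addr" in
            0x7f??????????) ;;                  # library frame, skip
            *) printf '%s\n' "$addr" ;;
        esac
    done
}

# Resolve the remaining frames against the binary ($1) for a log line ($2).
# -a echoes the address, -f adds the function name, -C demangles C++ names,
# -p prints each frame on a single line.
symbolize() {
    frames_from_line "$2" | main_binary_frames |
        xargs addr2line -a -f -C -p -e "$1"
}

# Binary path as used in the thread; override with BRO_BIN if it differs.
BRO_BIN=${BRO_BIN:-/usr/local/bro/bin/bro}
if [ -x "$BRO_BIN" ] && command -v addr2line >/dev/null 2>&1; then
    symbolize "$BRO_BIN" "$SAMPLE"
fi
```

The binary passed to `symbolize` has to be the exact build that produced the crash, with debug information, or the reported lines will not match.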
