[Zeek] tcmalloc large alloc

Rogers, Zach Zach.Rogers at oregonstate.edu
Sat May 18 16:34:05 PDT 2019


Thanks Justin! I will see if we can do some testing on our end – If so I will report back.


--
Zach Rogers
Lead Security Analyst
Security and Network Monitoring
Oregon Research & Teaching Security Operations Center (ORTSOC)
Phone: 541.737.7723
GPG Fingerprint: ECC5 03A6 7E91 17C6 50C6 8FAC D6A0 8001 2869 BD52


From: Justin Azoff <justin at corelight.com>
Date: Saturday, May 18, 2019 at 4:32 PM
To: "Rogers, Zach" <Zach.Rogers at oregonstate.edu>
Cc: Seth Hall <seth at corelight.com>, "Nead-Work, Alexander" <Alexander.Nead-Work at oregonstate.edu>, "zeek at zeek.org" <zeek at zeek.org>
Subject: Re: [Zeek] tcmalloc large alloc

There's an issue here: https://github.com/zeek/zeek/issues/245

I believe the problem was fixed with https://github.com/zeek/zeek/commit/78dcbcc71ac09d3dd8a213f658ee8e794bb1bcd9 or https://github.com/zeek/zeek/commit/6598fe991d26bd15e483fcd96ea72bb161143d4e but it has not been confirmed yet.

On Sat, May 18, 2019 at 7:05 PM Rogers, Zach <Zach.Rogers at oregonstate.edu> wrote:
Hey Seth,

Did you have a chance to look into this?

If anyone else has any input that would be helpful as well!

All the best,

--
Zach Rogers

On 3/27/19, 10:57 AM, "Seth Hall" <seth at corelight.com> wrote:



    On 27 Mar 2019, at 11:54, Zander Work wrote:

    > The first two showing ??:0 makes sense b/c those are memory addresses.
    > It looks like the PE analyzer might be the culprit but I'm not sure.

    Yep, I knew the first two would look like that.  It's ASLR being applied
    to glibc function (which is fine and not what I was interested in
    anyway).  It did end up showing what I expected it to.  I'll look around
    a little bit and see if anything makes sense.

    Thanks!
       .Seth

    --
    Seth Hall * Corelight, Inc * www.corelight.com




--
Justin