Hi,
I am using Bro version 0.7a48 on OpenBSD 2.9.
(I have made some changes to it.)
I am getting an internal error while running Bro on a specific case.
Any pointers on when an 'internal error' occurs?
If anyone could give some pointers/ideas as to what the type of error
might be, that would be helpful.
This is what gdb 'where' returned:
---------------------------------------------------------------------
internal error: bad reference count
Program received signal SIGABRT, Aborted.
0x401716ff in _thread_sys_kill ()
(gdb) where
#0 0x401716ff in _thread_sys_kill ()
#1 0x4019d680 in abort ()
#2 0x167a7 in internal_error (fmt=0x1672a "%s",
arg=0x5bc9c "bad reference count") at util.cc:233
#3 0x16746 in internal_error (msg=0x5bc9c "bad reference count")
at util.cc:224
#4 0x5bcc3 in bad_ref () at Obj.cc:124
#5 0x3e574 in Frame::Release (this=0x4355e0) at Obj.h:93
#6 0x3e536 in Frame::~Frame (this=0x4355e0, __in_chrg=3) at Frame.cc:33
#7 0x3faba in BroFunc::Call (this=0x18f480, args=0x42f740) at Obj.h:94
#8 0x2986a in EventMgr::Dispatch (this=0xbf43c) at Event.h:38
#9 0x298b9 in EventMgr::Drain (this=0xbf43c) at Event.cc:107
#10 0x59cc6 in dispatch_next_packet () at Net.cc:250
#11 0x5a21d in net_run () at Net.cc:308
#12 0x33c1 in main (argc=6, argv=0xdfbfd82c) at main.cc:372
---------------------------------------------------------------------
This happened when it received an HTTP packet.
Thanks a lot
Ashley
> when we say:
> conn_val = new RecordVal(connection_type);
>
> How many fields are there in the created record ?
8, since that's how many are defined for the corresponding type in bro.init.
> Now after that when we say...
> conn_val->Assign(12, new StringVal(tm_string)); or
> conn_val->Assign(13, new StringVal(tm_string));
I don't know where you got those lines, but they won't work if you execute
them (follow the code executed by RecordVal::Assign).
> Is the size of the record increased dynamically depending on how many
> Assigns we make ?
No. You have to manually make sure that your assignments to the record
value in the event engine are consistent with the number of fields *and their
types* as defined in bro.init.
Vern
Hi,
I have another question regarding Bro (version 07a90). I am testing the
capability of Bro to detect port scanners. Afterwards, I found other problems:
1) It doesn't detect FIN, Xmas and Null scans.
2) Bro doesn't detect the same scan twice between the same hosts on
the same ports.
3) It consumes a great quantity of memory.
To resolve the first, I have added a script to detect FIN, Xmas and Null
scans using the weird event they produce, and all works well.
To resolve the 2nd and the 3rd, I have added to scan.bro a recursive
function (that uses the Bro delete function and a table of support) to delete
the record of the table scan_triples (the table of support is also deleted).
While the first problem seems to be resolved, the second has gotten worse.
Is there a way to easily delete a subset of a table? Or another way to
reduce the memory consumption of the scan analyzer?
Thanks.
Pierfrancesco Porcu.