A couple of folks have suggested I run this with gdb and get a backtrace to post here. Here is a quick gdb session with a backtrace of when I run bro -i dnacluster:21@0:
# gdb /nsm/bro/bin/bro
GNU gdb (GDB) SLES Expanded Support platform (7.2-75.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /nsm/bro/bin/bro...done.
(gdb) run -i dnacluster:21@0
Starting program: /nsm/bro/bin/bro -i dnacluster:21@0
[Thread debugging using libthread_db enabled]
listening on dnacluster:21@0, capture length 8192 bytes
[New Thread 0x7fff20fd0700 (LWP 36513)]
[New Thread 0x7fff1bfff700 (LWP 36514)]
[New Thread 0x7fff1b5fe700 (LWP 36515)]
[New Thread 0x7fff1abfd700 (LWP 36516)]
[New Thread 0x7fff1a1fc700 (LWP 36517)]
[New Thread 0x7fff197fb700 (LWP 36518)]
[New Thread 0x7fff18dfa700 (LWP 36519)]
[New Thread 0x7fff03fff700 (LWP 36520)]
[New Thread 0x7fff035fe700 (LWP 36521)]
[New Thread 0x7fff02bfd700 (LWP 36522)]
[New Thread 0x7fff021fc700 (LWP 36523)]
[New Thread 0x7fff017fb700 (LWP 36524)]
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7959506 in pcap_read_packet (handle=0x2631640, callback=0x7ffff795d720 <pcap_oneshot>, userdata=0x7fffffffda20 "p\025c\002") at ./pcap-linux.c:1807
1807 ./pcap-linux.c: No such file or directory.
in ./pcap-linux.c
Missing separate debuginfos, use: debuginfo-install
GeoIP-1.5.1-5.el6.x86_64 glibc-2.12-1.149.el6_6.5.x86_64
keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-33.el6.x86_64
libcom_err-1.41.12-21.el6.x86_64 libgcc-4.4.7-11.el6.x86_64
libselinux-2.0.94-5.8.el6.x86_64 libstdc++-4.4.7-11.el6.x86_64
numactl-2.0.9-2.el6.x86_64 openssl-1.0.1e-30.el6_6.5.x86_64
zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007ffff7959506 in pcap_read_packet (handle=0x2631640, callback=0x7ffff795d720 <pcap_oneshot>, userdata=0x7fffffffda20 "p\025c\002") at ./pcap-linux.c:1807
#1  0x00007ffff795d79b in pcap_next (p=<value optimized out>, h=<value optimized out>) at ./pcap.c:218
#2  0x0000000000a4a490 in iosource::pcap::PcapSource::ExtractNextPacket (this=0x2631430, pkt=0x2631468) at /nsm/bro/git/bro2.3-419/bro/src/iosource/pcap/Source.cc:151
#3  0x0000000000a7580c in iosource::PktSrc::ExtractNextPacketInternal (this=0x2631430) at /nsm/bro/git/bro2.3-419/bro/src/iosource/PktSrc.cc:432
#4  0x0000000000a7511b in iosource::PktSrc::NextTimestamp (this=0x2631430, local_network_time=0x7fffffffdcb8) at /nsm/bro/git/bro2.3-419/bro/src/iosource/PktSrc.cc:241
#5  0x0000000000a71193 in iosource::Manager::FindSoonest (this=0xf29bc0, ts=0x7fffffffddc8) at /nsm/bro/git/bro2.3-419/bro/src/iosource/Manager.cc:82
#6  0x00000000007895d1 in net_run () at /nsm/bro/git/bro2.3-419/bro/src/Net.cc:301
#7  0x00000000006d8ed7 in main (argc=3, argv=0x7fffffffe498) at /nsm/bro/git/bro2.3-419/bro/src/main.cc:1200
On 2/24/2015 1:20 PM, John Donnelly wrote:
> Can you use gdb to get a backtrace?
>
> ...
>
> ---------- Forwarded message ----------
> From: Gary Faulkner <gfaulkner.nsm(a)gmail.com>
> Date: Tue, Feb 24, 2015 at 12:23 PM
> Subject: [Bro] Bro 2.3.2-419 segfaults when using PF_RING 6.0.3 libpcap
> 1.6.2 and pfdnacluster_master on RHEL 6.6
> To: "bro(a)bro.org List" <bro(a)bro.org>
>
>
> Hello,
>
> I’m having trouble getting Bro to run with PF_RING after updating from RHEL
> 6.5 to RHEL 6.6. The PF_RING aware drivers (DNA/ZC etc) in the “stable”
> 6.0.2 branch of PF_RING don’t appear to compile correctly on RHEL 6.6,
> which necessitated a move to the latest 6.0.3 development branch
> (rev.9009). This version compiles fine and I have it working with both
> Suricata and nprobe, but can’t get it working with Bro. Bro doesn’t seem to
> be able to open the dnacluster:21@0 etc interfaces with the new version.
> Specifically bro segfaults when calling the PF_RING version of
> libpcap.so.1.6.2, which is a new version of libpcap in 6.0.3. Previously
> libpcap was 1.1.1. I have also tried to compile PF_RING 6.0.2 stable on
> RHEL 6.6 with the newer drivers, but the version of pfdnacluster_master
> that ships with PF_RING 6.0.2 stable (that uses the older libpcap) will
> silently crash on RHEL 6.6. I’ve attached the output of a broctl diag to
> this email. Typically when I've seen an error where bro can’t listen on
> dnacluster in the past it has been due to the interface already being in
> use, bro not being able to find pfring, or not compiling against the
> correct libpcap. I’ve verified this isn’t the case to the best of my
> ability (no other libpcap on the system, fresh dna driver load and instance
> of pfdnacluster_master, pfring in $PATH etc). I’ve also verified that I can
> see packets on the dnacluster interfaces by testing with pfcount. It looks
> like perhaps bro doesn’t like the new version of libpcap. I have tried
> compiling and running bro with debugging enabled, but bro seems to crash on
> the workers without generating anything in the various debug.log files. Any
> thoughts?
>
> Here are example error messages from /var/log/messages:
>
> kernel: bro[1653]: segfault at 1371670 ip 00007f5a9e7f0660 sp 00007fff8714b300 error 4 in libpcap.so.1.6.2[7f5a9e7d9000+90000]
> kernel: bro[1643]: segfault at 1371670 ip 00007ff16d19b660 sp 00007fff81eea9a0 error 4 in libpcap.so.1.6.2[7ff16d184000+90000]
> kernel: bro[1656]: segfault at 1371670 ip 00007fcf3c6cf660 sp 00007fff3e1789b0 error 4 in libpcap.so.1.6.2[7fcf3c6b8000+90000]
> kernel: bro[1644]: segfault at 1 ip 00007f5932268506 sp 00007fffcd3ea0b0 error 4 in libpcap.so.1.6.2[7f5932251000+90000]
> kernel: bro[1642]: segfault at 1 ip 00007ff3d1c83506 sp 00007fff468f4930 error 4 in libpcap.so.1.6.2[7ff3d1c6c000+90000]
> kernel: bro[1658]: segfault at 1371670 ip 00007f53584f2660 sp 00007ffff89515f0 error 4 in libpcap.so.1.6.2[7f53584db000+90000]
> kernel: bro[1652]: segfault at 1371670 ip 00007f158fbc7660 sp 00007fff14aa7e20 error 4 in libpcap.so.1.6.2[7f158fbb0000+90000]
> kernel: bro[1660]: segfault at 1371670 ip 00007f2fee8e7660 sp 00007ffff9dacaf0 error 4 in libpcap.so.1.6.2[7f2fee8d0000+90000]
> kernel: bro[1641]: segfault at 1 ip 00007f32fbc48506 sp 00007fff7d9b2a00 error 4 in libpcap.so.1.6.2[7f32fbc31000+90000]
> kernel: bro[1662]: segfault at b836210 ip 00007f5c9d669660 sp 00007fff71636fb0 error 4 in libpcap.so.1.6.2[7f5c9d652000+90000]
> kernel: bro[4220]: segfault at 1371670 ip 00007f6d35299660 sp 00007fff4d896940 error 4 in libpcap.so.1.6.2[7f6d35282000+90000]
> kernel: bro[4465]: segfault at 1371670 ip 00007f202ff75660 sp 00007fff04fff8c0 error 4 in libpcap.so.1.6.2[7f202ff5e000+90000]
> kernel: bro[4710]: segfault at 1371670 ip 00007fd8bc794660 sp 00007fff33041db0 error 4 in libpcap.so.1.6.2[7fd8bc77d000+90000]
> kernel: bro[7873]: segfault at 1371670 ip 00007ffc910f2660 sp 00007fff1b5ba1b0 error 4 in libpcap.so.1.6.2[7ffc910db000+90000]
> kernel: bro[8065]: segfault at 1371670 ip 00007ffaa5c8f660 sp 00007fff3cdde390 error 4 in libpcap.so.1.6.2[7ffaa5c78000+90000]
> kernel: bro[8257]: segfault at 63745e0 ip 00007ff913224660 sp 00007fff297ca2f0 error 4 in libpcap.so.1.6.2[7ff91320d000+90000]
> kernel: bro[8446]: segfault at 1371670 ip 00007f0a1c567660 sp 00007fffdf059910 error 4 in libpcap.so.1.6.2[7f0a1c550000+90000]
> kernel: bro[8638]: segfault at 1371670 ip 00007f50982af660 sp 00007fff703caa30 error 4 in libpcap.so.1.6.2[7f5098298000+90000]
> kernel: bro[8835]: segfault at 1371670 ip 00007f1b4acd2660 sp 00007fffacc16630 error 4 in libpcap.so.1.6.2[7f1b4acbb000+90000]
> kernel: bro[9036]: segfault at 1 ip 00007f10df91b506 sp 00007fff5ac3e320 error 4 in libpcap.so.1.6.2[7f10df904000+90000]
>
> Regards,
> Gary
>
>
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
Get the latest Bro news here:
http://blog.bro.org/2015/02/bro-monthly-4.html
- The Bro Team
--
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris(a)bro.org
Hi all, I have followed the instructions contained in https://www.bro.org/sphinx-git/frameworks/logging.html#filtering to create a new field output. I have noticed that the fields you choose to include cannot be re-ordered for display. For example, if I put the 'ts' field in the first position like this:
local filter: Log::Filter = [$name="orig-only", $path="origs", $include=set("id.orig_h","ts")];
the record displays with it in the first position. I assume this is because the include set is just a toggle that does not affect display order, which is based on the field position in INFO. How do I re-order the fields for display? Is this done in the writer?
Thanks!
-- Eric --
I am running multiple bro workers in the same CPU, and would like to create different log and spool directories for each worker to avoid conflicts. Is there a worker specific meta variable I could use in the broctl.cfg file so that when broctl creates log and spool directories, it uses different file names for different workers?
Alternatively, is there a way for all of the workers to use the same log and spool directories without conflicts? Currently, if I do that, I see workers crashing.
Thanks,
Raj
Is there some kind of explanation page that describes the meaning of
all the different notifications that can be found in weird.log?
Specifically I want to learn what SYN_seq_jump means.
Thanks.
Bro seems to complete the configure step, but I'm seeing a couple of 'not
found' and 'Failed' messages when tests are run in the configure
step and am wondering if these are errors that can be ignored or if I
need to fix them first. This is on RHEL 6.6. I'm using the PF_RING
libpcap, and the system libpcap is not installed.
-- Performing Test ns_initparse_works_none - Failed
-- Performing Test res_mkquery_works_none - Failed
-- Looking for htonll - not found
-- Looking for include file sys/ethernet.h - not found
-- Looking for include file net/ethertypes.h - not found
-- Looking for include file os-proto.h - not found
-- Performing Test HAVE_READLINE_HISTORY_ENTRIES - Failed
-- Performing Test SIN_LEN - Failed
-- Looking for IPPROTO_IPV4 - not found
-- Performing Test DO_SOCK_DECL - Failed
-- Performing Test SYSLOG_INT - Failed
-- Looking for include file pcap-int.h - not found
-- Performing Test LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER - Failed
I ended up installing readline-devel (no readline.h or history.h) and
having to reinstall BIND (missing libresolv.a) at some point to resolve
a few other not found issues. I'm not sure why the build script isn't
finding pcap-int.h. I've manually added the pfring location of this file
to my path and library path, but it doesn't seem to be finding the
header file. I don't recall seeing some of these issues in previous
builds, so I'm wondering if there are some new dependencies or perhaps
if a recent update from RHEL 6.5 to 6.6 resulted in some weird issues.
Hello,
I’m having trouble getting Bro to run with PF_RING after updating from
RHEL 6.5 to RHEL 6.6. The PF_RING aware drivers (DNA/ZC etc) in the
“stable” 6.0.2 branch of PF_RING don’t appear to compile correctly on
RHEL 6.6, which necessitated a move to the latest 6.0.3 development
branch (rev.9009). This version compiles fine and I have it working with
both Suricata and nprobe, but can’t get it working with Bro. Bro doesn’t
seem to be able to open the dnacluster:21@0 etc interfaces with the new
version. Specifically bro segfaults when calling the PF_RING version of
libpcap.so.1.6.2, which is a new version of libpcap in 6.0.3. Previously
libpcap was 1.1.1. I have also tried to compile PF_RING 6.0.2 stable on
RHEL 6.6 with the newer drivers, but the version of pfdnacluster_master
that ships with PF_RING 6.0.2 stable (that uses the older libpcap) will
silently crash on RHEL 6.6. I’ve attached the output of a broctl diag to
this email. Typically when I've seen an error where bro can’t listen on
dnacluster in the past it has been due to the interface already being in
use, bro not being able to find pfring, or not compiling against the
correct libpcap. I’ve verified this isn’t the case to the best of my
ability (no other libpcap on the system, fresh dna driver load and
instance of pfdnacluster_master, pfring in $PATH etc). I’ve also verified
that I can see packets on the dnacluster interfaces by testing with
pfcount. It looks like perhaps bro doesn’t like the new version of
libpcap. I have tried compiling and running bro with debugging enabled,
but bro seems to crash on the workers without generating anything in the
various debug.log files. Any thoughts?
Here are example error messages from /var/log/messages:
kernel: bro[1653]: segfault at 1371670 ip 00007f5a9e7f0660 sp 00007fff8714b300 error 4 in libpcap.so.1.6.2[7f5a9e7d9000+90000]
kernel: bro[1643]: segfault at 1371670 ip 00007ff16d19b660 sp 00007fff81eea9a0 error 4 in libpcap.so.1.6.2[7ff16d184000+90000]
kernel: bro[1656]: segfault at 1371670 ip 00007fcf3c6cf660 sp 00007fff3e1789b0 error 4 in libpcap.so.1.6.2[7fcf3c6b8000+90000]
kernel: bro[1644]: segfault at 1 ip 00007f5932268506 sp 00007fffcd3ea0b0 error 4 in libpcap.so.1.6.2[7f5932251000+90000]
kernel: bro[1642]: segfault at 1 ip 00007ff3d1c83506 sp 00007fff468f4930 error 4 in libpcap.so.1.6.2[7ff3d1c6c000+90000]
kernel: bro[1658]: segfault at 1371670 ip 00007f53584f2660 sp 00007ffff89515f0 error 4 in libpcap.so.1.6.2[7f53584db000+90000]
kernel: bro[1652]: segfault at 1371670 ip 00007f158fbc7660 sp 00007fff14aa7e20 error 4 in libpcap.so.1.6.2[7f158fbb0000+90000]
kernel: bro[1660]: segfault at 1371670 ip 00007f2fee8e7660 sp 00007ffff9dacaf0 error 4 in libpcap.so.1.6.2[7f2fee8d0000+90000]
kernel: bro[1641]: segfault at 1 ip 00007f32fbc48506 sp 00007fff7d9b2a00 error 4 in libpcap.so.1.6.2[7f32fbc31000+90000]
kernel: bro[1662]: segfault at b836210 ip 00007f5c9d669660 sp 00007fff71636fb0 error 4 in libpcap.so.1.6.2[7f5c9d652000+90000]
kernel: bro[4220]: segfault at 1371670 ip 00007f6d35299660 sp 00007fff4d896940 error 4 in libpcap.so.1.6.2[7f6d35282000+90000]
kernel: bro[4465]: segfault at 1371670 ip 00007f202ff75660 sp 00007fff04fff8c0 error 4 in libpcap.so.1.6.2[7f202ff5e000+90000]
kernel: bro[4710]: segfault at 1371670 ip 00007fd8bc794660 sp 00007fff33041db0 error 4 in libpcap.so.1.6.2[7fd8bc77d000+90000]
kernel: bro[7873]: segfault at 1371670 ip 00007ffc910f2660 sp 00007fff1b5ba1b0 error 4 in libpcap.so.1.6.2[7ffc910db000+90000]
kernel: bro[8065]: segfault at 1371670 ip 00007ffaa5c8f660 sp 00007fff3cdde390 error 4 in libpcap.so.1.6.2[7ffaa5c78000+90000]
kernel: bro[8257]: segfault at 63745e0 ip 00007ff913224660 sp 00007fff297ca2f0 error 4 in libpcap.so.1.6.2[7ff91320d000+90000]
kernel: bro[8446]: segfault at 1371670 ip 00007f0a1c567660 sp 00007fffdf059910 error 4 in libpcap.so.1.6.2[7f0a1c550000+90000]
kernel: bro[8638]: segfault at 1371670 ip 00007f50982af660 sp 00007fff703caa30 error 4 in libpcap.so.1.6.2[7f5098298000+90000]
kernel: bro[8835]: segfault at 1371670 ip 00007f1b4acd2660 sp 00007fffacc16630 error 4 in libpcap.so.1.6.2[7f1b4acbb000+90000]
kernel: bro[9036]: segfault at 1 ip 00007f10df91b506 sp 00007fff5ac3e320 error 4 in libpcap.so.1.6.2[7f10df904000+90000]
Regards,
Gary
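The kernel "segfault at ... ip ... sp ... error N in lib[base+size]" lines above carry more than "it crashed in libpcap": the base and size of the mapping let you subtract ASLR and recover the file offset of the faulting instruction, and the error code says what kind of access faulted. The following decoder is an added example for this thread; it is not code from Gary, the other posters, or the Bro or PF_RING projects. The sample log embedded in it is a subset of the /var/log/messages lines quoted in the post above, rejoined onto one line each (the mail wraps them); the path given to addr2line in the output is a placeholder.

```python
"""Decode kernel 'segfault at ... in lib[base+size]' lines and group them by
crash site, i.e. by (library, offset of the instruction pointer inside it).

Added example for this mailing-list thread; not code from the posters, Bro or PF_RING.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the /var/log/messages lines quoted in
# the post above, each rejoined onto a single line.
SAMPLE_LOG = """\
kernel: bro[1653]: segfault at 1371670 ip 00007f5a9e7f0660 sp 00007fff8714b300 error 4 in libpcap.so.1.6.2[7f5a9e7d9000+90000]
kernel: bro[1643]: segfault at 1371670 ip 00007ff16d19b660 sp 00007fff81eea9a0 error 4 in libpcap.so.1.6.2[7ff16d184000+90000]
kernel: bro[1644]: segfault at 1 ip 00007f5932268506 sp 00007fffcd3ea0b0 error 4 in libpcap.so.1.6.2[7f5932251000+90000]
kernel: bro[1642]: segfault at 1 ip 00007ff3d1c83506 sp 00007fff468f4930 error 4 in libpcap.so.1.6.2[7ff3d1c6c000+90000]
kernel: bro[1662]: segfault at b836210 ip 00007f5c9d669660 sp 00007fff71636fb0 error 4 in libpcap.so.1.6.2[7f5c9d652000+90000]
kernel: bro[8257]: segfault at 63745e0 ip 00007ff913224660 sp 00007fff297ca2f0 error 4 in libpcap.so.1.6.2[7ff91320d000+90000]
kernel: bro[9036]: segfault at 1 ip 00007f10df91b506 sp 00007fff5ac3e320 error 4 in libpcap.so.1.6.2[7f10df904000+90000]
"""

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(err):
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "present": bool(err & 1),      # False: page not mapped; True: protection violation
        "write": bool(err & 2),        # False: read access; True: write access
        "user": bool(err & 4),         # True: fault taken in user mode
        "reserved_bit": bool(err & 8),
        "instr_fetch": bool(err & 16),
    }


def parse_segfault(line):
    """Return a dict for one kernel segfault line, or None if the line is not one."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
    # ASLR moves the library per process, so the raw ip differs in every crash;
    # ip - base is the stable offset that addr2line/objdump want.
    offset = ip - base if base <= ip < base + size else None
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": int(m.group("addr"), 16),
        "lib": m.group("lib"),
        "offset": offset,
        "error": decode_error(int(m.group("err"))),
    }


def crash_sites(log_text):
    """Group parsed lines by (library, offset); lines whose ip lies outside the mapping are skipped."""
    sites = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_segfault(line)
        if rec and rec["offset"] is not None:
            sites[(rec["lib"], rec["offset"])].append(rec)
    return dict(sites)


def summarize(log_text):
    """One row per crash site: (lib, offset, hit count, sorted distinct faulting addresses)."""
    rows = []
    for (lib, off), recs in crash_sites(log_text).items():
        rows.append((lib, off, len(recs), sorted({r["fault_addr"] for r in recs})))
    return sorted(rows, key=lambda r: (-r[2], r[1]))


if __name__ == "__main__":
    for lib, off, hits, addrs in summarize(SAMPLE_LOG):
        faults = ", ".join(hex(a) for a in addrs)
        print(f"{lib}+0x{off:x}: {hits} crash(es), faulting address(es) {faults}")
        # /path/to/ is a placeholder: use the exact PF_RING libpcap build bro loaded.
        print(f"  resolve with: addr2line -f -e /path/to/{lib} 0x{off:x}")
```

Run over the full list in the mail, every line lands on one of two sites in libpcap.so.1.6.2: offset 0x17660 (faulting on heap-looking addresses such as 0x1371670) and offset 0x17506 (faulting on address 0x1, i.e. a read through a pointer whose value is 1 or a NULL pointer plus a 1-byte offset). Error 4 on all of them decodes to a user-mode read of an unmapped page. The gdb session above stops at ip 0x00007ffff7959506 inside pcap_read_packet; its low bits match the 0x17506 group, which is consistent with that group being the same crash. To turn an offset into a source line, pass it to addr2line or objdump against the same PF_RING libpcap build that bro actually loaded (check with ldd on the bro binary), not the distribution's libpcap.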
Is there a way to add Worker source to all bro logs?
I was able to do this with the conn.log, but if i try others, bad things
happen. Can someone help?
redef record Conn::Info += {
	## Name of the node that saw the connection (peer_description is set per node).
	peer_descr: string &default="unknown" &log;
};

event connection_state_remove(c: connection)
	{
	c$conn$peer_descr = peer_description;
	}
--
Regards,
Matt Clemons
Bro Community,
BroCon '15 registration is now open. You may register here:
https://www.regonline.com/brocon2015
We have reserved a block of hotel rooms for the event. For more
information about hotel accommodations and other updates, see the event
page:
https://www.bro.org/community/brocon2015.html
Thanks for your continued support, see you in August!
Regards,
The Bro Team
------
Jeannette M. Dopheide
Bro Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
I've been tinkering with the scan detection in Bro (2.3.2) and I was
wondering if this was the most effective method for whitelisting hosts:
const scanners_whitelist: set[addr] = {
	# x.x.x.x,   # addresses allowed to scan; fill in the real hosts here
} &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Scan::Port_Scan && n?$src && n$src in scanners_whitelist )
		{
		print n$src;
		# Drop only the log action so the notice does not reach notice.log.
		delete n$actions[Notice::ACTION_LOG];
		}
	}
Please let me know if there's a better/more efficient method. Thanks!
Mike