broclient and NOTICE()

Zeek
1

I'm having trouble feeding events to bro v1.4 using broclient. I built
broclient using the source in aux/broccoli/contrib, and configured bro
to listen for remote connections. This setup will sometime crash with
the run-time error messages like this:

1234849021.842185 run-time error: peer 10000 does not exist
1234849021.842185 /usr/local/bro/share/bro/notice.bro, line 261 (n$src_peer): internal error: field value missing

I dug a little in the source, and it seems like n$src_peer should be set
automatically by get_event_peer(), and internal function in the event
engine. Before digging deeper in the bro source, I thought I'd ask if
anyone has seen this before, or if I'm doing something obviously wrong.

Here's the relevant bro code that causes the error:

## Track ssh logins using info from syslog
@load listen-clear
@load remote

redef listen_if_clear = 127.0.0.1;
redef Remote::destinations += {
    ["syslog"] = [$host = 127.0.0.1, $events = /.*/, $connect=F],
};

redef enum Notice += { NewSSHConn };
global ssh_conns: set[string, addr, string, string] &persistent;

redef notice_policy += {
        # Email when a user logs in from a new client or using
        # a different authenticator
        [$pred(n: notice_info) =
                {
                return n$note == NewSSHConn;
                },
         $result = NOTICE_EMAIL,
         $priority = 1],
};

event ssh_login(server:string, authtype:string, user:string, client:addr) {
    if ( [server, client, user, authtype] !in ssh_conns ) {
        add ssh_conns[server, client, user, authtype];
        NOTICE([$note=NewSSHConn, $src=client,
                $msg=fmt("New SSH connection %s->%s:%s@%s",
                client, user, authtype, server)]);
    };
};

I can trigger the error with the following command:

2

Thanks for reporting this, there's already a ticket for it:
http://tracker.icir.org/bro/ticket/65

I've just added a patch to the ticket, which I hope will fix the
crash. It will however still report the run-time error. The
underlying problem is that the function get_event_peer() tries to
get information about the peer it received the event from, the
connection to that peer however has already terminated so that the
information isn't there anymore. That's a race-condition which is
generally hard to avoid as Bro's event processing is decoupled from
when an event is raised/received.

One way to work-around such race conditions is sending explicit ack
events that only terminate a connection once received, making sure
that all important events have already been processed. bro-client
however can't do that.

Let me know if the patch works for you (it's against trunk but
should also work with 1.4).

Robin

3

Robin Sommer wrote:

4

Thanks for testing, I've schedulued it for integration into the next
relase.

Robin