Broctl segmentation fault

Hello,

After any build of Bro with Broctl 1.7, I’m experiencing the below error when broctl/scripts/check-config is run…

    /opt/bro/share/broctl/scripts/check-config: line 50: 4463 Segmentation fault "${bro}" $check_option "$@"

Anyone encountered this before? Cannot bypass doing broctl check – broctl start results in failed/crashed processes.

This is on RHEL7.5, after building Bro-2.5.5 (I’ve tried other minor versions since 2.5 – same issue).

Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 works fine.

Any help would be greatly appreciated.

V/R

Sean Hutchison

check runs bro with the current configuration to see if it can start, so that's bro segfaulting there. That's why start also fails.

What do you get if you try each of the following?

    bro -v
    bro -NN # just see if this runs or crashes
    bro -b -i lo
    bro -i lo
    bro -i lo local

You can hit control-c if any of those start successfully to get your prompt back.

I'm not aware of any issues like this, so it could be something with your configuration.

Do you have a customized local.bro at all?
Are you building bro against a particular libpcap or malloc implementation?
What does ldd /opt/bro/bin/bro output?

    # bro -v
    bro version 2.5.5

    # bro -NN
    Segmentation fault

    # bro -b -i lo
    listening on lo

    ^C1538653437.070325 received termination signal
    1538653437.070325 208 packets received on interface lo, 0 dropped

    # bro -i lo
    Segmentation fault

    # bro -i lo local
    Segmentation fault

    # ldd /opt/bro/bin/bro
        linux-vdso.so.1 => (0x00007fff99dfd000)
        libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000)
        libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000)
        libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007f148dd9b000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f148cb42000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f148c423000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f148c215000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f148c011000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000)

No custom scripts being loaded via local.bro
Nothing in particular - did yum install/update of RedHat-based dependencies according to https://www.bro.org/sphinx/install/install.html#required-dependencies
Although I did build it against pfring first, using yum package from ntop repo - same issue, have since removed that and did regular build

Only configure switch was --prefix.

V/R
Sean

Hi,

Is there a chance that you have binary plugins installed (netmap plugin, a few bro-pkg ones)?

They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead).

If that is the case - either recompiling or removing the binary plugins will fix this.

Johanna
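
Added example, not part of the thread or of Bro itself: a shell triage for the case described above, where `bro -NN` segfaults because of a binary plugin. It assumes plugins live under `<prefix>/lib/bro/plugins`, each marked by a `__bro_plugin__` file whose first line is the plugin name. As a heuristic it flags plugins whose shared objects are not newer than the `bro` binary, and it treats exit status 139 as a segfault.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: plugins under
# <prefix>/lib/bro/plugins, each with a __bro_plugin__ marker file.

# Map an exit status to a verdict; 139 = 128 + SIGSEGV (11).
classify_status() {
    case $1 in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "error($1)" ;;
    esac
}

# Print the name of each plugin under $2 that has a shared object not newer
# than the bro binary $1, i.e. one likely built against an earlier Bro.
stale_plugins() {
    bro_bin=$1
    find "$2" -type f -name '__bro_plugin__' | sort |
    while IFS= read -r marker; do
        old=$(find "$(dirname "$marker")" -type f -name '*.so' ! -newer "$bro_bin")
        if [ -n "$old" ]; then
            head -n 1 "$marker"
        fi
    done
}

# Run "bro -NN"; if it segfaults, list the plugins to rebuild or remove.
check_bro_plugins() {
    status=0
    "$1" -NN >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    echo "bro -NN: $verdict"
    if [ "$verdict" = segfault ]; then
        stale_plugins "$1" "$2"
    fi
}

# Usage: sh triage.sh /opt/bro/bin/bro /opt/bro/lib/bro/plugins
if [ $# -eq 2 ]; then
    check_bro_plugins "$1" "$2"
fi
```
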

Yes, and I just removed the Bro Kafka plugin and no more error!

Thank you so much.

V/R
Sean

If you don’t mind, can you share the steps you took to build and install the plug-in? What version?

Jon

Ya, first install librdkafka (there’s probably a newer version – make sure it supports your Kafka broker version) …

    curl --silent -L -k https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz
    cd librdkafka-0.9.5
    ./configure
    make
    make install

Then get bro-plugins repo and build kafka plugin against version of Bro you’re using by pointing it to where you extracted bro source…

    git clone https://github.com/bro/bro-plugins.git
    cd bro-plugins/kafka/
    ./configure --bro-dist=/path/to/bro-2.#.#
    make && make install

Confirm with…

    bro -N Bro::Kafka

See https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html for example configurations.

V/R

Sean

Sounds like you are looking at a very old version of the plugin, since bro/bro-plugins has been completely deprecated at this point. Can you use bro-pkg to install apache/metron-bro-plugin-kafka? It should be a bit more robust and up to date. Let me know if you have any issues when taking this approach.

Jon

Well, we don’t really have a need to use the bro kafka plugin currently – it was just for a bit of testing previously – but I can use bro-pkg in the future or for other plugins/scripts.

V/R

Sean

Gotcha, yeah please do as that is the most updated code and includes some baseline btests (with more coming in the near future). Feel free to reach out to me via the list if you have any questions/concerns/issues on it - thanks!

Jon