Hi,
I just upgraded my BRO cluster machines from ubuntu 14.02 to 16.04. I just installed the latest version of BRO on the manager. All the machines in the cluster return this:
$ bro --version
bro version 2.5-294
But when I try to run broctl on the manager to start it up again, I get this error:
$ sudo broctl
Warning: the SitePolicyStandalone option is deprecated (use SitePolicyScripts instead).
Welcome to BroControl 1.7-7
Type "help" for help.
[BroControl] > check
manager scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
proxy-1 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
proxy-2 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
... more of the same type of error ...
worker-3-16 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
worker-3-17 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
worker-3-18 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
Any suggestions for where to find the file/script with the problem?
Thanks for your help,
-Brian
Well, that's a new one.. I wonder if you have a '(' in one of your settings..
Does
broctl config | grep '('
or
grep '^[^#].*(' -r /usr/local/bro/etc/
return anything?
I was able to reproduce a similar error by adding
env_vars=foo=(bar
to the config.
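An added example (not from the thread, and not broctl's own code) that makes the failure mode above reproducible offline: broctl places option values such as BroArgs on a /bin/sh command line, so an unquoted "(" in a value is a shell syntax error, which is exactly the message "broctl check" printed. The script below runs each suspicious value through "sh -n" (parse only, no execution) against a constructed broctl.cfg fragment; the file contents and the "x" placeholder command name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: find broctl.cfg values that /bin/sh
# cannot parse. broctl puts options such as BroArgs onto a shell command
# line, so an unquoted "(" in a value produces the same
# 'Syntax error: "(" unexpected' that "broctl check" reported.

# Return 0 if VALUE can be placed on a /bin/sh command line as-is.
# -n parses without executing; "x" stands in for the program name
# (drop the 2>/dev/null to see the shell's own error text).
value_parses() {
    sh -n -c "x $1" 2>/dev/null
}

# Scan a broctl.cfg-style file and print "BAD key" or "OK key" for every
# non-comment "key = value" line whose value contains a "(".
scan_cfg() {
    grep '^[^#]*(' "$1" | while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        if value_parses "$value"; then
            printf 'OK  %s\n' "$key"
        else
            printf 'BAD %s\n' "$key"
        fi
    done
}

# Write a constructed broctl.cfg fragment (not the poster's real file) to $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample: two values with an unquoted "("
MailTo = root@localhost
BroArgs = -f (net 128.252.0.0/16 or net 65.254.96.0/19)
env_vars = foo=(bar
SitePolicyScripts = local.bro
EOF
}

# The same BroArgs value with the missing single quotes put back parses fine.
FIXED_BROARGS="-f '(net 128.252.0.0/16 or net 65.254.96.0/19)'"

cfg=$(mktemp)
write_sample_cfg "$cfg"
scan_cfg "$cfg"
value_parses "$FIXED_BROARGS" && echo "fixed BroArgs: OK"
rm -f "$cfg"
```

Run it against the real file with scan_cfg /usr/local/bro/etc/broctl.cfg; any line reported BAD needs quoting, as the BroArgs line in the next reply did.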
That helped! In broctl.cfg I had to fix this line. The single quotes were missing.
BroArgs = -f '(net 128.252.0.0/16 or net 65.254.96.0/19)'
But now when I start up the cluster (and it does start up, which is good) the workers are all running at 100%, which is not normal on these boxes. It should be around 50%. That seems like pf_ring is not running, but I keep checking and pf_ring is installed and loaded.
Hyperthreading is still disabled. That didn’t change after the upgrade.
What could have changed after the upgrade to cause the cpus to run at 100%? I still think there is something wrong with pf_ring, but I’m not seeing it. I just built another BRO cluster for our research network on ubuntu 14.04 servers and got pf_ring and bro running there no problem.
Thanks for your help,
-Brian
Yes.. it's likely that bro is not using pf_ring properly.
What does this output?
broctl exec "ldd `which bro`|grep pcap"
You should see lines like
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1
and not the normal libpcap in /usr/lib
If you look at your conn.log you also may see the same exact connection logged once for each worker that you are running.
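An added example (not from the thread) that scripts both checks from this reply: pick the libpcap that bro links against out of ldd output, and count connections that appear more than once in conn.log. The ldd lines and conn.log records are constructed samples, and the /opt/pfring prefix is the one assumed above for a PF_RING build of libpcap; adjust it to wherever your PF_RING install lives.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed ldd output and conn.log
# records; /opt/pfring is the assumed PF_RING prefix from the reply above.

# Print the path libpcap resolves to, reading ldd output from stdin.
pcap_path() {
    awk '$1 ~ /^libpcap\.so/ && $2 == "=>" { print $3 }'
}

# Return 0 if libpcap comes from the PF_RING prefix, 1 if it is the
# distribution's libpcap (bro then reads every packet on every worker).
pfring_pcap_ok() {
    case "$(pcap_path)" in
        /opt/pfring/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a Bro conn.log (tab-separated, "#fields" header) from stdin and print
# "count<TAB>ts orig_h orig_p resp_h resp_p proto" for every connection seen
# more than once. Without PF_RING's kernel-side load balancing each worker
# sees every packet, so a flow is logged once per worker, each with its own uid.
dup_connections() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            key = $(col["ts"]) " " $(col["id.orig_h"]) " " $(col["id.orig_p"])
            key = key " " $(col["id.resp_h"]) " " $(col["id.resp_p"]) " " $(col["proto"])
            n[key]++
        }
        END { for (k in n) if (n[k] > 1) print n[k] "\t" k }
    '
}

# Constructed ldd output for a bro binary built against PF_RING's libpcap.
sample_ldd() {
    printf '\tlibpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f0000000000)\n'
    printf '\tlibssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000100000)\n'
}

# Constructed conn.log: one flow logged by three workers, one logged once.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
    printf '1500000000.000000\tCAaaa1\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n'
    printf '1500000000.000000\tCBbbb2\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n'
    printf '1500000000.000000\tCCccc3\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n'
    printf '1500000001.000000\tCDddd4\t10.0.0.7\t51001\t192.0.2.11\t80\ttcp\n'
}

sample_ldd | pfring_pcap_ok && echo "libpcap: PF_RING build"
sample_conn_log | dup_connections
```

On a live cluster feed the real output in instead: ldd "$(which bro)" | pfring_pcap_ok on each node, and dup_connections < /usr/local/bro/logs/current/conn.log on the manager; a flow count equal to the number of workers is the tell-tale.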