Core dump on a new Bro Cluster

Bro Community,

We have begun looking at the Bro NIDS here at MUSC so I have been working on setting up a cluster on some new security infrastructure equipment. We’re running on RedHat Enterprise Linux 5.4, 64-bit with Bro 1.5.1 (latest current release on the download page).

I compiled and setup the cluster and then started it up with “broctl start”. My workers fired up and began collecting data from our network TAP. However, the worker with the TAP (worker-4) continues to “crash” repeatedly. If I issue a “broctl diag” it reveals a core dump.

I ran a gdb on the core file that was produced and got the same results as the diag output below.

Any ideas?

[BroControl] > status

Name Type Host Status Pid Peers Started

worker-4 worker zoyd4 crashed

manager manager bombe4 running 3693 4 26 Jan 15:35:54

proxy-1 proxy bombe4 running 3729 4 26 Jan 15:35:57

worker-1 worker sigma4 running 10799 2 26 Jan 15:35:59

worker-2 worker forensics4 running 21174 2 26 Jan 15:35:59

worker-3 worker reaper4 running 8954 2 26 Jan 15:35:59

[BroControl] > diag worker-4


==== stderr.log

pcap bufsize = 8256

listening on eth1

/var/local/bro/share/broctl/scripts/run-bro: line 73: 2837 Segmentation fault (core dumped) nohup $tmpbro $@

==== stdout.log

==== .status

RUNNING [net_run]

==== No prof.log.


Core was generated by `/var/local/bro/spool/tmp/bro -i eth1 -U .status -p broctl -p cluster -p local -’.

Program terminated with signal 11, Segmentation fault.

[New process 2837]

#0 FragReassembler::DeleteTimer (this=0x23219450) at Frag.h:62

62 void ClearReassembler() { f = 0; }


Scott Powell

Unix Systems Engineer / Information Security Analyst

Office of the CIO - Information Systems (OCIO-IS)

Medical University of South Carolina