Core dump on a new Bro Cluster

Bro Community,

We have begun looking at the Bro NIDS here at MUSC, so I have been working on setting up a cluster on some new security infrastructure equipment. We’re running on Red Hat Enterprise Linux 5.4, 64-bit, with Bro 1.5.1 (the latest current release on the bro-ids.org download page).

I compiled and set up the cluster and then started it up with “broctl start”. My workers fired up and began collecting data from our network TAP. However, the worker with the TAP (worker-4) continues to “crash” repeatedly. If I issue a “broctl diag”, it reveals a core dump.

I ran gdb on the core file that was produced and got the same results as the diag output below.

Any ideas?

[BroControl] > status
Name       Type     Host         Status    Pid    Peers  Started
worker-4   worker   zoyd4        crashed
manager    manager  bombe4       running   3693   4      26 Jan 15:35:54
proxy-1    proxy    bombe4       running   3729   4      26 Jan 15:35:57
worker-1   worker   sigma4       running   10799  2      26 Jan 15:35:59
worker-2   worker   forensics4   running   21174  2      26 Jan 15:35:59
worker-3   worker   reaper4      running   8954   2      26 Jan 15:35:59

[BroControl] > diag worker-4
[worker-4]

==== stderr.log
pcap bufsize = 8256
listening on eth1
/var/local/bro/share/broctl/scripts/run-bro: line 73:  2837 Segmentation fault      (core dumped) nohup $tmpbro $@

==== stdout.log

==== .status
RUNNING [net_run]

==== No prof.log.

core.2837
Core was generated by `/var/local/bro/spool/tmp/bro -i eth1 -U .status -p broctl -p cluster -p local -'.
Program terminated with signal 11, Segmentation fault.
[New process 2837]
#0  FragReassembler::DeleteTimer (this=0x23219450) at Frag.h:62
62          void ClearReassembler() { f = 0; }

Thanks,

Scott Powell

Unix Systems Engineer / Information Security Analyst

Office of the CIO - Information Systems (OCIO-IS)

Medical University of South Carolina

powellsm@musc.edu