Vlad,
It crashed again this morning. The crash on 3/29 was at 6:29 local time, and the crash this morning was at 6:27 local time. I’m not aware of anything that happens here around that time on a regular basis.
The diag looks pretty much the same:
[BroControl] > diag
[bro]
Bro 2.3-633
Linux 3.2.0-4-686-pae
No gdb installed.
==== No reporter.log
==== stderr.log
listening on eth1, capture length 8192 bytes
bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 24675 Aborted (core dumped) nohup "$mybro" "$@"
==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=
==== .status
RUNNING [net_run]
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
[BroControl] >
Here is the ssh.log, with the local addresses obfuscated:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#open 2015-03-31-06-12-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port count bool enum string string string string string string string string string string string double double
1427796767.723015 CekWob4QEqOlP0oqp8 115.239.230.133 57922 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796768.761095 Ctm96W1UH7UUMJkEhk 115.239.230.133 42380 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796773.022767 CBJCTy0vfPn8efye4 115.239.230.133 45326 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427796998.016420 CPC3hO10j08ML06CRj 115.231.218.130 56223 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss - - - - - -
1427796998.641613 CMUo9V3XqIY3J45Arl 115.231.218.130 51297 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797000.236567 C4F5Ca2TZOVL55re0i 115.231.218.130 60792 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797056.937244 CeElA5RdppTwHbR6b 183.136.216.4 34758 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797056.134247 CDKUcz2vwqwCQ6FMP 183.136.216.4 57005 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797314.991566 CPkA7E3jOaA4O3n6Zj 115.239.248.238 46652 10.10.20.217 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797315.312565 CF4kqy4fSKVNiRwHKa 115.239.248.238 34778 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797316.044014 CfKqmt3d5HTfWS7xyc 115.239.248.238 50058 10.10.24.233 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
1427797665.315966 CUdfQY3IPL1xx4UtY7 115.231.218.131 57464 10.10.20.194 22 2 - - SSH-2.0-PUTTY SSH-2.0-2.0.12 3des-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss 92:fe:da:65:a4:2e:ae:30:a4:26:a9:62:56:35:30:37 - - - - -
I can only get the core files down to about 15 meg, so they won’t attach to the ticket. Should I try sending it directly to your gmail account, so the whole list doesn’t get it?
Ted
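The assertion in the diag output is a bounds check inside the binpac-generated SSH2_KEXINIT parser: the pointer just past the 16-byte cookie must not run past the end of the data handed to the parser, and in the build shown above a failed check aborted the whole process. The stand-alone Python parser below is an added example, not Bro's or binpac's code, and performs the same bounds check on every KEXINIT field (RFC 4253 section 7.1), reporting a truncated payload instead of aborting. It also returns the name-lists that end up in the ssh.log columns cipher_alg, mac_alg, compression_alg, kex_alg and host_key_alg. The sample payload is constructed here, not captured traffic; it mirrors the algorithms the log records for the SSH-2.0-PUTTY clients.

```python
import struct

SSH_MSG_KEXINIT = 20   # RFC 4253 section 7.1
COOKIE_LEN = 16

# The ten name-lists that follow the cookie, in wire order (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


class TruncatedKexInit(ValueError):
    """The payload ends before a field it is supposed to contain."""


def _need(data: bytes, pos: int, n: int, what: str) -> int:
    """Return pos + n, or raise if that would run past the end of data.

    This is the condition the binpac assertion expresses as
    t_dataptr_after_<field> <= t_end_of_data; here it is a recoverable error.
    """
    end = pos + n
    if end > len(data):
        raise TruncatedKexInit(
            f"{what}: need {n} byte(s) at offset {pos}, only {len(data) - pos} left"
        )
    return end


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH2 KEXINIT payload (the bytes after the binary-packet framing)."""
    pos = _need(payload, 0, 1, "message type")
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError(f"message type {payload[0]} is not SSH_MSG_KEXINIT")
    end = _need(payload, pos, COOKIE_LEN, "cookie")
    fields = {"cookie": payload[pos:end].hex()}
    pos = end
    for name in NAME_LISTS:
        # Each name-list is a uint32 length followed by comma-separated ASCII names.
        end = _need(payload, pos, 4, f"{name} length")
        (length,) = struct.unpack(">I", payload[pos:end])
        pos = end
        end = _need(payload, pos, length, name)
        raw = payload[pos:end].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos = end
    end = _need(payload, pos, 1, "first_kex_packet_follows")
    fields["first_kex_packet_follows"] = payload[pos] != 0
    pos = _need(payload, end, 4, "reserved")
    fields["trailing_bytes"] = len(payload) - pos
    return fields


def check_kexinit(payload: bytes):
    """Classify instead of aborting: ('ok', fields), ('truncated', why) or ('not-kexinit', why)."""
    try:
        return "ok", parse_kexinit(payload)
    except TruncatedKexInit as exc:
        return "truncated", str(exc)
    except ValueError as exc:
        return "not-kexinit", str(exc)


def build_kexinit(cookie: bytes, lists: dict, first_kex_packet_follows: bool = False) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the sample input."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        items = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(items)) + items
    return out + bytes([int(first_kex_packet_follows)]) + struct.pack(">I", 0)


# Constructed sample (not captured traffic): a client KEXINIT offering exactly the
# algorithms the ssh.log above records for the SSH-2.0-PUTTY clients.
SAMPLE_CLIENT_KEXINIT = build_kexinit(
    cookie=bytes(range(16)),
    lists={
        "kex_algorithms": ["diffie-hellman-group1-sha1"],
        "server_host_key_algorithms": ["ssh-dss"],
        "encryption_algorithms_client_to_server": ["3des-cbc"],
        "encryption_algorithms_server_to_client": ["3des-cbc"],
        "mac_algorithms_client_to_server": ["hmac-sha1"],
        "mac_algorithms_server_to_client": ["hmac-sha1"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    },
)

if __name__ == "__main__":
    print(check_kexinit(SAMPLE_CLIENT_KEXINIT))
    # Cut the payload inside the 16-byte cookie: the same situation the
    # assertion `t_dataptr_after_cookie <= t_end_of_data` was guarding against.
    print(check_kexinit(SAMPLE_CLIENT_KEXINIT[:10]))
    # Cut it inside the first name-list instead.
    print(check_kexinit(SAMPLE_CLIENT_KEXINIT[:40]))
```

The point of `check_kexinit` is that a parser fed by a network tap must treat "the data ended early" as an input property to report, not an invariant to assert on; whether the short data came from a malformed client or from the analyzer being handed a partial message, the process should keep running.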