Running Bro on Alpine

Hello,

I’m trying to compile and run Bro on Alpine Linux and I’m having an issue with broctl crashing.

Out of the box, running ./configure and make using the bro 2.5.5 source, I get a bunch of errors like “‘u_char’ does not name a type” [1].

I found this project for compiling Bro on Alpine [2]. The build-bro.sh script includes two patch files and a cmake file [3]. Manually applying those three files gets Bro to the point where it compiles successfully.

Bro will run fine from the command line, but running broctl it crashes almost immediately [4]. Broctl reports Bro as crashed, but it briefly produces all the log files I’d expect (conn, dns, etc). There’s nothing useful in the stdout, stderr or reporter logs.

I built bro with --enable-debug, I’ve got gdb installed, and I set “ulimit -c unlimited” but I don’t see a crash dump anywhere.

In the absence of any error messages I’m unsure on how to proceed. Can anyone recommend next steps?

thanks,
Mike

[1] see compile error.txt (attached)
[2] https://github.com/danielguerra69/docker-bro-1
[3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
[4] see broctl crash.txt (attached)


Check out

For alpine linux you need some patches

https://github.com/blacktop/docker-bro/tree/master/2.5

Regards,

Daniel

Daniel,

Thanks for the help. I rebuilt bro with those patches (although they look identical to the ones I referenced earlier), making sure to grab all the dependencies listed in the docker file.

I’m still seeing broctl report that bro crashed. However, what I failed to notice before is that there are actually several bro processes running and bro is still producing logs even when broctl reports it has crashed.

I suppose I could roll my own scripts to start and stop bro, but I’d prefer to actually get broctl working on alpine. Any ideas as to why it’s reporting inaccurate information?

thanks,
Mike

First, I suggest running "broctl stop". Next, make sure there
are no more bro processes running on your machine by
running "broctl ps.bro". This command shows all bro processes
running, whereas "broctl status" only shows you the ones that
broctl knows about. It is important to make sure there are
no bro processes running before attempting to start bro
using broctl.

-Daniel

Just tried it, for now I can only confirm your problem

/tmp/bro # /usr/local/bro/bin/broctl start
starting bro ...
(bro still initializing)
/tmp/bro # /usr/local/bro/bin/broctl status
Name         Type         Host          Status    Pid    Started
bro          standalone   localhost     crashed

This might help, dmesg output:

device eth0 entered promiscuous mode
traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb sp:7f92f1a40880 error:0 in ld-musl-x86_64.so.1[7f92f1848000+8d000]
bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp 00007ffd5d7bbaa8 error 15
bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]

and the ps aux output

364 root 0:00 {run-bro} /bin/bash /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl
370 root 0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
372 root 0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
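
The two "segfault at" lines in the dmesg output above can be decoded further. This is an added example, not part of the original thread: the function names are hypothetical, and it relies on the Linux x86 kernel printing the page-fault error code in hexadecimal, so "error 15" is 0x15.

```python
import re

# x86 page-fault error-code bits (Linux X86_PF_*): (mask, if set, if clear)
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "not a write"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Copied verbatim from the dmesg output quoted in the post above.
SAMPLE_LINES = [
    "bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 "
    "sp 00007ffd5d7bbaa8 error 15",
    "bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 "
    "sp 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]",
]

def decode_error(code):
    """Turn the numeric page-fault error code into readable flags."""
    return [on if code & mask else off
            for mask, on, off in PF_BITS if code & mask or off]

def parse_segfault(line):
    """Parse one kernel 'segfault at' line; return None for other lines."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    return {
        "comm": m["comm"], "pid": int(m["pid"]),
        "addr": addr, "ip": ip, "flags": decode_error(err),
        # Fault address == instruction pointer with the fetch bit set:
        # the CPU tried to execute from a non-executable page.
        "exec_fault": addr == ip and bool(err & 0x10),
        "object": m["obj"],
        # Offset of the faulting ip inside the mapped object, for gdb/addr2line.
        "offset": ip - int(m["base"], 16) if m["obj"] else None,
    }

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_segfault(line))
```

Both lines decode to a user-mode instruction fetch that hit a protection violation, with the fault address equal to the instruction pointer; the second one lies at offset 0xdf8 inside a 0x1000-byte mapping of ld-musl-x86_64.so.1.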

Thanks Daniel T and Daniel G.

I verified that no Bro processes were running before running broctl, but still I’m seeing the same behavior as Daniel G.

Please let me know if I can assist any further with debugging.

cheers,
Mike