segmentation fault by adding an analyzer to port 80

When I force the anaylzer to be activated by modifying the, everything works well. But when I try to activate it by using a Bro script, like this:

global foo_ports: set[port] = { 80/tcp } &redef;
redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };

a segmentation fault appear at the end of the script.

There is the command I use to execute it (note that the browse.pcap file came from a Bro workshop):

bro -b -r browse.pcap my_proto.bro

Here’s the complete code of the analyzer and the Bro script:


Additional information from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x000000000082b156 in TCP_Analyzer::EndpointEOF (this=0xed24b0,
endp=0xed2920) at /home/easselin/bro/src/
#2 0x000000000082f8b5 in TCP_Reassembler::CheckEOF (this=0xed2920) at
#3 0x000000000082d4db in TCP_Endpoint::CheckEOF (this=0xed2570) at
#4 0x0000000000828e7f in TCP_Analyzer::DeliverPacket (this=0xed24b0,
len=0, data=0xec1a06 "\r\n", is_orig=true, seq=-1, ip=0x7fffffffe310,
caplen=0) at /home/easselin/bro/src/
#5 0x0000000000686c2f in Analyzer::NextPacket (this=0xed24b0, len=20,
data=0xec19f2 "\300\203", is_orig=true, seq=-1, ip=0x7fffffffe310,
caplen=20) at /home/easselin/bro/src/
#6 0x00000000006b3733 in Connection::NextPacket (this=0xed23b0,
t=1320329772.929872, is_orig=1, ip=0x7fffffffe310, len=20, caplen=20,
data=@0x7fffffffe088, record_packet=@0x7fffffffe084,
record_content=@0x7fffffffe080, hdr=0xebdc90, pkt=0xec19d0 "RT",
hdr_size=14) at /home/easselin/bro/src/
#7 0x0000000000805a09 in NetSessions::DoNextPacket (this=0xebe740,
t=1320329772.929872, hdr=0xebdc90, ip_hdr=0x7fffffffe310, pkt=0xec19d0
"RT", hdr_size=14, encapsulation=0x0) at
#8 0x0000000000804011 in NetSessions::NextPacket (this=0xebe740,
t=1320329772.929872, hdr=0xebdc90, pkt=0xec19d0 "RT", hdr_size=14,
pkt_elem=0x0) at /home/easselin/bro/src/
#9 0x0000000000803d56 in NetSessions::DispatchPacket (this=0xebe740,
t=1320329772.929872, hdr=0xebdc90, pkt=0xec19d0 "RT", hdr_size=14,
src_ps=0xebdc50, pkt_elem=0x0) at /home/easselin/bro/src/
#10 0x000000000079f00c in net_packet_dispatch (t=1320329772.929872,
hdr=0xebdc90, pkt=0xec19d0 "RT", hdr_size=14, src_ps=0xebdc50,
pkt_elem=0x0) at /home/easselin/bro/src/
#11 0x000000000079f25f in net_packet_arrival (t=1320329772.929872,
hdr=0xebdc90, pkt=0xec19d0 "RT", hdr_size=14, src_ps=0xebdc50) at
#12 0x00000000007b6ea1 in PktSrc::Process (this=0xebdc50) at
#13 0x000000000079f397 in net_run () at /home/easselin/bro/src/
#14 0x000000000067df27 in main (argc=5, argv=0x7fffffffebd8) at

I don't think there's a way to attach packet-based analyzers to TCP connections like that, so manually adding it in via TCP_Analyzer::AddChildPacketAnalyzer() for the ports you want may be the right thing.

But if what you really wanted is a stream-based analyzer (it only sees the content after TCP reassembly), you can derive from TCP_ApplicationAnalyzer instead of Analyzer and override DeliverStream() instead of DeliverPacket(). Then the dpd_config redef you had should work.

- Jon

I try the same code but with the use of a signature to trigger my
analyzer which worked, but again at the end I have the same
"segmentation fault". If I derive the analyzer with
TCP_ApplicationAnalyzer instead of just Analyzer and still use
DeliverPacket(), the "seg fault" disappear.

But in fact, I don't care about TCP connection stream, I just want the
analyzer to be triggered regardless of the transport layer... and
process the packet.

I think I've found why it doesn't work. When the inital tree of the DPD
is build, the transport layer is hardcoded within a switch so further
analyzer started by it's corresponding PIA (for UDP and TCP only) should
derive from the corresponding class to work properly. So an analyzer
itself can't act regardless of the transport layer.

In this case, for an analyzer to support both transport layer protocols,
it should derive TCP_ApplicationAnalyzer class and "extract or compute"
packet like the DNS Analyzer does.