Bro Crashing
Sniffty Dugen
error in /opt/bro/share/bro/intel/__load__.bro, line 5: "redef" used but not previously defined (Intel::read_files)
internal warning in /opt/bro/share/bro/intel/__load__.bro, line 7: Can't document redef of Intel::read_files, identifier lookup failed
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost crashed
proxy proxy localhost stopped
libe-console-eth2-1 worker localhost stopped
This is a default config for Bro, it ran great for over a month but now I get a crash report every 5 minutes. The above is the only thing referenced in the stderr.log file
I did patch the machine with the new elsa packages this morning.
Doug Burks
What is the output of the following?
cat /opt/bro/share/bro/intel/__load__.bro
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Sniffty Dugen
This is the output of cat /opt/bro/share/bro/intel/__load__.bro
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
redef Intel::read_files += {
"/opt/bro/share/bro/intel/intel.dat"
};
Doug Burks
sudo nsm_sensor_ps-restart --only-bro
Sniffty Dugen
Doug
It crashes immediately
sudo nsm_sensor_ps-restart --only-bro
Restarting: Bro
libe-console-eth2-1 not running
proxy not running
manager not running (was crashed)
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
starting manager ...
manager terminated immediately after starting; check output with "diag"
Restarting: libe-console-eth2
sudo broctl diag
[manager]
Bro 2.4.1
Linux 3.19.0-59-generic
==== No reporter.log
==== stderr.log
error in /opt/bro/share/bro/intel/__load__.bro, line 5: "redef" used but not previously defined (Intel::read_files)
internal warning in /opt/bro/share/bro/intel/__load__.bro, line 7: Can't document redef of Intel::read_files, identifier lookup failed
==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
==== .cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
==== .env_vars
PATH=/opt/bro/bin:/opt/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
BROPATH=/nsm/bro/spool/installed-scripts-do-not-touch/site::/nsm/bro/spool/installed-scripts-do-not-touch/auto:/opt/bro/share/bro:/opt/bro/share/bro/policy:/opt/bro/share/bro/site
CLUSTER_NODE=manager
==== .status
TERMINATED [atexit]
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
[proxy]
Bro 2.4.1
Linux 3.19.0-59-generic
==== No reporter.log
==== No stderr.log
==== No stdout.log
==== No .cmdline
==== No .env_vars
==== No .status
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
[libe-console-eth2-1]
Bro 2.4.1
Linux 3.19.0-59-generic
==== No reporter.log
==== No stderr.log
==== No stdout.log
==== No .cmdline
==== No .env_vars
==== No .status
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
Doug Burks
ls -alh /opt/bro/share/bro/intel/intel.dat
What happens if you comment out the "@load intel" line in
/opt/bro/share/bro/site/local.bro and then run "sudo
nsm_sensor_ps-restart --only-bro"?
Sniffty Dugen
ls -alh /opt/bro/share/bro/intel/intel.dat
-rw-r--r-- 1 root root 221 May 12 18:28 /opt/bro/share/bro/intel/intel.dat
its the original file, everything is commented out. I was in there trouble shooting it by adding/removing a line etc. Didn't make a difference.
Commenting out the @load intel worked, but I was hoping to use that once I learn Bro better.
Doug Burks
Can you attach a copy of that file?
Doug Burks
If so, you'll want to run dos2unix to fix and then restart Bro. You
may need to do that for any other Bro files you modified on Windows as
well.
Sniffty Dugen
I opened it in notepad after I copied it over. Sorry for that. I copied over a different local.bro from another sensor. Still crashed.
Doug Burks
test VM. Have you modified any other files in Windows? Have you made
any other changes to your config? Have you gone back to a default
intel.dat?
I'd recommend spinning up a fresh installation in a VM and using it to
compare side-by-side for changes.
Sniffty Dugen
Interesting, no, I havent changed anything on this machine for a few weeks. The only thing I did this morning was patch it. Nothing is ever edited in Windows.
Ill try and copy all new files like you suggest.
Doug Burks
deployment? Did you update the master server before updating the
sensors? Are the master server and all sensors all running the latest
14.04 version?
Sniffty Dugen
Doug,
I have a vm SO machine I use as my Linux desktop and to connect to this machine. I used the files from it and I am back in business.
Interesting is that this machine hasnt been touched in two weeks aside from rule updates happening. Either way, its something I did. Thank you for a great OS and all your help.
Dan