Nessus scans cause bro to crash

Description

Bro continues to crash when Nessus scans it....not sure what next to provide. I can reproduce this since 2.5.0

Bro 2.5.4
Linux 4.10.0-38-generic

Bro plugins: (none found)

==== No reporter.log

==== stderr.log
internal warning in /media/data/spool/installed-scripts-do-not-touch/site/smtp-file-extract.bro, line 1: Discarded extraneous Broxygen comment: check link in mail_links internal warning in /media/data/spool/installed-scripts-do-not-touch/site/smtp-file-extract.bro, line 1: Discarded extraneous Broxygen comment: for
internal warning in /media/data/spool/installed-scripts-do-not-touch/site/smtp-file-extract.bro, line 1: Discarded extraneous Broxygen comment: print fmt ("log_mine Log_mime: %s", rec);
internal warning in /media/data/spool/installed-scripts-do-not-touch/site/smtp-file-extract.bro, line 1: Discarded extraneous Broxygen comment: aashish: need to port to file analysis framework listening on eno3

1530202014.050995 processing suspended
1530202014.050995 processing continued
1530270781.678922 received termination signal
1530270781.678922 82902364 packets received on interface eno3, 10642241 dropped

==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

==== .cmdline
-i eno3 -U .status -p broctl -p broctl-live -p local -p worker-4-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto --no-checksums --filter not ip6 and not host 10.0.5.119

==== .env_vars
PATH=/opt/bro/bin:/opt/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/media/data/spool/installed-scripts-do-not-touch/site::/media/data/spool/installed-scripts-do-not-touch/auto:/opt/bro/share/bro:/opt/bro/share/bro/policy:/opt/bro/share/bro/site
CLUSTER_NODE=worker-4-4

==== .status
TERMINATED [atexit]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

Environment

Linux

Activity

Show:
Johanna Amann
June 30, 2018, 1:41 AM

Interesting.

The best thing would be a pcap, if that can reproduce the crash. The next best thing would be a backtrace of Bro - I am not sure why you don't get one, but perhaps installing gdb would work?

If that does not work - providing the exact steps that you take to get it to crash (including the exact way in which you start nessus) might also help.

jamesl
July 3, 2018, 2:53 AM

Listening ports:

tcp 0 0 0.0.0.0:47761 0.0.0.0:* LISTEN 26671/bro
tcp 0 0 0.0.0.0:47762 0.0.0.0:* LISTEN 26861/bro
tcp 0 0 0.0.0.0:47763 0.0.0.0:* LISTEN 27047/bro
tcp 0 0 0.0.0.0:47764 0.0.0.0:* LISTEN 29210/bro
tcp 0 0 0.0.0.0:47765 0.0.0.0:* LISTEN 29108/bro
tcp 0 0 0.0.0.0:47766 0.0.0.0:* LISTEN 29110/bro
tcp 0 0 0.0.0.0:47767 0.0.0.0:* LISTEN 29211/bro
tcp 0 0 0.0.0.0:47768 0.0.0.0:* LISTEN 29111/bro
tcp 0 0 0.0.0.0:47769 0.0.0.0:* LISTEN 29025/bro
tcp 0 0 0.0.0.0:47770 0.0.0.0:* LISTEN 29033/bro
tcp 0 0 0.0.0.0:47771 0.0.0.0:* LISTEN 29112/bro
tcp 0 0 0.0.0.0:47772 0.0.0.0:* LISTEN 29209/bro
tcp 0 0 0.0.0.0:47773 0.0.0.0:* LISTEN 29109/bro
tcp 0 0 0.0.0.0:47774 0.0.0.0:* LISTEN 29113/bro
tcp 0 0 0.0.0.0:47775 0.0.0.0:* LISTEN 29212/bro
tcp6 0 0 :::47761 :::* LISTEN 26671/bro
tcp6 0 0 :::47762 :::* LISTEN 26861/bro
tcp6 0 0 :::47763 :::* LISTEN 27047/bro
tcp6 0 0 :::47764 :::* LISTEN 29210/bro
tcp6 0 0 :::47765 :::* LISTEN 29108/bro
tcp6 0 0 :::47766 :::* LISTEN 29110/bro
tcp6 0 0 :::47767 :::* LISTEN 29211/bro
tcp6 0 0 :::47768 :::* LISTEN 29111/bro
tcp6 0 0 :::47769 :::* LISTEN 29025/bro
tcp6 0 0 :::47770 :::* LISTEN 29033/bro
tcp6 0 0 :::47771 :::* LISTEN 29112/bro
tcp6 0 0 :::47772 :::* LISTEN 29209/bro
tcp6 0 0 :::47773 :::* LISTEN 29109/bro
tcp6 0 0 :::47774 :::* LISTEN 29113/bro
tcp6 0 0 :::47775 :::* LISTEN 29212/bro

quick fix would be to have an option to not have bro listening on all interfaces. I'll get the pcap to you Johanna over private channel.

Johanna Amann
July 3, 2018, 3:22 AM

Oh, sorry - I did not understand that you have nessus scanning the Bro machine; I thought you mean when Bro observes nessus traffic.

Yup, the Bro ports should be firewalled from the rest of your network and only accessible to other machines using Bro. If you have a single-machine setup you should be able to use redef Communication::listen_interface = 127.0.0.1; in local.bro (for Bro 2.5)

This is basically a duplicate of BIT-1792.

Since the old communication interface is more or less going away with 2.6 I don't think we will do anything about the fact that you can crash it if random data is sent to it.

jamesl
July 3, 2018, 3:26 AM

Brilliant...we can close this out then thank you!

Aashish Sharma
July 3, 2018, 7:37 AM

[ I see the ticket's closed ]

While I agree that old communication interface is going away and this sits a low
priority also due to architectural issues and deployment issues (bro behind
firewall and bro on non-routable networks etc).

I think being able to crash with a scan is still concerning!

On Mon, Jul 02, 2018 at 05:22:51PM +0000, Johanna Amann (JIRA) wrote:

Solved

Assignee

Unassigned

Reporter

jamesl

Labels

External issue ID

None

Components

Affects versions

Priority

High