List: bro
Subject: Re: [Zeek] tcmalloc large alloc
From: "Rogers, Zach" <Zach.Rogers () oregonstate ! edu>
Date: 2019-05-18 23:34:05
Message-ID: 94FDEE2E-1311-4896-8A98-FCB56980F415 () oregonstate ! edu
Thanks Justin! I will see if we can do some testing on our end – If so I will report back.
--
Zach Rogers
Lead Security Analyst
Security and Network Monitoring
Oregon Research & Teaching Security Operations Center (ORTSOC)
Phone: 541.737.7723
GPG Fingerprint: ECC5 03A6 7E91 17C6 50C6 8FAC D6A0 8001 2869 BD52
From: Justin Azoff <justin@corelight.com>
Date: Saturday, May 18, 2019 at 4:32 PM
To: "Rogers, Zach" <Zach.Rogers@oregonstate.edu>
Cc: Seth Hall <seth@corelight.com>, "Nead-Work, Alexander" <Alexander.Nead-Work@oregonstate.edu>, "zeek@zeek.org" <zeek@zeek.org>
Subject: Re: [Zeek] tcmalloc large alloc
There's an issue here: https://github.com/zeek/zeek/issues/245
I believe the problem was fixed with
https://github.com/zeek/zeek/commit/78dcbcc71ac09d3dd8a213f658ee8e794bb1bcd9 or
https://github.com/zeek/zeek/commit/6598fe991d26bd15e483fcd96ea72bb161143d4e
but it has not been confirmed yet.
On Sat, May 18, 2019 at 7:05 PM Rogers, Zach <Zach.Rogers@oregonstate.edu> wrote:
Hey Seth,
Did you have a chance to look into this?
If anyone else has any input that would be helpful as well!
All the best,
--
Zach Rogers
Lead Security Analyst
Security and Network Monitoring
Oregon Research & Teaching Security Operations Center (ORTSOC)
Phone: 541.737.7723
GPG Fingerprint: ECC5 03A6 7E91 17C6 50C6 8FAC D6A0 8001 2869 BD52
On 3/27/19, 10:57 AM, "Seth Hall" <seth@corelight.com> wrote:
On 27 Mar 2019, at 11:54, Zander Work wrote:
> The first two showing ??:0 makes sense b/c those are memory addresses.
> It looks like the PE analyzer might be the culprit but I'm not sure.
Yep, I knew the first two would look like that. It's ASLR being applied
to glibc function (which is fine and not what I was interested in
anyway). It did end up showing what I expected it to. I'll look around
a little bit and see if anything makes sense.
Thanks!
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin