Project

General

Profile

Actions

Bug #1396

closed

Segfault on rules reload (when using --unix-socket also?)

Added by Luigi Sandon almost 10 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

We're running Suricata 2.0.6 using the --unix-socket parameter. We're trying also to reload rules withour restarting suricata sending SIGUSR2 to the Suricata process. We found that the unix socket gets closed, and Suricata segfault appear in the syslog:

Feb 24 15:29:46 ntdb kernel: [ 8157.442428] Detect1511044: segfault at 0 ip (null) sp 00007fee1c4a44a8 error 14 in suricata[400000+1d5000]

Feb 24 10:09:24 ntdb kernel: [ 3738.872665] Detect146865: segfault at 90be98 ip 0000000000562027 sp 00007f1606e484a8 error 4 in suricata[400000+1d5000]

Feb 24 11:25:23 ntdb kernel: [ 8296.417791] Detect29505: segfault at 0 ip (null) sp 00007fce3d39e4a8 error 14 in suricata[400000+1d5000]

Rules reload seems to complete (even if some rules have errors, but they are also present on Suricata start, we're reloading the same rule set), but processing the next file looks to trigger the segfault:

24/2/2015 -- 15:29:23 - <Notice> - Pcap-file module read 2120000 packets, 470571091 bytes
24/2/2015 -- 15:29:27 - <Notice> - Pcap-file module read 2120000 packets, 470561318 bytes
24/2/2015 -- 15:29:31 - <Notice> - Pcap-file module read 2120000 packets, 470424243 bytes
24/2/2015 -- 15:29:34 - <Notice> - Pcap-file module read 2120000 packets, 470429820 bytes
24/2/2015 -- 15:29:38 - <Notice> - Pcap-file module read 2120000 packets, 470501074 bytes
24/2/2015 -- 15:29:42 - <Notice> - Pcap-file module read 2120000 packets, 470425744 bytes
24/2/2015 -- 15:29:42 - <Notice> - rule reload starting
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert tcp any any <> any [20,80,139,445,8080,3128] (msg:"HackTool.win.winmgt"; flow:e stablished; content:"|0D 0A 53 65 72 76 65 72 73 20 65 6E 75 6D 65 72 61 74 65 64 3A 20 25 64 |"; reference:url,cyberlabs.it; reference:url,cyberlabs.it; classtype:apt-malware; sid:622013 " from file /etc/suricata/rules/malware.rules at line 89
24/2/2015 -- 15:29:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /et c/suricata/rules/policy.rules
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20] (msg:"FTP-DATA RAR magic"; content:"|52 61 72 21 1A 07|" ; offset:0; classtype:exfiltration; sid:20140720015; rev:1;)" from file /etc/suricata/rules/t hreats.rules at line 42
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20] (msg:"FTP-DATA 7ZIP magic"; content:"|37 7A BC AF 27 1C| "; offset:0; classtype:exfiltration; sid:20140720016; rev:1;)" from file /etc/suricata/rules/ threats.rules at line 43
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20,80,3128,8080] (msg:"Encrypted RAR magic"; content:"|52 61 72 21 1a 07 00 ce 99 73 80 00 0d 00|"; offset:0; classtype:exfiltration; sid:20140905015; re v:1;)" from file /etc/suricata/rules/threats.rules at line 46
24/2/2015 -- 15:29:44 - <Notice> - rule reload complete
24/2/2015 -- 15:29:46 - <Notice> - Pcap-file module read 2120000 packets, 470529320 bytes


Files

suricata.build.info (2.14 KB) suricata.build.info --build-info result Luigi Sandon, 02/24/2015 08:49 AM
suricata.conf (13.8 KB) suricata.conf --dump-config result Luigi Sandon, 02/24/2015 08:49 AM
Actions #1

Updated by Victor Julien over 8 years ago

  • Status changed from New to Closed

Many improvements have been made to rule (re)loading. Please reopen if still an issue in recent code.

Actions

Also available in: Atom PDF