Bug #1396
closedSegfault on rules reload (when using --unix-socket also?)
Description
We're running Suricata 2.0.6 using the --unix-socket parameter. We're trying also to reload rules withour restarting suricata sending SIGUSR2 to the Suricata process. We found that the unix socket gets closed, and Suricata segfault appear in the syslog:
Feb 24 15:29:46 ntdb kernel: [ 8157.442428] Detect1511044: segfault at 0 ip (null) sp 00007fee1c4a44a8 error 14 in suricata[400000+1d5000]
Feb 24 10:09:24 ntdb kernel: [ 3738.872665] Detect146865: segfault at 90be98 ip 0000000000562027 sp 00007f1606e484a8 error 4 in suricata[400000+1d5000]
Feb 24 11:25:23 ntdb kernel: [ 8296.417791] Detect29505: segfault at 0 ip (null) sp 00007fce3d39e4a8 error 14 in suricata[400000+1d5000]
Rules reload seems to complete (even if some rules have errors, but they are also present on Suricata start, we're reloading the same rule set), but processing the next file looks to trigger the segfault:
24/2/2015 -- 15:29:23 - <Notice> - Pcap-file module read 2120000 packets, 470571091 bytes
24/2/2015 -- 15:29:27 - <Notice> - Pcap-file module read 2120000 packets, 470561318 bytes
24/2/2015 -- 15:29:31 - <Notice> - Pcap-file module read 2120000 packets, 470424243 bytes
24/2/2015 -- 15:29:34 - <Notice> - Pcap-file module read 2120000 packets, 470429820 bytes
24/2/2015 -- 15:29:38 - <Notice> - Pcap-file module read 2120000 packets, 470501074 bytes
24/2/2015 -- 15:29:42 - <Notice> - Pcap-file module read 2120000 packets, 470425744 bytes
24/2/2015 -- 15:29:42 - <Notice> - rule reload starting
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert tcp any any <> any [20,80,139,445,8080,3128] (msg:"HackTool.win.winmgt"; flow:e stablished; content:"|0D 0A 53 65 72 76 65 72 73 20 65 6E 75 6D 65 72 61 74 65 64 3A 20 25 64 |"; reference:url,cyberlabs.it; reference:url,cyberlabs.it; classtype:apt-malware; sid:622013 " from file /etc/suricata/rules/malware.rules at line 89
24/2/2015 -- 15:29:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /et c/suricata/rules/policy.rules
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20] (msg:"FTP-DATA RAR magic"; content:"|52 61 72 21 1A 07|" ; offset:0; classtype:exfiltration; sid:20140720015; rev:1;)" from file /etc/suricata/rules/t hreats.rules at line 42
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20] (msg:"FTP-DATA 7ZIP magic"; content:"|37 7A BC AF 27 1C| "; offset:0; classtype:exfiltration; sid:20140720016; rev:1;)" from file /etc/suricata/rules/ threats.rules at line 43
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_NUMERIC_VALUE(60)] - sid value to high, max 4294967295
24/2/2015 -- 15:29:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing sig nature "alert ip any any <> any [20,80,3128,8080] (msg:"Encrypted RAR magic"; content:"|52 61 72 21 1a 07 00 ce 99 73 80 00 0d 00|"; offset:0; classtype:exfiltration; sid:20140905015; re v:1;)" from file /etc/suricata/rules/threats.rules at line 46
24/2/2015 -- 15:29:44 - <Notice> - rule reload complete
24/2/2015 -- 15:29:46 - <Notice> - Pcap-file module read 2120000 packets, 470529320 bytes
Files
Updated by Victor Julien almost 8 years ago
- Status changed from New to Closed
Many improvements have been made to rule (re)loading. Please reopen if still an issue in recent code.