Bug #1589

closed

Cannot run nfq in workers mode

Added by Filip Stolarski almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

# uname -rm
3.2.71-main-grsec-spoofy x86_64 (without PaX)
# suricata --build-info
This is Suricata version 2.1dev (rev 86711a1)
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON PROFILING TLS 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                no
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       yes
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS 

(Apologies for the mess in the configuration file)

Run with workers mode:

# /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 1 -D --runmode workers

# cat /var/log/suricata.log 
[29933] 4/11/2015 -- 15:38:52 - (suricata.c:1073) <Notice> (SCPrintVersion) -- This is Suricata version 2.1dev (rev 86711a1)
[29933] 4/11/2015 -- 15:38:52 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
[29933] 4/11/2015 -- 15:38:52 - (app-layer-dns-udp.c:337) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[29933] 4/11/2015 -- 15:38:52 - (app-layer-dns-udp.c:349) <Info> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[29933] 4/11/2015 -- 15:38:52 - (app-layer-dns-udp.c:361) <Info> (DNSUDPConfigure) -- DNS global memcap: 16777216
[29933] 4/11/2015 -- 15:38:52 - (app-layer-modbus.c:1457) <Info> (RegisterModbusParsers) -- Modbus request flood protection level: 500
[29933] 4/11/2015 -- 15:38:52 - (source-nfq.c:286) <Info> (NFQInitConfig) -- NFQ running in standard ACCEPT/DROP mode
[29933] 4/11/2015 -- 15:38:52 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[29933] 4/11/2015 -- 15:38:52 - (defrag-hash.c:234) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 168
[29933] 4/11/2015 -- 15:38:52 - (defrag-hash.c:241) <Info> (DefragInitConfig) -- defrag memory usage: 14679896 bytes, maximum: 33554432
[29933] 4/11/2015 -- 15:38:52 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[29934] 4/11/2015 -- 15:38:52 - (host.c:215) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[29934] 4/11/2015 -- 15:38:52 - (host.c:238) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 136
[29934] 4/11/2015 -- 15:38:52 - (host.c:240) <Info> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 16777216
[29934] 4/11/2015 -- 15:38:52 - (flow.c:441) <Info> (FlowInitConfig) -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
[29934] 4/11/2015 -- 15:38:52 - (flow.c:465) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 288
[29934] 4/11/2015 -- 15:38:52 - (flow.c:467) <Info> (FlowInitConfig) -- flow memory usage: 7074304 bytes, maximum: 67108864
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:393) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:399) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:422) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:444) <Info> (StreamTcpInitConfig) -- stream."inline": enabled
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:457) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:475) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 134217728
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:493) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:576) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2581
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:578) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2643
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp.c:591) <Info> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:487) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
[29934] 4/11/2015 -- 15:38:52 - (stream-tcp-reassemble.c:500) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128
[29934] 4/11/2015 -- 15:38:52 - (ippair.c:211) <Info> (IPPairInitConfig) -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
[29934] 4/11/2015 -- 15:38:52 - (ippair.c:234) <Info> (IPPairInitConfig) -- preallocated 1000 ippairs of size 136
[29934] 4/11/2015 -- 15:38:52 - (ippair.c:236) <Info> (IPPairInitConfig) -- ippair memory usage: 398144 bytes, maximum: 16777216
[29934] 4/11/2015 -- 15:38:52 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[29934] 4/11/2015 -- 15:38:52 - (suricata.c:1942) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[29934] 4/11/2015 -- 15:38:52 - (reputation.c:620) <Info> (SRepInit) -- IP reputation disabled
[29934] 4/11/2015 -- 15:38:52 - (util-profiling-keywords.c:387) <Info> (SCProfilingKeywordInitCounters) -- Registered 111 keyword profiling counters.
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/local.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:424) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/local.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/botcc.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/ciarmy.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/compromised.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/drop.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/dshield.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-activex.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-attack_response.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-chat.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-current_events.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-dns.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-dos.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-exploit.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-ftp.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-games.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-icmp_info.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-imap.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-inappropriate.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-malware.rules
[29934] 4/11/2015 -- 15:38:52 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-misc.rules
[29934] 4/11/2015 -- 15:38:53 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules
[29934] 4/11/2015 -- 15:38:53 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-netbios.rules
[29934] 4/11/2015 -- 15:38:53 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-p2p.rules
[29934] 4/11/2015 -- 15:38:53 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-policy.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-pop3.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-rpc.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-scada.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-scan.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-shellcode.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-smtp.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-snmp.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-sql.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-telnet.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-tftp.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-trojan.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-user_agents.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-voip.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_client.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_server.rules
[29934] 4/11/2015 -- 15:38:54 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_specific_apps.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-worm.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/tor.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/decoder-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/stream-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/http-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/smtp-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/dns-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/tls-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/modbus-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:402) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
[29934] 4/11/2015 -- 15:38:56 - (detect.c:523) <Info> (SigLoadSignatures) -- 50 rule files processed. 17234 rules successfully loaded, 0 rules failed
[29934] 4/11/2015 -- 15:38:56 - (detect.c:2987) <Info> (SigAddressPrepareStage1) -- 17242 signatures processed. 880 are IP-only rules, 6503 are inspecting packet payload, 12990 inspect application layer, 72 are decoder event only
[29934] 4/11/2015 -- 15:38:56 - (detect.c:2990) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[29934] 4/11/2015 -- 15:38:56 - (detect.c:3623) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[29934] 4/11/2015 -- 15:38:57 - (detect.c:4148) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[29934] 4/11/2015 -- 15:38:58 - (util-profiling-rules.c:589) <Info> (SCProfilingRuleInitCounters) -- Registered 17242 rule profiling counters.
[29934] 4/11/2015 -- 15:38:58 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[29934] 4/11/2015 -- 15:38:58 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[29934] 4/11/2015 -- 15:38:58 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'alert'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'http'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'dns'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'tls'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'files'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'smtp'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'ssh'
[29934] 4/11/2015 -- 15:38:58 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'stats'
[29934] 4/11/2015 -- 15:38:58 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[29934] 4/11/2015 -- 15:38:58 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
[29935] 4/11/2015 -- 15:38:58 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 3606528
[29935] 4/11/2015 -- 15:38:58 - (source-nfq.c:589) <Info> (NFQInitThread) -- binding this thread 0 to queue '1'
[29935] 4/11/2015 -- 15:38:58 - (source-nfq.c:611) <Info> (NFQInitThread) -- setting queue length to 4096
[29935] 4/11/2015 -- 15:38:58 - (source-nfq.c:624) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[29935] 4/11/2015 -- 15:38:58 - (source-nfq.c:388) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.

Kernel log:

Nov  4 15:38:58 <hidden hostname here> kernel: grsec: From <hidden IP address here>: Segmentation fault occurred at 0000000000000024 in /usr/bin/suricata[Worker-Q1:29935] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Run with autofp mode:

# /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 1 -D --runmode autofp

# cat /var/log/suricata.log
[30013] 4/11/2015 -- 15:39:33 - (suricata.c:1073) <Notice> (SCPrintVersion) -- This is Suricata version 2.1dev (rev 86711a1)
[30013] 4/11/2015 -- 15:39:33 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2255) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-htp.c:2270) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
[30013] 4/11/2015 -- 15:39:33 - (app-layer-dns-udp.c:337) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[30013] 4/11/2015 -- 15:39:33 - (app-layer-dns-udp.c:349) <Info> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[30013] 4/11/2015 -- 15:39:33 - (app-layer-dns-udp.c:361) <Info> (DNSUDPConfigure) -- DNS global memcap: 16777216
[30013] 4/11/2015 -- 15:39:33 - (app-layer-modbus.c:1457) <Info> (RegisterModbusParsers) -- Modbus request flood protection level: 500
[30013] 4/11/2015 -- 15:39:33 - (source-nfq.c:286) <Info> (NFQInitConfig) -- NFQ running in standard ACCEPT/DROP mode
[30013] 4/11/2015 -- 15:39:33 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[30013] 4/11/2015 -- 15:39:33 - (defrag-hash.c:234) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 168
[30013] 4/11/2015 -- 15:39:33 - (defrag-hash.c:241) <Info> (DefragInitConfig) -- defrag memory usage: 14679896 bytes, maximum: 33554432
[30013] 4/11/2015 -- 15:39:33 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[30014] 4/11/2015 -- 15:39:33 - (host.c:215) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[30014] 4/11/2015 -- 15:39:33 - (host.c:238) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 136
[30014] 4/11/2015 -- 15:39:33 - (host.c:240) <Info> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 16777216
[30014] 4/11/2015 -- 15:39:33 - (flow.c:441) <Info> (FlowInitConfig) -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
[30014] 4/11/2015 -- 15:39:33 - (flow.c:465) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 288
[30014] 4/11/2015 -- 15:39:33 - (flow.c:467) <Info> (FlowInitConfig) -- flow memory usage: 7074304 bytes, maximum: 67108864
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:393) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:399) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:422) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:444) <Info> (StreamTcpInitConfig) -- stream."inline": enabled
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:457) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:475) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 134217728
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:493) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:576) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2630
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:578) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2500
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp.c:591) <Info> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:451) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:487) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
[30014] 4/11/2015 -- 15:39:33 - (stream-tcp-reassemble.c:500) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128
[30014] 4/11/2015 -- 15:39:33 - (ippair.c:211) <Info> (IPPairInitConfig) -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
[30014] 4/11/2015 -- 15:39:33 - (ippair.c:234) <Info> (IPPairInitConfig) -- preallocated 1000 ippairs of size 136
[30014] 4/11/2015 -- 15:39:33 - (ippair.c:236) <Info> (IPPairInitConfig) -- ippair memory usage: 398144 bytes, maximum: 16777216
[30014] 4/11/2015 -- 15:39:33 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[30014] 4/11/2015 -- 15:39:33 - (suricata.c:1942) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[30014] 4/11/2015 -- 15:39:33 - (reputation.c:620) <Info> (SRepInit) -- IP reputation disabled
[30014] 4/11/2015 -- 15:39:33 - (util-profiling-keywords.c:387) <Info> (SCProfilingKeywordInitCounters) -- Registered 111 keyword profiling counters.
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/local.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:424) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/local.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/botcc.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/ciarmy.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/compromised.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/drop.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/dshield.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-activex.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-attack_response.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-chat.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-current_events.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-dns.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-dos.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-exploit.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-ftp.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-games.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-icmp_info.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-imap.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-inappropriate.rules
[30014] 4/11/2015 -- 15:39:33 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-malware.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-misc.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-netbios.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-p2p.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-policy.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-pop3.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-rpc.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-scada.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-scan.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-shellcode.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-smtp.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-snmp.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-sql.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-telnet.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-tftp.rules
[30014] 4/11/2015 -- 15:39:34 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-trojan.rules
[30014] 4/11/2015 -- 15:39:35 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-user_agents.rules
[30014] 4/11/2015 -- 15:39:35 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-voip.rules
[30014] 4/11/2015 -- 15:39:35 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_client.rules
[30014] 4/11/2015 -- 15:39:35 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_server.rules
[30014] 4/11/2015 -- 15:39:35 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-web_specific_apps.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/emerging-worm.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/tor.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/decoder-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/stream-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/http-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/smtp-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/dns-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/tls-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:414) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/modbus-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:402) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
[30014] 4/11/2015 -- 15:39:36 - (detect.c:523) <Info> (SigLoadSignatures) -- 50 rule files processed. 17234 rules successfully loaded, 0 rules failed
[30014] 4/11/2015 -- 15:39:36 - (detect.c:2987) <Info> (SigAddressPrepareStage1) -- 17242 signatures processed. 880 are IP-only rules, 6503 are inspecting packet payload, 12990 inspect application layer, 72 are decoder event only
[30014] 4/11/2015 -- 15:39:36 - (detect.c:2990) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[30014] 4/11/2015 -- 15:39:36 - (detect.c:3623) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[30014] 4/11/2015 -- 15:39:38 - (detect.c:4148) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[30014] 4/11/2015 -- 15:39:38 - (util-profiling-rules.c:589) <Info> (SCProfilingRuleInitCounters) -- Registered 17242 rule profiling counters.
[30014] 4/11/2015 -- 15:39:38 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[30014] 4/11/2015 -- 15:39:38 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[30014] 4/11/2015 -- 15:39:38 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'alert'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'http'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'dns'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'tls'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'files'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'smtp'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'ssh'
[30014] 4/11/2015 -- 15:39:38 - (runmodes.c:780) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'stats'
[30014] 4/11/2015 -- 15:39:38 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[30014] 4/11/2015 -- 15:39:38 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
[30021] 4/11/2015 -- 15:39:38 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 3606528
[30021] 4/11/2015 -- 15:39:38 - (source-nfq.c:589) <Info> (NFQInitThread) -- binding this thread 0 to queue '1'
[30021] 4/11/2015 -- 15:39:38 - (source-nfq.c:611) <Info> (NFQInitThread) -- setting queue length to 4096
[30021] 4/11/2015 -- 15:39:38 - (source-nfq.c:624) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[30014] 4/11/2015 -- 15:39:39 - (flow-manager.c:721) <Info> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[30035] 4/11/2015 -- 15:39:39 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 3606528
[30014] 4/11/2015 -- 15:39:39 - (flow-manager.c:881) <Info> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[30014] 4/11/2015 -- 15:39:39 - (tm-threads.c:2001) <Notice> (TmThreadWaitOnThreadInit) -- all 14 packet processing threads, 4 management threads initialized, engine started.
Actions #1

Updated by Filip Stolarski almost 6 years ago

I'll attach gdb dump ASAP.

Actions #2

Updated by Victor Julien almost 6 years ago

  • Description updated (diff)

Cleaned up the description.

Gdb bt is very welcome.

Actions #3

Updated by Victor Julien almost 6 years ago

  • Target version changed from 3.0RC1 to TBD
Actions #4

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Andreas Herz
  • Target version changed from TBD to 70
Actions #5

Updated by Victor Julien over 5 years ago

  • Target version changed from 70 to 3.1.1
Actions #6

Updated by Giuseppe Longo over 5 years ago

Backtrace:

[24420] 17/6/2016 -- 11:45:25 - (source-nfq.c:590) <Info> (NFQInitThread) -- binding this thread 0 to queue '0'
[24420] 17/6/2016 -- 11:45:25 - (source-nfq.c:612) <Info> (NFQInitThread) -- setting queue length to 4096
[24420] 17/6/2016 -- 11:45:25 - (source-nfq.c:625) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[24420] 17/6/2016 -- 11:45:25 - (source-nfq.c:389) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe792f700 (LWP 24420)]
0x000000000057a35f in CaptureStatsSetup (tv=0x6120003ac6c0, s=0x24) at decode.c:579
579        s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
(gdb) bt
#0  0x000000000057a35f in CaptureStatsSetup (tv=0x6120003ac6c0, s=0x24) at decode.c:579
#1  0x0000000000bc5479 in VerdictNFQThreadInit (tv=0x6120003ac6c0, initdata=0x0, data=0x7fffe792e400) at source-nfq.c:763
#2  0x0000000000ca7324 in TmThreadsSlotPktAcqLoop (td=0x6120003ac6c0) at tm-threads.c:300
#3  0x00007ffff5b726aa in start_thread (arg=0x7fffe792f700) at pthread_create.c:333
#4  0x00007ffff4e9813d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

How to reproduce:

sudo src/suricata -c suricata.yaml -q 0 --runmode workers -l /tmp/ -v

Actions #7

Updated by Andreas Herz over 5 years ago

You might want to test the fix:

https://github.com/inliniac/suricata/pull/2154

Would need more testing if it's now working as expected, did a small test at my home setup.

Actions #8

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 3.1.1 to 3.1