Suricata

Can you record the traffic and attach the pcap?

Dear Victor

please find below Google Drive Link for the pcap file please note that the capture was taken while the rules where commented if you like I can repeat it while it's uncommented

https://drive.google.com/file/d/0B8PgMIlwY8MLdU90aWctZVBpNW8/view?usp=sharing

Dear,

please find below logs it happened when the it received a small udp packet

[root@ips01 ~]# tail -n 40 /usr/local/var/log/suricata/fast.log
12/08/2015-17:12:51.768280 [Drop] [**] [1:2014703:8] ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.239.0.47:14762 -> 106.38.187.142:53
12/08/2015-17:12:52.449464 [Drop] [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.237.83.33:49409 -> 199.203.131.145:53
12/08/2015-17:12:53.200179 [Drop] [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.237.83.33:58325 -> 199.203.131.145:53
12/08/2015-17:12:53.924091 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.239.255.254:55677 -> 67.23.224.151:53
12/08/2015-17:12:54.557045 [Drop] [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.237.83.33:49409 -> 199.203.131.145:53
12/08/2015-17:12:56.643216 [Drop] [**] [1:2014703:8] ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.239.0.6:12620 -> 168.1.69.109:53
12/08/2015-17:12:57.843547 [Drop] [**] [1:2014169:1] ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.0.29:11268 -> 8.8.4.4:53
12/08/2015-17:12:58.041774 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.236.200.93:11232 -> 192.131.182.241:53
12/08/2015-17:13:07.651615 [Drop] [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.237.83.33:29469 -> 199.203.131.145:53
12/08/2015-17:13:14.475466 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.239.255.254:53927 -> 67.23.224.151:53
12/08/2015-17:13:18.152123 [Drop] [**] [1:2014703:8] ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.238.212.154:64540 -> 54.76.137.57:53
12/08/2015-17:13:19.417191 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.236.200.93:8872 -> 192.131.182.241:53
12/08/2015-17:13:19.474715 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 37.239.255.254:53927 -> 67.23.224.151:53
12/08/2015-17:13:23.991153 [Drop] [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 37.236.200.100:0 -> 72.220.237.17:0

[root@ips01 ~]# tail /var/log/messages -n 20
Dec 8 15:13:24 ips01 systemd: Started Session 92 of user root.
Dec 8 15:13:44 ips01 kernel: device eno1 left promiscuous mode
Dec 8 16:01:01 ips01 systemd: Starting Session 93 of user root.
Dec 8 16:01:01 ips01 systemd: Started Session 93 of user root.
Dec 8 17:01:01 ips01 systemd: Starting Session 94 of user root.
Dec 8 17:01:01 ips01 systemd: Started Session 94 of user root.
Dec 8 17:13:23 ips01 kernel: Detect12²⁶⁶⁵³: segfault at 4 ip 00000000004c7fcc sp 00007fa7c67fb470 error 4 in suricata[400000+1c6000]
Dec 8 17:13:24 ips01 systemd: suricata.service: main process exited, code=killed, status=11/SEGV
Dec 8 17:13:24 ips01 systemd: Unit suricata.service entered failed state.

Sadly, these bt's contain too little info. We need a binary w/o stripped symbols.

Can you recompile Suricata with CFLAGS="-ggdb", reproduce the issue and create another backtrace?

Dear,

we have already rebuild Suricata with the following flag CFLAGS="-ggdb -O0" showed we change it to CFLAGS="-ggdb" this the command we used for the rebuild

./configure --enable-nfqueue CFLAGS="-ggdb -O0" && make && make install-full

Something else must have gone wrong then, as the bt's don't show the symbols and are therefore not usable.

ok then we will try to rebuild the Suricata again with the following flag CFLAGS="-ggdb" is that ok and is there a way to check if the build has enabled the ggdb flag as stated in the command?

During the "make" stage, each gcc line should show this -ggdb option. Be sure to make clean first.

Dear

I have done make clean and install it again and there a -ggdb in each ggc line and then I have done the following three steps

gdb /usr/local/bin/suricata /core
(gdb) set logging on
(gdb) thread apply all bt

it created the exact same txt file that I have send you is there any recommended steps that I can follow?

Dear,

Thanks for your help the work around has worked and the system is working greatly

Thanks For Your Help we have successfully updated our system and it's working normally