Bug #2251

Suricata won't start - SC_ERR_AHO_CORASICK

Added by Stian Bergseth almost 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

When starting Suricata it fails after parsing signatures.

# /usr/bin/suricata --af-packet -c /etc/suricata/suricata.yaml
25/10/2017 -- 09:30:40 - <Notice> - This is Suricata version 3.2.3 RELEASE
25/10/2017 -- 09:30:40 - <Info> - CPUs/cores online: 48
25/10/2017 -- 09:30:40 - <Info> - HTTP memcap: 8589934592
25/10/2017 -- 09:30:40 - <Info> - Found an MTU of 9170 for 'eno49'
25/10/2017 -- 09:30:40 - <Info> - Found an MTU of 9170 for 'eno49'
25/10/2017 -- 09:31:00 - <Info> - 1 rule files processed. 39866 rules successfully loaded, 0 rules failed
25/10/2017 -- 09:31:01 - <Info> - 39868 signatures processed. 6 are IP-only rules, 15387 are inspecting packet payload, 28503 inspect application layer, 0 are decoder event only
25/10/2017 -- 09:31:09 - <Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - StateQueue behaving weirdly. Fatal Error. Exiting. Please file a bug report on this

Some general info about the system:
# suricata --build-info
This is Suricata version 3.2.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-11), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no

Unix socket enabled:                     yes
Detection enabled: yes
Libmagic support:                        yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Libnet support: yes
Suricatasc install:                      yes
Profiling enabled:                       no
Profiling locks enabled: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix                                 /usr
--sysconfdir /etc
--localstatedir /var
Host:                                    x86_64-redhat-linux-gnu
Compiler: gcc -std=gnu99 (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

This is on CentOS Linux release 7.4

#1

Updated by Stian Bergseth almost 4 years ago

This is with a mix of ET open/pro signatures, VRT signatures and some custom made signatures.
Tried upgrading to 3.2.4 with no success.

After removing 1000 signatures it works again; all of them were "FILE-IDENTIFY" signatures.
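The workaround above (dropping signatures until Suricata starts) can be made systematic. The script below is an added example, not code from the bug report or from the Suricata project: it bisects a rules file against a check command and keeps the smallest subset that still fails. CHECK_CMD is a hypothetical command or shell function that takes a rules file and exits 0 when Suricata starts cleanly with it, for instance a wrapper around `suricata -T -c suricata.yaml -S <file>` that greps the output for SC_ERR_AHO_CORASICK.

```shell
#!/bin/sh
# Added example (not from the bug report): bisect a rules file to isolate the
# smallest subset that still triggers a fatal startup error.
# CHECK_CMD is a hypothetical command/function: it takes a rules file and
# exits 0 when Suricata starts cleanly with it, non-zero otherwise (e.g. a
# wrapper around "suricata -T -c suricata.yaml -S <file>" that greps for
# SC_ERR_AHO_CORASICK in the output).
set -u

# bisect_rules RULES_FILE CHECK_CMD OUT_FILE
# Halves the failing set while one half still fails on its own. Stops when a
# single rule is left, or when neither half fails alone (the failure needs
# rules from both halves, as MPM grouping problems can), and writes the
# remaining subset to OUT_FILE.
bisect_rules() {
    rules=$1; check=$2; out=$3
    work=$(mktemp)
    # drop blank and comment lines so line counts match rule counts
    awk 'NF && $1 !~ /^#/' "$rules" > "$work"
    while :; do
        n=$(wc -l < "$work" | tr -d ' ')
        [ "$n" -le 1 ] && break
        half=$(( (n + 1) / 2 ))
        a=$(mktemp); b=$(mktemp)
        head -n "$half" "$work" > "$a"
        tail -n +"$((half + 1))" "$work" > "$b"
        if ! "$check" "$a"; then
            mv "$a" "$work"; rm -f "$b"        # first half alone still fails
        elif ! "$check" "$b"; then
            mv "$b" "$work"; rm -f "$a"        # second half alone still fails
        else
            rm -f "$a" "$b"; break              # needs rules from both halves
        fi
    done
    mv "$work" "$out"
}
```

When the script stops with more than one rule left, the failure depends on the combination, so the remaining file is the test case to attach to a report rather than a single culprit.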

#2

Updated by Stian Bergseth almost 4 years ago

From suricata.yaml

detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: single
  - inspection-recursion-limit: 3000

mpm-algo: ac

#3

Updated by Victor Julien almost 4 years ago

  • Target version set to TBD

This will be hard to figure out without a proper testcase.

#4

Updated by Andreas Herz almost 4 years ago

  • Assignee set to OISF Dev

#5

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

#6

Updated by Victor Julien over 2 years ago

  • Target version deleted (TBD)