Bug #2251
closedSuricata won't start - SC_ERR_AHO_CORASICK
Description
When starting Suricata it fails after parsing signatures.
# /usr/bin/suricata --af-packet -c /etc/suricata/suricata.yaml
25/10/2017 -- 09:30:40 - <Notice> - This is Suricata version 3.2.3 RELEASE
25/10/2017 -- 09:30:40 - <Info> - CPUs/cores online: 48
25/10/2017 -- 09:30:40 - <Info> - HTTP memcap: 8589934592
25/10/2017 -- 09:30:40 - <Info> - Found an MTU of 9170 for 'eno49'
25/10/2017 -- 09:30:40 - <Info> - Found an MTU of 9170 for 'eno49'
25/10/2017 -- 09:31:00 - <Info> - 1 rule files processed. 39866 rules successfully loaded, 0 rules failed
25/10/2017 -- 09:31:01 - <Info> - 39868 signatures processed. 6 are IP-only rules, 15387 are inspecting packet payload, 28503 inspect application layer, 0 are decoder event only
25/10/2017 -- 09:31:09 - <Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - StateQueue behaving weirdly. Fatal Error. Exiting. Please file a bug report on this
Some general info about the system:
@suricata --build-info
This is Suricata version 3.2.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-11), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yesLibmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Libnet support: yesSuricatasc install: yesProfiling enabled: no
Profiling locks enabled: noDevelopment settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /varHost: x86_64-redhat-linux-gnu
Compiler: gcc -std=gnu99 (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
@This is on CentOS Linux release 7.4
Updated by Stian Bergseth over 6 years ago
This is with a mix of ET open/pro signatures, VRT signatures and some custom made signatures.
Tried upgrading to 3.2.4 with no success.
After removing 1000 signatures it works again, all of them was "FILE-IDENTIFY" signatures.
Updated by Stian Bergseth over 6 years ago
From suricata.yaml
detect-engine:
- profile: custom
- custom-values:
toclient-src-groups: 200
toclient-dst-groups: 200
toclient-sp-groups: 200
toclient-dp-groups: 300
toserver-src-groups: 200
toserver-dst-groups: 400
toserver-sp-groups: 200
toserver-dp-groups: 200
- sgh-mpm-context: single
- inspection-recursion-limit: 3000
mpm-algo: ac
Updated by Victor Julien over 6 years ago
- Target version set to TBD
This will be hard to figure out without a proper testcase.
Updated by Andreas Herz almost 6 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs