Project

General

Profile

Actions

Bug #284

closed

HOME NET variable problem

Added by Peter Manev over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If you supply more than four (4) subnets or hosts at the HOME NET variable in the yaml config - Suricata goes through normal starting process and suddenly just quits/stops without any error reporting.


Files

HOME_NET.png (286 KB) HOME_NET.png HOME_NET: "[10.0.0.49,10.0.0.4,10.0.0.39,10.0.0.36,10.0.0.35]" Peter Manev, 04/19/2011 01:57 PM
HOME_NET2.png (246 KB) HOME_NET2.png HOME_NET: "[10.0.0.49/32,10.0.0.4/32,10.0.0.39/32,10.0.0.36/32,10.0.0.35/32]" Peter Manev, 04/19/2011 01:57 PM
suricata.yaml (17.1 KB) suricata.yaml yaml conf Peter Manev, 04/19/2011 01:57 PM
Actions #1

Updated by Victor Julien over 13 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.1beta3
  • Estimated time set to 4.00 h

@Peter Pan, can you paste a snippet from your suricata.yaml that can be used to reproduce the issue?

@Anoop, can you have a look at whats happening?

Actions #2

Updated by Chris Wakelin over 13 years ago

I have 5 subnets in my working config, but one is IPv6

Actions #3

Updated by Anoop Saldanha over 13 years ago

Victor Julien wrote:

@Peter Pan, can you paste a snippet from your suricata.yaml that can be used to reproduce the issue?

@Anoop, can you have a look at whats happening?

cool.

@Peter Pan Can you paste your HOME_NET or the entire address-group section?

Actions #4

Updated by Peter Manev over 13 years ago

Sure,
@Anoop - Will do.
@Chris Graf - Can you try (if possible of course)with 5 IPv4 subnets and see if you have the same issue when you start/restart Suricata, because I had that issue on both Debian and Ubuntu.

Actions #5

Updated by Chris Wakelin over 13 years ago

5 IPv4 subnets seems to work as well (with one /16, two /24s, one /22 and 10.0.0.0/8; no IPv6 and no hosts).

Updated by Peter Manev over 13 years ago

Hello,

I have attached a couple of screen shots and my yaml config.
given 5 hosts - suricata just quits with no error msg after "....stage 2: building source address list... complete."

About 20-30 seconds before Suricata quits it consumes 100% CPU resources.

Actions #7

Updated by Peter Manev over 13 years ago

I just found out that the issue (my previuos msg) is only present if the EXTERNAL_NET variable is set to "any".
If it is set to !$HOME_NET - Suricata works fine.

Actions #8

Updated by Chris Wakelin over 13 years ago

My EXTERNAL_NET is set to Any, and it still works for me!

Actions #9

Updated by Peter Manev over 13 years ago

Mine still does not - I have 5 hosts for the HOME_NET variable and EXTERNAL__NET is set to "any" - it hangs and it quits.
I have attached my yaml which is basically a default yaml with just these variables changed... I am not sure what could possibly be the issue here.

Actions #10

Updated by Chris Wakelin over 13 years ago

One difference I can see is I'm trying latest git version (so more or less 1.1beta2) and I'm using Ubuntu 10.04 64-bit not 10.10 32-bit (which it seems you are?). Could it be an issue in 1.0.x or a 32/64-bit issue?

Actions #11

Updated by Anoop Saldanha over 13 years ago

@Peter Pan

Works fine with your yaml with both master and master-1.0.x.

Checked your snapshots. It looks like the engine was killed. The OS killed it, probably because the engine consumed too much memory. The mpm you are using is b2g, which is memory hungry(comfortably hits 2gigs), while your ram's around 1.5gig with 600mb swap). Increase your memory to around 3gigs or change your mpm to "ac" and it should work fine.

Actions #12

Updated by Peter Manev over 13 years ago

  • Status changed from Assigned to Closed

Isolated case, not a bug.

Actions

Also available in: Atom PDF