Bug #2898: Adding solution to Bug #2251
Status: closed
Description
Adding a solution to the issue with subscription rulesets such as Emerging Threats Pro (ETPRO) signatures and Suricata 3.x versions.
[ERRCODE: SC_ERR_AHO_CORASICK(174)] - StateQueue behaving weirdly. Fatal Error. Exiting.
A customer is still running 3.2.1 on CentOS 6.x hardware, due in part to funding, and is slowly replacing it with Suricata 4.1.x and a new OS.
However, last week an ETPRO update triggered the issue described in https://redmine.openinfosecfoundation.org/issues/2251
This appears to be a sub-engine failure with the detect-engine and the mpm (multi-pattern module) pattern algorithm chosen.
Comparing the Suricata 3.x and 4.x code changes, it appears that several of the algorithms are no longer present in 4.x, which may be part of the problem.
The change to our yaml file is below, though we are also actively replacing the 3.x sensors with 4.x sensors as a permanent solution.
The fix is a change to the sub-engine component used for pattern analysis (the detect-engine algorithm): changing the option "sgh-mpm-context" from 'full' to 'auto' allows the legacy 3.2.1 instances to continue running.
Edited the suricata.yaml file with the following changes.
In the original paste the '#' comment markers appeared as '/*', because the inline code editor changes a pound symbol at the start of a line into a number.

# ISSUE configuration
detect:
  profile: custom
  custom-values:
    toclient-groups: 30
    toserver-groups: 150
  sgh-mpm-context: full
  inspection-recursion-limit: 3000

# Fix configuration
# Disable all of the above, then add:
detect-engine:
  - profile: custom
  - custom-values:
      # toclient-src-groups: 200
      # toclient-dst-groups: 200
      # toclient-sp-groups: 200
      # toclient-dp-groups: 300
      # toserver-src-groups: 200
      # toserver-dst-groups: 400
      # toserver-sp-groups: 200
      # toserver-dp-groups: 250
      toclient-groups: 30
      toserver-groups: 150
  - sgh-mpm-context: auto
      # Appears to be the cause of the error
      # CHANGED from 'auto' to 'full' like above
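The report describes the same setting in two spellings of the config file: the 4.x-style "detect:" mapping and the legacy "detect-engine:" list form, with "sgh-mpm-context: full" as the trigger and "auto" as the workaround. The following is an added example, not code from the report or from the Suricata project, for auditing a fleet of mixed-version sensors offline: it scans suricata.yaml text for the active sgh-mpm-context key under either section, ignores commented-out copies, and flags 'full'. The two embedded fragments are constructed from the configuration above; the scanner is a deliberately narrow line matcher rather than a YAML parser, so it does not need PyYAML but also only understands this one key.

```python
import re

# Constructed sample input: the two fragments from this report, the 4.x-style
# "detect:" mapping that triggered the error and the legacy "detect-engine:"
# list form used as the workaround. Not taken from a live sensor.
ISSUE_YAML = """\
detect:
  profile: custom
  custom-values:
    toclient-groups: 30
    toserver-groups: 150
  sgh-mpm-context: full
  inspection-recursion-limit: 3000
"""

FIX_YAML = """\
detect-engine:
  - profile: custom
  - custom-values:
      # toclient-src-groups: 200
      toclient-groups: 30
      toserver-groups: 150
  - sgh-mpm-context: auto
"""

# Matches "sgh-mpm-context: <value>" whether it is a plain mapping entry
# ("  sgh-mpm-context: full") or a legacy list item ("  - sgh-mpm-context: auto").
SETTING_RE = re.compile(r"^\s*(?:-\s*)?sgh-mpm-context:\s*([^\s#]+)")
# A key at column 0 starts a new top-level section (detect / detect-engine / ...).
TOP_LEVEL_RE = re.compile(r"^([A-Za-z0-9_-]+):")


def find_sgh_mpm_context(yaml_text):
    """Return [(section, value, line_no)] for every active sgh-mpm-context key.

    Commented-out keys are skipped. 'section' is the top-level key the setting
    sits under: 'detect' for the 4.x mapping form, 'detect-engine' for the
    legacy 3.x list form.
    """
    hits = []
    section = None
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        top = TOP_LEVEL_RE.match(line)
        if top:
            section = top.group(1)
        m = SETTING_RE.match(line)
        if m:
            hits.append((section, m.group(1).strip("'\""), line_no))
    return hits


def uses_full_context(yaml_text):
    """True if any active sgh-mpm-context key is set to 'full', the value the
    report associates with the SC_ERR_AHO_CORASICK StateQueue fatal error."""
    return any(value == "full" for _section, value, _line in find_sgh_mpm_context(yaml_text))


if __name__ == "__main__":
    for name, text in (("issue", ISSUE_YAML), ("fix", FIX_YAML)):
        for section, value, line_no in find_sgh_mpm_context(text):
            flag = "  <-- change to auto" if value == "full" else ""
            print(f"{name}: line {line_no}: {section}.sgh-mpm-context = {value}{flag}")
```

To audit real files, read each sensor's suricata.yaml into a string and pass it to uses_full_context(). On a host where the binary is installed, `suricata --dump-config -c /etc/suricata/suricata.yaml` prints the configuration as Suricata actually parsed it, which is the authoritative check when a file contains both section styles or includes other files; the script above is only for scanning copies offline.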