Bug #3091

closed

Suricata crashes with payload-buffer-size more than 1014kb

Added by Ivan Ivanov over 5 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal

Description

Hello, please check this.
Suricata crashes with option "payload-buffer-size" more than 1014kb.
And in this case "payload" in eve.json and unified2-alert is empty.
Checked on 4.1.0, 4.1.1


Files

build_info.txt (3.52 KB), Ivan Ivanov, 07/27/2019 11:41 PM
suricata_1015kb_2059kb.yaml (71.2 KB), Ivan Ivanov, 07/27/2019 11:51 PM

Related issues 1 (0 open, 1 closed)

Related to Suricata - Feature #4550: pthreads: set minimum stack size (Closed, Jeff Lucovsky)
Actions #1

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket
  • Target version set to Support

Can you give us more details about your setup?
I couldn't reproduce it.

Actions #2

Updated by Ivan Ivanov over 5 years ago

I found the following, if I set the parameter:
stream:
  depth: 2059kb - or more, it reproduces.
payload-buffer-size: 1015kb

And there is another strange thing, if I set for example:
stream:
  depth: 32mb
and payload-buffer-size: 1014kb
I get in "payload" in eve.json and unified2-alert a much bigger part of the traffic than in the previous case.

Actions #3

Updated by Peter Manev over 5 years ago

Thank you for the feedback!
Same issue on 4.1 and git I suppose?

Actions #4

Updated by Andreas Herz over 5 years ago

I still can't reproduce it, can you post more details about your system/setup and attach the suricata.yaml and maybe add suricata --build-info as well?

Updated by Ivan Ivanov over 5 years ago

OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
There are suricata.yaml and suricata --build-info in attached files.
Suricata: https://www.openinfosecfoundation.org/download/windows/Suricata-4.1.4-1-64bit.msi
npcap-0.99-r7.exe (md5: 26f0298ba70add3494b934230033b251)

Actions #6

Updated by Andreas Herz over 5 years ago

Ah that's on Windows, whole different story then and the windows folks need to jump in.

Actions #7

Updated by Peter Manev over 5 years ago

Just a sanity check @Ivan - is this the MSI pkg or a local compile?

Actions #9

Updated by Victor Julien over 5 years ago

Wonder if this could be related to a limited stack size.

Actions #10

Updated by Peter Manev about 5 years ago

I could not reproduce the same with Suricata 4.1.4 on Windows 2016 Standard Server and on Win 10 Enterprise.
In my case Suricata starts and inspects traffic ok it seems. Does it only trigger the crash on actual alert/buffer logging/print or at start up in your case?

Actions #11

Updated by Andreas Herz almost 3 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions #12

Updated by Victor Julien almost 3 years ago

  • Related to Feature #4550: pthreads: set minimum stack size added