Bug #3091
closedSuricata crashes with payload-buffer-size more than 1014kb
Description
Hello, please check this.
Suricata crashes with option "payload-buffer-size" more than 1014kb.
And in this case "payload" in eve.json and unified2-alert is empty.
Checked on 4.1.0, 4.1.1
Files
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
- Assignee set to Community Ticket
- Target version set to Support
Can you give us more details about your setup?
I couldn't reproduce it.
Updated by Ivan Ivanov over 5 years ago
I found the following, if I set the parameter:
stream:
depth: 2059kb - or more it reproduces.
payload-buffer-size: 1015kb
And there are another strange thing, if I set for example:
stream:
depth: 32mb
and payload-buffer-size: 1014kb
I get in "payload" in eve.json and unified2-alert much bigger part of thaffic, than previous case.
Updated by Peter Manev over 5 years ago
Thank you for the feedback!
Same issue on 4.1 and git I suppose?
Updated by Andreas Herz over 5 years ago
I still can't reproduce it, can you post more details about your system/setup and attach the suricata.yaml and maybe add suricata --build-info as well?
Updated by Ivan Ivanov over 5 years ago
- File build_info.txt build_info.txt added
- File suricata_1015kb_2059kb.yaml suricata_1015kb_2059kb.yaml added
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
There are suricata.yaml and suricata --build-info in attached files.
Suricata: https://www.openinfosecfoundation.org/download/windows/Suricata-4.1.4-1-64bit.msi
npcap-0.99-r7.exe (md5: 26f0298ba70add3494b934230033b251)
Updated by Andreas Herz over 5 years ago
Ah that's on Windows, whole different story then and the windows folks need to jump in.
Updated by Peter Manev over 5 years ago
Just a sanity check @ Ivan - is this the MSI pkg or local compile ?
Updated by Ivan Ivanov over 5 years ago
Updated by Victor Julien over 5 years ago
Wonder if this could be related to a limited stack size.
Updated by Peter Manev over 5 years ago
I could not reproduce the same with Suricata 4.1.4 on Windows 2016 Standard Server and on Win 10 Enterprise.
In my case Suricata starts and inspects traffic ok it seems. Does it only trigger the crash on actual alert/buffer logging/print or at start up in your case?
Updated by Andreas Herz almost 3 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
Updated by Victor Julien almost 3 years ago
- Related to Feature #4550: pthreads: set minimum stack size added