Bug #3096
closedrandom failures on sip and http-evader suricata-verify tests
Added by Victor Julien over 6 years ago. Updated about 6 years ago.
Description
every couple of travis builds there seems to be a random failure in one of the http-evader tests that goes away by simply restarting the job.
VJ Updated by Victor Julien over 6 years ago Actions #1
- Status changed from New to Assigned
- Assignee set to Philippe Antoine
- Target version set to TBD
Philippe, can you see if this is something specific to the evader tests and if it can be reproduced locally?
PA Updated by Philippe Antoine over 6 years ago Actions #2
Can you point me to one failed Travis build because of this ?
I did not find one in https://travis-ci.org/OISF/suricata/builds
PA Updated by Philippe Antoine over 6 years ago Actions #3
Hmm... I got one for http-evader-306
https://travis-ci.org/catenacyber/suricata/jobs/563954182
===> http-evader-305: OK
===> http-evader-306: Sub test #1: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 1, 'event_type': 'alert'}}
Sub test #2: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 2, 'event_type': 'alert'}}
Sub test #3: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'http.hostname': 'evader.example.com', 'http.http_method': 'GET', 'event_type': 'fileinfo', 'fileinfo.filename': 'eicar.txt'}}
===> http-evader-307: OK
PA Updated by Philippe Antoine over 6 years ago Actions #4
This might be related :
https://travis-ci.org/OISF/suricata/jobs/593933093
===> show-help: OK
===> sip-method: Sub test #1: FAIL : expected 36 matches; got 35 for filter {'count': 36, 'match': {'event_type': 'alert'}}
===> sip-protocol: OK
That is not http evader, but maybe this is a bug of suricata-verify, and that comes more often with http-evader tests since these are the majority of the run tests
VJ Updated by Victor Julien over 6 years ago Actions #5
Maybe, but in my own QA I see the sip failures a lot, http-evader failures seldom, and no other test fail. So I'm inclined to think the sip tests (or suricata sip code) has a different issue.
PA Updated by Philippe Antoine over 6 years ago Actions #6
Victor, could you tell me which http-evader tests fail in your own QA ?
VJ Updated by Victor Julien over 6 years ago Actions #7
I haven't kept a list. Will make a note for future failures.
PA Updated by Philippe Antoine over 6 years ago Actions #8
Got a new one : https://travis-ci.org/catenacyber/suricata/jobs/604848050?utm_medium=notification&utm_source=email
===> http-evader-492: OK
3204===> http-evader-493: Sub test #1: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 1, 'event_type': 'alert'}}
3205Sub test #2: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 2, 'event_type': 'alert'}}
3206Sub test #3: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'http.hostname': 'evader.example.com', 'http.http_method': 'GET', 'event_type': 'fileinfo', 'fileinfo.filename': 'eicar.txt'}}
3207===> http-evader-494: OK
PA Updated by Philippe Antoine over 6 years ago Actions #9
Should we get stdout/stderr from failed run tests in Travis ?
So we can debug this flaky behavior...
PA Updated by Philippe Antoine about 6 years ago Actions #10
- Status changed from Assigned to In Review
VJ Updated by Victor Julien about 6 years ago Actions #11
I'm seeing these issues a lot less frequent. In fact, can't remember the last time one of the http tests failed. I do occasionally see one of the sip tests fail, (almost?) always on arm64 it seems.
PA Updated by Philippe Antoine about 6 years ago Actions #12
I did not see a http test fail recently.
Though, some random failure will happen some time and we will want more debug information.
So https://github.com/OISF/suricata-verify/pull/161 is still useful even if this redmine ticket title is not entirely accurate
VJ Updated by Victor Julien about 6 years ago Actions #13
Philippe Antoine wrote in #note-12:
Though, some random failure will happen some time and we will want more debug information.
So https://github.com/OISF/suricata-verify/pull/161 is still useful even if this redmine ticket title is not entirely accurate
Agreed.
VJ Updated by Victor Julien about 6 years ago Actions #14
- Status changed from In Review to Assigned
- Assignee changed from Philippe Antoine to Victor Julien
- Priority changed from Normal to High
- Target version changed from TBD to 6.0.0beta1
- Label Needs backport added
I've identified a corner case where at the start of processing a pcap, flows may get evicted from the flow hash too early. On slower hardware this is more likely to happen. I've been able to fairly reliably reproduce this with the sip tests on a small arm64 device. Working on a fix.
VJ Updated by Victor Julien about 6 years ago Actions #15
- Subject changed from random failures on http-evader suricata-verify tests to random failures on sip and http-evader suricata-verify tests
VJ Updated by Victor Julien about 6 years ago Actions #16
- Status changed from Assigned to Closed
- Priority changed from High to Normal
JL Updated by Jeff Lucovsky about 6 years ago Actions #17
- Copied to Bug #3581: random failures on sip and http-evader suricata-verify tests added
JL Updated by Jeff Lucovsky about 6 years ago Actions #18
- Copied to Bug #3582: random failures on sip and http-evader suricata-verify tests added