Bug #3353
openxdp_filter segmentation fault util-ebpf.c:728
Description
Hi
I followed https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html to run Suricata with xdp_filter; it appears that when there are existing flows in the map flow_table_v4, starting Suricata results in a segmentation fault.
# bpftool map list id 9
9: percpu_hash  name flow_table_v4  flags 0x0
	key 16B  value 16B  max_entries 32768  memlock 19660800B
# bpftool map dump id 9 | tail -36
key: 0a 08 08 09 0a 08 08 08 14 51 93 7a 01 00 00 00
value (CPU 00): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 01): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 02): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 03): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 04): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 05): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 06): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 07): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 08): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 09): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 10): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 11): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 12): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 13): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 14): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 15): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 16): 80 88 01 02 00 00 00 00 bd f1 e1 4e 2c 7f 00 00
value (CPU 17): 61 18 7e 00 00 00 00 00 18 00 00 00 30 00 00 00
value (CPU 18): 80 a7 6a 41 2c 7f 00 00 10 00 00 00 30 00 00 00
value (CPU 19): 50 a7 6a 41 2c 7f 00 00 90 a6 6a 41 2c 7f 00 00
value (CPU 20): 83 00 00 85 08 00 00 00 80 88 01 02 00 00 00 00
value (CPU 21): a0 c2 17 4f 2c 7f 00 00 80 92 01 02 00 00 00 00
value (CPU 22): 00 00 00 00 00 00 00 00 18 00 00 00 30 00 00 00
value (CPU 23): d0 a7 6a 41 2c 7f 00 00 10 a7 6a 41 2c 7f 00 00
value (CPU 24): 00 00 00 00 00 00 00 00 58 21 7d 00 00 00 00 00
value (CPU 25): 08 00 00 00 00 00 00 00 80 88 01 02 00 00 00 00
value (CPU 26): a0 c2 17 4f 2c 7f 00 00 e8 fa 36 04 2c 7f 00 00
value (CPU 27): 0d 9d 01 00 00 00 00 00 54 dd 2c 04 2c 7f 00 00
value (CPU 28): 65 97 01 00 00 00 00 00 d0 81 5c 00 00 00 00 00
value (CPU 29): a8 05 00 00 00 00 00 00 e0 a9 6a 41 2c 7f 00 00
value (CPU 30): b0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00
value (CPU 31): 06 00 00 00 00 00 00 00 90 b2 6a 41 2c 7f 00 00
Found 12 elements
# gdb --args suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from suricata...done.
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /usr/bin/suricata.
Use `info auto-load python-scripts [REGEXP]' to list them.
(gdb) run
Starting program: /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.1-dev (0824b0413 2019-11-02) running in SYSTEM mode
[29505] 20/11/2019 -- 19:41:06 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[29505] 20/11/2019 -- 19:41:06 - (util-device.c:286) <Config> (LiveBuildDeviceListCustom) -- Adding interface enp4s0f0 from config file
[29505] 20/11/2019 -- 19:41:06 - (util-device.c:286) <Config> (LiveBuildDeviceListCustom) -- Adding interface enp4s0f1 from config file
[29505] 20/11/2019 -- 19:41:06 - (app-layer-htp.c:2442) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 31402 and 'request-body-inspect-window' set to 4108 after randomization.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-htp.c:2460) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 41416 and 'response-body-inspect-window' set to 16938 after randomization.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-smb.c:344) <Config> (RegisterSMBParsers) -- SMB stream depth: 0
[29505] 20/11/2019 -- 19:41:06 - (app-layer-modbus.c:1523) <Config> (RegisterModbusParsers) -- Protocol detection and parser disabled for modbus protocol.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-enip.c:422) <Config> (RegisterENIPUDPParsers) -- Protocol detection and parser disabled for enip protocol.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-dnp3.c:1626) <Config> (RegisterDNP3Parsers) -- Protocol detection and parser disabled for DNP3.
[29505] 20/11/2019 -- 19:41:06 - (host.c:254) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[29505] 20/11/2019 -- 19:41:06 - (host.c:277) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[29505] 20/11/2019 -- 19:41:06 - (host.c:279) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[29505] 20/11/2019 -- 19:41:06 - (util-coredump-config.c:149) <Config> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:2648) <Info> (PostDeviceFinalizedSetup) -- AF_PACKET: Setting IPS mode
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:248) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:273) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 160
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:280) <Config> (DefragInitConfig) -- defrag memory usage: 14155616 bytes, maximum: 33554432
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:399) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:418) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:424) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:430) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:447) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:475) <Config> (StreamTcpInitConfig) -- stream."inline": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:488) <Config> (StreamTcpInitConfig) -- stream "bypass": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:510) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:532) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:550) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:626) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2468
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:628) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2663
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:640) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp-reassemble.c:373) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'anomaly'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'http'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[29505] 20/11/2019 -- 19:41:06 - (output-json-dns.c:540) <Config> (JsonDnsParseVersion) -- eve-log dns version not set, defaulting to version 2
[29505] 20/11/2019 -- 19:41:06 - (output-json-dns.c:540) <Config> (JsonDnsParseVersion) -- eve-log dns version not set, defaulting to version 2
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tls'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'files'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smtp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ftp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'nfs'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smb'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tftp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ikev2'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'krb5'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'snmp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dhcp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ssh'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'stats'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:2468) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[29505] 20/11/2019 -- 19:41:06 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:1969) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: ac, SPM: bm
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2368) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2392) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist (default) 53, 135, 5060
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2420) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[29505] 20/11/2019 -- 19:41:06 - (reputation.c:607) <Config> (SRepInit) -- IP reputation disabled
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-loader.c:249) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/suricata.rules
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 23913 rules successfully loaded, 0 rules failed
[29505] 20/11/2019 -- 19:41:08 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 23917 signatures processed. 1053 are IP-only rules, 5092 are inspecting packet payload, 17505 inspect application layer, 103 are decoder event only
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1419) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- TCP toserver: 41 port groups, 35 unique SGH's, 6 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- UDP toserver: 41 port groups, 36 unique SGH's, 5 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1005) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1042) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-build.c:1784) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 109
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 28
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 20
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 28
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 21
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 36
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 15
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri (http)": 9
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body (http)": 4
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header (http)": 8
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header (http)": 8
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header_names (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_len (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http.server (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_start (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method (http)": 3
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent (http)": 6
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 4
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 3
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_issuer (tls)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_subject (tls)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_serial (tls)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh.proto (ssh)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient ssh.proto (ssh)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smtp)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smb)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (smb)": 5
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:272) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enp4s0f0->enp4s0f1
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp4s0f0)
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:391) <Config> (ParseAFPConfig) -- Using pinned maps on iface enp4s0f0
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp4s0f0)
[29505] 20/11/2019 -- 19:41:18 - (util-ebpf.c:324) <Info> (EBPFLoadFile) -- Loaded pinned maps, will use already loaded eBPF filter
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:528) <Info> (ParseAFPConfig) -- Loaded pinned maps from sysfs
[29505] 20/11/2019 -- 19:41:18 - (util-ioctl.c:767) <Info> (GetIfaceRSSQueuesNum) -- Found 16 RX RSS queues for 'enp4s0f0'
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:637) <Perf> (ParseAFPConfig) -- 16 RSS queues, so using 16 threads
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:643) <Perf> (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface enp4s0f0
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:700) <Config> (ParseAFPConfig) -- enp4s0f0: enabling zero copy mode by using data release call
[29505] 20/11/2019 -- 19:41:19 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[New Thread 0x7ffff42f4700 (LWP 29510)]
[New Thread 0x7ffff3af3700 (LWP 29511)]
[New Thread 0x7ffff32f2700 (LWP 29512)]
[New Thread 0x7ffff2af1700 (LWP 29513)]
[New Thread 0x7ffff22f0700 (LWP 29514)]
[New Thread 0x7ffff1aef700 (LWP 29515)]
[New Thread 0x7ffff12ee700 (LWP 29516)]
[New Thread 0x7ffff0aed700 (LWP 29517)]
[New Thread 0x7ffff02ec700 (LWP 29518)]
[New Thread 0x7fffefaeb700 (LWP 29519)]
[New Thread 0x7fffef2ea700 (LWP 29520)]
[New Thread 0x7fffe957d700 (LWP 29521)]
[New Thread 0x7fffe8d7c700 (LWP 29522)]
[New Thread 0x7fffb3fff700 (LWP 29523)]
[New Thread 0x7fffb37fe700 (LWP 29524)]
[New Thread 0x7fffb2ffd700 (LWP 29525)]
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:272) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enp4s0f1->enp4s0f0
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp4s0f1)
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:391) <Config> (ParseAFPConfig) -- Using pinned maps on iface enp4s0f1
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp4s0f1)
[29505] 20/11/2019 -- 19:41:19 - (util-ebpf.c:324) <Info> (EBPFLoadFile) -- Loaded pinned maps, will use already loaded eBPF filter
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:528) <Info>
(ParseAFPConfig) -- Loaded pinned maps from sysfs [29505] 20/11/2019 -- 19:41:19 - (util-ioctl.c:767) <Info> (GetIfaceRSSQueuesNum) -- Found 16 RX RSS queues for 'enp4s0f1' [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:637) <Perf> (ParseAFPConfig) -- 16 RSS queues, so using 16 threads [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:643) <Perf> (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface enp4s0f1 [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:700) <Config> (ParseAFPConfig) -- enp4s0f1: enabling zero copy mode by using data release call [29505] 20/11/2019 -- 19:41:19 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s) [New Thread 0x7fffb27fc700 (LWP 29526)] [29526] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29526] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb1ffb700 (LWP 29527)] [29527] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29527] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb17fa700 (LWP 29528)] [29528] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29528] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb0ff9700 (LWP 29529)] [29529] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29529] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff93fff700 (LWP 29530)] [29530] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29530] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found 
an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff937fe700 (LWP 29531)] [29531] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29531] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff92ffd700 (LWP 29532)] [29532] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29532] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff927fc700 (LWP 29533)] [29533] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29533] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff91ffb700 (LWP 29534)] [29534] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29534] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff917fa700 (LWP 29535)] [29535] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29535] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff90ff9700 (LWP 29536)] [29536] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29536] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff73fff700 (LWP 29537)] [29537] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29537] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff737fe700 (LWP 29538)] [29538] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found 
an MTU of 1500 for 'enp4s0f1' [29538] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff72ffd700 (LWP 29539)] [29539] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29539] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff727fc700 (LWP 29540)] [29540] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29540] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff71ffb700 (LWP 29541)] [29541] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29541] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [29505] 20/11/2019 -- 19:41:19 - (flow-manager.c:893) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads [New Thread 0x7fff717fa700 (LWP 29542)] [29505] 20/11/2019 -- 19:41:19 - (flow-manager.c:1054) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads [New Thread 0x7fff70ff9700 (LWP 29543)] [New Thread 0x7fff53fff700 (LWP 29544)] [New Thread 0x7fff537fe700 (LWP 29545)] Thread 36 "FB" received signal SIGSEGV, Segmentation fault. 
[Switching to Thread 0x7fff53fff700 (LWP 29544)]
0x0000000000883b08 in EBPFForEachFlowV4Table (th_v=0x82eaec0, dev=0x13543d0, name=0xfa1c27 "flow_table_v4", ctime=0x7fff53ffcb08, tcfg=0x36e90f0, EBPFOpFlowForKey=0x883f30 <EBPFCreateFlowForKey>) at util-ebpf.c:728
728         pkts_cnt += BPF_PERCPU(values_array, i).packets;
(gdb) bt
#0  0x0000000000883b08 in EBPFForEachFlowV4Table (th_v=0x82eaec0, dev=0x13543d0, name=0xfa1c27 "flow_table_v4", ctime=0x7fff53ffcb08, tcfg=0x36e90f0, EBPFOpFlowForKey=0x883f30 <EBPFCreateFlowForKey>) at util-ebpf.c:728
#1  0x0000000000883534 in EBPFCheckBypassedFlowCreate (th_v=0x82eaec0, curtime=0x7fff53ffcb08, data=0x36e90f0) at util-ebpf.c:908
#2  0x00000000006b0fdd in BypassedFlowManager (th_v=0x82eaec0, thread_data=0x7fff4c000b20) at flow-bypass.c:80
#3  0x0000000000841a48 in TmThreadsManagement (td=0x82eaec0) at tm-threads.c:706
#4  0x00007ffff695f6db in start_thread (arg=0x7fff53fff700) at pthread_create.c:463
#5  0x00007ffff5dc388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
here is my suricata.yaml
af-packet:
  - interface: enp4s0f0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f1
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
  - interface: enp4s0f1
    threads: auto
    cluster-id: 100
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f0
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
This is on Ubuntu 18.04.03, kernel 5.0.0-36-generic; please let me know what other information you need.
Updated by Vincent Li about 5 years ago
It appears values_array is 0x0:
(gdb) f
#0  0x0000000000883b08 in EBPFForEachFlowV4Table (th_v=0x82eaec0, dev=0x13543d0, name=0xfa1c27 "flow_table_v4", ctime=0x7fff53ffcb08, tcfg=0x36e90f0, EBPFOpFlowForKey=0x883f30 <EBPFCreateFlowForKey>) at util-ebpf.c:728
728         pkts_cnt += BPF_PERCPU(values_array, i).packets;
(gdb) info locals
bytes_cnt = 0
pkts_cnt = 0
flow_key = {src = {family = 0 '\000', address = {address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, address_un_data8 = '\000' <repeats 15 times>, address_un_in6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, dst = {family = 0 '\000', address = {address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, address_un_data8 = '\000' <repeats 15 times>, address_un_in6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, sp = 0, dp = 0, proto = 0 '\000', recursion_level = 0 '\000', vlan_id = {0, 0}}
values_array = 0x0
res = 0
flowstats = {count = 0, packets = 0, bytes = 0}
mapfd = 7
key = {src = 0, dst = 0, {ports = 0, port16 = {0, 0}}, ip_proto = 0 '\000', vlan0 = 0, vlan1 = 0}
next_key = {src = 134744074, dst = 151521290, {ports = 1360321188, port16 = {55972, 20756}}, ip_proto = 1 '\001', vlan0 = 0, vlan1 = 0}
found = 0
i = 0
hash_cnt = 1
dead_flow = false
Updated by Eric Leblond about 5 years ago
- Assignee set to Eric Leblond
- Target version set to 5.0.1
If I got it correctly, you are running an unmodified version of the xdp_filter (no custom define inside)?
Updated by Eric Leblond about 5 years ago
I did just test in IDS mode (and XDP soft mode) and it seems to behave correctly.
Vincent, could you give it a try in XDP soft mode (and IDS mode only)?
Updated by Vincent Li about 5 years ago
Here is the only change I made to xdp_filter.c:
diff --git a/ebpf/xdp_filter.c b/ebpf/xdp_filter.c index 9ef2d92f7..d1bee8e13 100644 --- a/ebpf/xdp_filter.c +++ b/ebpf/xdp_filter.c @@ -58,7 +58,7 @@ /* no vlan tracking: set it to 0 if you don't use VLAN for tracking. Can * also be used as workaround of some hardware offload issue */ -#define VLAN_TRACKING 1 +#define VLAN_TRACKING 0 struct vlan_hdr { __u16 h_vlan_TCI;
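Review bot: the flip of `#define VLAN_TRACKING` from 1 to 0 carries no reason, while the comment directly above it limits 0 to setups that don't use VLANs for tracking or to working around a hardware offload issue; state which case applies, in the commit message or in that comment. Because this is a local edit to the eBPF program, the filter under test is no longer the unmodified build asked about in the previous comment, so the crash should also be confirmed with the stock define before this change is kept.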
I am still new to Suricata. How do I test in IDS mode? Just change the copy-mode to ids?
af-packet:
  - interface: enp4s0f0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f1
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
  - interface: enp4s0f1
    threads: auto
    cluster-id: 100
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f0
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
Updated by Vincent Li about 5 years ago
I tested in xdp-mode soft and in IPS mode, still same issue.
Since values_array = 0x0 in the stack trace, it appears the bpf_map_lookup_elem call below did not populate values_array in src/util-ebpf.c:
BPF_DECLARE_PERCPU(struct pair, values_array, tcfg->cpus_count);
memset(values_array, 0, sizeof(values_array));
int res = bpf_map_lookup_elem(mapfd, &next_key, values_array);
if (res < 0) {
    SCLogDebug("no entry in v4 table for %d -> %d", key.port16[0], key.port16[1]);
    key = next_key;
    continue;
}
for (i = 0; i < tcfg->cpus_count; i++) {
    /* let's start accumulating value so we can compute the counters */
    SCLogDebug("%d: Adding pkts %lu bytes %lu", i,
            BPF_PERCPU(values_array, i).packets,
            BPF_PERCPU(values_array, i).bytes);
    pkts_cnt += BPF_PERCPU(values_array, i).packets;
    bytes_cnt += BPF_PERCPU(values_array, i).bytes;
}
and bpf_map_lookup_elem appears to come from ebpf/bpf_helpers.h:
static void *(*bpf_map_lookup_elem)(void *map, void *key) = (void *) BPF_FUNC_map_lookup_elem;
I also noticed there is a bpf_map_lookup_elem in libbpf src/bpf.c:
int bpf_map_lookup_elem(int fd, const void *key, void *value)
{
    union bpf_attr attr;

    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = ptr_to_u64(key);
    attr.value = ptr_to_u64(value);

    return sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}
Are the bpf_map_lookup_elem in bpf_helpers.h and libbpf src/bpf.c the same? If not, which one is called?
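Added illustration of the per-CPU accumulation the loop above performs, written for this page and not taken from Suricata or libbpf: the value buffer a percpu_hash lookup owes the kernel (one slot per possible CPU, each rounded up to 8 bytes) and a summing routine that refuses a NULL or empty buffer instead of dereferencing it, which is the state the backtrace shows. `struct pair` as two 64-bit counters and the 4-CPU sample buffer are assumptions; the real libbpf `bpf_map_lookup_elem()` is replaced by a constructed buffer so the code runs without a kernel map.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of one flow_table_v4 value: two 64-bit counters. */
struct pair {
    uint64_t packets;
    uint64_t bytes;
};

/* Per-CPU maps: the kernel copies one value per possible CPU into the
 * caller's buffer, each slot rounded up to a multiple of 8 bytes. */
static size_t percpu_slot_size(size_t value_size)
{
    return (value_size + 7) & ~(size_t)7;
}

/* Minimum buffer a lookup on a per-CPU map needs for ncpus possible CPUs. */
static size_t percpu_buffer_size(size_t value_size, unsigned ncpus)
{
    return percpu_slot_size(value_size) * ncpus;
}

/* Sum the per-CPU slots into one total. A NULL or empty buffer (the
 * values_array = 0x0 seen in the backtrace) is reported, not dereferenced. */
static bool sum_percpu_pairs(const void *values, unsigned ncpus, struct pair *out)
{
    if (values == NULL || ncpus == 0 || out == NULL)
        return false;
    const unsigned char *base = values;
    size_t slot = percpu_slot_size(sizeof(struct pair));
    struct pair acc = {0, 0};
    for (unsigned i = 0; i < ncpus; i++) {
        struct pair v;
        memcpy(&v, base + i * slot, sizeof v);   /* slot i belongs to CPU i */
        acc.packets += v.packets;
        acc.bytes += v.bytes;
    }
    *out = acc;
    return true;
}

/* Constructed stand-in for what bpf_map_lookup_elem() would copy out for one
 * key: ncpus possible CPUs, traffic counted on CPUs 1 and 3 only (ncpus >= 4).
 * The caller frees the result. */
static void *fake_percpu_lookup(unsigned ncpus)
{
    size_t slot = percpu_slot_size(sizeof(struct pair));
    unsigned char *buf = calloc(1, percpu_buffer_size(sizeof(struct pair), ncpus));
    if (buf == NULL || ncpus < 4)
        return buf;
    struct pair c1 = {10, 15000}, c3 = {5, 7500};
    memcpy(buf + 1 * slot, &c1, sizeof c1);
    memcpy(buf + 3 * slot, &c3, sizeof c3);
    return buf;
}
```

With 16 RSS queues as in the log above, a 16-byte value needs a 256-byte buffer for a 16-CPU box; sizing it from the map's actual CPU count rather than the thread count is what keeps the accumulation loop inside the buffer.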
Updated by Vincent Li about 5 years ago
Probably I did not make it clear; the conditions to reproduce the issue are:
1, af-packet IPS mode
2, bypass is set to true in af-packet mode
3, xdp_filter attached
4, generate traffic by iperf3 to pass through suricata to create bypassed flows in flow_table_v4 map
5, restart suricata with above 4 conditions
so IDS mode will not apply here
Updated by Victor Julien about 5 years ago
- Target version changed from 5.0.1 to 5.0.2
Updated by Victor Julien almost 5 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
Updated by Victor Julien almost 5 years ago
- Target version changed from 5.0.2 to 5.0.3
Updated by Victor Julien over 4 years ago
- Target version changed from 5.0.3 to TBD
Updated by Eric Leblond almost 4 years ago
I tried to reproduce that and failed (using git from 2020/12/27).
Vincent Li wrote in #note-6:
Probably I did not make it clear; the conditions to reproduce the issue are:
1, af-packet IPS mode
2, bypass is set to true in af-packet mode
3, xdp_filter attached
4, generate traffic by iperf3 to pass through suricata to create bypassed flows in flow_table_v4 map
5, restart suricata with above 4 conditions
so IDS mode will not apply here
Updated by Victor Julien about 2 years ago
- Status changed from Assigned to New
- Assignee changed from Eric Leblond to Community Ticket
- Priority changed from High to Normal