Support #3484
Status: Closed
Suricata restart/reload/quit creates a 2GB core/core.xxxx file in the root directory
Description
Suricata 5.0.2 Ubuntu PPA
af-packet IPS mode
runmode : workers/autofp
Ubuntu 18.04.4/20.04-dev
Whenever Suricata is restarted, reloaded or quit, a 2GB file named core or core.xxxx (where xxxx is numeric, possibly the PID) is created in the root directory.
How to avoid this?
Updated by Andreas Herz almost 5 years ago
What does the coredump look like? It shouldn't dump the core unless there is an issue.
Updated by Samiux A almost 5 years ago
Suricata is running smoothly and working properly. However, when the Suricata rules reload, a core/core.xxxx file is created in the / directory. Suricata is running with root:root rights.
Updated by Samiux A almost 5 years ago
One of my custom rule files caused the problem, even though there is no error when the rules are reloaded.
The custom rule file in question is disabled and the problem is gone.
Please close this thread, thanks.
Updated by Peter Manev almost 5 years ago
It should not segfault on reload.
Can you share a reproducible case (custom rules) ?
Updated by Samiux A almost 5 years ago
I did not do any further tests on the rules file. I suspect the following caused the problem. Mine is af-packet IPS mode.
drop http $HOME_NET any <> 87.106.37.146 8080 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/230238982BSBYKDDH938473938HDUI33/index.php";http_uri;classtype:targeted-activity;sid:2221032;rev:1;)
drop http $HOME_NET any <> 45.79.223.161 443 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/09FGR20HEU738LDF007E848F715BVE.php";http_uri;classtype:targeted-activity;sid:2221033;rev:1;)
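Peter asks for a reproducible case. The following is an added example (not code from this thread or from the Suricata project) that narrows a custom rules file down to the rule or rules whose loading reproduces a failure, using a delta-debugging style reduction driven by a probe callable. The real probe assumes a `suricata` binary on PATH and a config path of your choosing, and runs `suricata -T -S <candidate.rules> -c <config>`; the `demo()` function uses constructed sample rules and a mocked probe so it runs offline.

```python
"""Reduce a Suricata rules file to the rule(s) that trigger a failure.
Added example for this thread, not code from the Suricata project."""
import subprocess
import tempfile
from typing import Callable, List

# Constructed sample rules; sid:9000003 stands in for the offending rule.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample 1"; content:"GET"; http_method; sid:9000001; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample 2"; content:"POST"; http_method; sid:9000002; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample 3"; content:"/x.php"; http_uri; sid:9000003; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample 4"; content:"/y.php"; http_uri; sid:9000004; rev:1;)',
]

def bisect_rules(rules: List[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Delta-debugging style reduction: drop chunks of rules while the failure
    still reproduces. Returns [] if the full set does not reproduce it."""
    if not fails(rules):
        return []
    n = 2  # number of chunks to split the current set into
    while len(rules) >= 2:
        size = -(-len(rules) // n)  # ceiling division
        for start in range(0, len(rules), size):
            rest = rules[:start] + rules[start + size:]
            if rest and fails(rest):
                rules, n = rest, max(n - 1, 2)  # shrink, retry at same granularity
                break
        else:
            if n >= len(rules):  # single-rule removals already tried
                break
            n = min(len(rules), n * 2)  # refine the split
    return rules

def suricata_test_probe(config: str, binary: str = "suricata") -> Callable[[List[str]], bool]:
    """Probe running 'suricata -T -S <tmp.rules> -c <config>' (-T: test config
    and rule loading; -S: load only that rules file). Paths are assumptions."""
    def probe(rules: List[str]) -> bool:
        with tempfile.NamedTemporaryFile("w", suffix=".rules", delete=False) as f:
            f.write("\n".join(rules) + "\n")
        res = subprocess.run([binary, "-T", "-S", f.name, "-c", config],
                             capture_output=True)
        return res.returncode != 0  # non-zero exit (incl. a crash) = reproduces
    return probe

def demo() -> List[str]:
    """Offline run with a mocked probe that 'fails' on sid:9000003."""
    return bisect_rules(SAMPLE_RULES, lambda rs: any("sid:9000003" in r for r in rs))
```

Note that `-T` only exercises rule loading at startup; a crash that appears only on a live reload needs a probe that loads the candidate set into a running instance (for example by triggering a rule reload with SIGUSR2) and then checks for a fresh core file.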
Updated by Andreas Herz almost 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs