Support #3484

Suricata restart/reload/quit create 2GB core/core.xxxx file at root directory

Added by Samiux A almost 5 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Suricata 5.0.2 Ubuntu PPA
af-packet IPS mode
runmode : workers/autofp
Ubuntu 18.04.4/20.04-dev

Whenever Suricata is restarted, reloaded or quit, a 2GB file named core or core.xxxx (where xxxx is numeric, possibly the PID) is created in the root directory.

How to avoid this?

Actions #1

Updated by Andreas Herz over 4 years ago

What does the core dump look like? It shouldn't dump core unless there is an issue.

Actions #2

Updated by Samiux A over 4 years ago

Suricata is running smoothly and working properly. However, when the Suricata rules are reloaded, a core/core.xxxx file is created in the / directory. Suricata is running with root:root rights.
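Andreas asks in #1 what the core dump looks like, and #2 establishes that it is a core/core.xxxx file written by a root Suricata on rule reload. As an added example (not from this thread and not Suricata project code), the script below confirms that such a file really is an ELF core and pulls the dumping process's comm name, PID and command line out of the kernel's NT_PRPSINFO note, so the file can be tied to the Suricata PID and the reload time in suricata.log before anyone opens 2 GB in gdb. It assumes an x86_64 (ELF64, little-endian) core and the x86_64 layout of struct elf_prpsinfo; the sample core it builds for itself is constructed for illustration, not captured from a real crash.

```python
"""Check whether a stray core / core.<pid> file is an ELF core dump and, if
so, which process produced it, by reading the NT_PRPSINFO note the kernel
writes into every Linux core.  Added example for this thread; not Suricata
code.  Assumes an x86_64 (ELF64, little-endian) core and the x86_64 layout of
struct elf_prpsinfo: pr_pid at byte 24, pr_fname at 40, pr_psargs at 56,
136 bytes in total."""
import mmap
import struct
import sys

ET_CORE = 4        # e_type of a core file
PT_NOTE = 4        # program header carrying ELF notes
NT_PRPSINFO = 3    # note type for struct elf_prpsinfo, note name "CORE"
EM_X86_64 = 62


def iter_notes(blob):
    """Yield (name, type, desc) for every Elf64_Nhdr-framed note in blob."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, n_type = struct.unpack_from("<III", blob, off)
        off += 12
        name = bytes(blob[off:off + namesz]).rstrip(b"\0")
        desc_off = (off + namesz + 3) & ~3          # name is padded to 4 bytes
        yield name, n_type, bytes(blob[desc_off:desc_off + descsz])
        off = (desc_off + descsz + 3) & ~3          # desc is padded to 4 bytes


def parse_core(data):
    """Return {'is_core', 'fname', 'pid', 'psargs'} for an ELF64 LE core image."""
    info = {"is_core": False, "fname": None, "pid": None, "psargs": None}
    if len(data) < 64 or bytes(data[:4]) != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return info                                 # not ELF64 little-endian at all
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    if e_type != ET_CORE:
        return info                                 # an ELF file, but not a core dump
    info["is_core"] = True
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = \
            struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        for name, n_type, desc in iter_notes(data[p_offset:p_offset + p_filesz]):
            if name == b"CORE" and n_type == NT_PRPSINFO and len(desc) >= 136:
                info["pid"] = struct.unpack_from("<i", desc, 24)[0]
                info["fname"] = desc[40:56].split(b"\0", 1)[0].decode("ascii", "replace")
                info["psargs"] = desc[56:136].split(b"\0", 1)[0].decode("ascii", "replace")
                return info
    return info


def build_sample_core(fname, pid, psargs):
    """Constructed test input: a minimal ELF64 core holding only an NT_PRPSINFO note."""
    prpsinfo = bytearray(136)
    prpsinfo[0:2] = b"RR"                            # pr_state / pr_sname: running
    struct.pack_into("<ii", prpsinfo, 24, pid, 1)    # pr_pid, pr_ppid
    prpsinfo[40:40 + len(fname)] = fname             # pr_fname: comm, under 16 bytes
    prpsinfo[56:56 + len(psargs)] = psargs           # pr_psargs: cmdline, under 80 bytes
    name = b"CORE\0"
    note = (struct.pack("<III", len(name), len(prpsinfo), NT_PRPSINFO)
            + name.ljust(8, b"\0") + bytes(prpsinfo))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)     # ELF64, LSB, version 1, SYSV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_CORE, EM_X86_64, 1, 0, 64, 0, 0,
                        64, 56, 1, 0, 0, 0)             # one phdr right after the header
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 64 + 56, 0, 0, len(note), 0, 1)
    return ehdr + phdr + note


if __name__ == "__main__":
    # Usage: python3 core_info.py /core.12345  (mmap avoids reading 2 GB into memory)
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        print(parse_core(m))
```

A pr_fname of `Suricata-Main` with a PID matching the running daemon is the case Peter asks for a reproducer of below; a different name means some other process is dumping into `/`. The file lands in `/` because the default `kernel.core_pattern` value `core` is relative to the dumping process's working directory, and `kernel.core_uses_pid=1` appends the PID, which is what produces `core.xxxx`. The 2 GB size is just the daemon's mapped memory and says nothing about what crashed; `gdb /usr/bin/suricata /core.xxxx` followed by `bt` gives the backtrace the developers need.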

Actions #3

Updated by Samiux A over 4 years ago

One of my custom rule files caused the problem, even though there is no error when the rules are reloaded.

The custom rule file in question is disabled and the problem is gone.

Please close this thread, thanks.

Actions #4

Updated by Peter Manev over 4 years ago

It should not segfault on reload.
Can you share a reproducible case (custom rules) ?

Actions #5

Updated by Samiux A over 4 years ago

I did not do further testing on the rules file. I suspect the following caused the problem. Mine is af-packet IPS mode.

  1. https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
  2. sid:2221032-3

drop http $HOME_NET any <> 87.106.37.146 8080 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/230238982BSBYKDDH938473938HDUI33/index.php";http_uri;classtype:targeted-activity;sid:2221032;rev:1;)

drop http $HOME_NET any <> 45.79.223.161 443 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/09FGR20HEU738LDF007E848F715BVE.php";http_uri;classtype:targeted-activity;sid:2221033;rev:1;)

Actions #6

Updated by Andreas Herz almost 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
