Support #3484
closed
Suricata restart/reload/quit create 2GB core/core.xxxx file at root directory
Added by Samiux A almost 5 years ago.
Updated almost 3 years ago.
Description
Suricata 5.0.2 Ubuntu PPA
af-packet IPS mode
runmode : workers/autofp
Ubuntu 18.04.4/20.04-dev
Whenever Suricata is restarted, reloaded or quit, a 2GB file named core or core.xxxx (where xxxx is numeric, possibly the pid) is created in the root directory.
How to avoid this?
What does the coredump look like? It shouldn't dump core unless there is an issue.
Suricata is running smoothly and working properly. However, when the Suricata rules are reloaded, a core/core.xxxx file is created in the / directory. Suricata is running with root:root rights.
One of my custom rule files caused the problem, even though there is no error when the rules are reloaded.
The custom rule file in question is disabled and the problem is gone.
Please close this thread, thanks.
It should not segfault on reload.
Can you share a reproducible case (custom rules)?
I did not do any further testing on the rules file. I suspect the following caused the problem. Mine is af-packet IPS mode.
- https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
- sid:2221032-3
drop http $HOME_NET any <> 87.106.37.146 8080 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/230238982BSBYKDDH938473938HDUI33/index.php";http_uri;classtype:targeted-activity;sid:2221032;rev:1;)
drop http $HOME_NET any <> 45.79.223.161 443 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/09FGR20HEU738LDF007E848F715BVE.php";http_uri;classtype:targeted-activity;sid:2221033;rev:1;)
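Added example (not from the reporter or the Suricata project): a small parser for rules in the format quoted above that pre-checks a rule file for structural problems (unparseable header, unknown action, missing or duplicate sid) before the file is handed to a live reload. The two rule lines are copied from the post; the parser, its checks and the helper names are assumptions of this example.

```python
import re
# The two rules quoted in the report above, embedded verbatim so the example runs offline.
RULES_TEXT = r'''
drop http $HOME_NET any <> 87.106.37.146 8080 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/230238982BSBYKDDH938473938HDUI33/index.php";http_uri;classtype:targeted-activity;sid:2221032;rev:1;)
drop http $HOME_NET any <> 45.79.223.161 443 (msg: "BDS BACKDOOR Emotet Wi-Fi spreader likely";content:"POST";http_method;content:"/09FGR20HEU738LDF007E848F715BVE.php";http_uri;classtype:targeted-activity;sid:2221033;rev:1;)
'''
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def split_options(body):
    # Split the option body on ';' while respecting quoted values and backslash escapes.
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif quoted and ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip()); cur = []
        else:
            quoted ^= (ch == '"')
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + ([tail] if tail else [])

def parse_rule(line):
    # Header fields plus (name, value) option pairs; None when the header does not parse.
    m = HEADER.match(line.strip())
    if not m: return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [(n.strip(), v.strip().strip('"') if v else None)
               for n, _, v in (o.partition(":") for o in split_options(body))]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def lint_rules(text):
    # Returns (parsed rules, problems); problems are structural issues to fix before a live reload.
    parsed, problems, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"): continue  # blank or comment
        rule = parse_rule(line)
        if rule is None: problems.append(f"line {n}: header does not parse"); continue
        opts = dict(rule["options"])  # option name -> value (last occurrence wins)
        if rule["action"] not in ACTIONS: problems.append(f"line {n}: unknown action {rule['action']!r}")
        sid = opts.get("sid") or ""
        if not sid.isdigit(): problems.append(f"line {n}: missing or non-numeric sid")
        elif sid in seen: problems.append(f"line {n}: duplicate sid {sid}")
        seen.add(sid)
        parsed.append(rule)
    return parsed, problems
```

Run `lint_rules` over a rule file and refuse the reload when the problem list is not empty; it catches only structural mistakes, so a rule that parses cleanly but still misbehaves at reload time (as reported here) needs the engine's own test mode.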
- Status changed from New to Closed