<p>Open Information Security Foundation</p>
<p><strong>Suricata - Bug #407: Suricata crashes</strong></p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2012-01-28T11:48:35Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1539">journal 1539</a></p>
<p>Hi,<br />Would you please provide the following:<br />1. pcap - or at least a link towards the pcap, if available (the smaller the better, as long as we can reproduce the issue)<br />2. suricata.yaml<br />3. The way you use/start suricata (like, do you use pfring, nfqueue...)<br />4. I assume we are talking about <a class="external" href="http://ictf.cs.ucsb.edu/index.php">http://ictf.cs.ucsb.edu/index.php</a> - correct?</p>
<p>Thank you</p>
<p><strong>Giovanni Tedaldi</strong> (t3ddy1988@gmail.com), 2012-01-29T02:50:43Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1540">journal 1540</a></p>
<p>1. It's a 23Gb archive and I've had to tcprewrite them to add an ethernet layer: <a class="external" href="http://ictf.cs.ucsb.edu/data/ictf2010/ictf2010pcap.tar.gz">http://ictf.cs.ucsb.edu/data/ictf2010/ictf2010pcap.tar.gz</a><br />2. <a class="external" href="http://pastebin.com/1V6jGyss">http://pastebin.com/1V6jGyss</a><br />3. <code>suricata -c /etc/suricata/suricata.yaml -i vmnet1</code></p>
<p>To make the problem appear sooner I use the -t flag in tcpreplay.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2012-01-29T03:05:15Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1541">journal 1541</a></p>
<p>Ok,</p>
<p>When you did the tcprewrite of L2, what exactly did you rewrite: VLAN, src/dst MAC addresses?</p>
<p>Thanks</p>
<p><strong>Giovanni Tedaldi</strong> (t3ddy1988@gmail.com), 2012-01-29T03:20:51Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1542">journal 1542</a></p>
<p>I've used: <code>tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i $i -o $o.pcap</code><br />Since the original DLT is raw and it was giving me trouble.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2012-01-29T03:24:19Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1543">journal 1543</a></p>
<p>Hi Giovanni,</p>
<p>I will try to reproduce the issue and get back to you.</p>
<p>Thanks</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2012-01-30T09:45:58Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1552">journal 1552</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Peter Manev</i></li><li><strong>Target version</strong> set to <i>1.3beta1</i></li><li><strong>Estimated time</strong> set to <i>4.00 h</i></li></ul>
<p><strong>Giovanni Tedaldi</strong> (t3ddy1988@gmail.com), 2012-02-03T10:08:18Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1569">journal 1569</a></p>
<p>I've compiled suricata with --enable-debug and, this time, I also remembered to add the option !strip.<br />Here's the backtrace:</p>
<pre>
#0  0x00007f0eb6459be4 in __memcpy_ssse3_back () from /lib/libc.so.6
#1  0x0000000000525cb7 in FileDataAlloc ()
#2  0x00000000005272c4 in FileOpenFile ()
#3  0x000000000058ee5c in HTPFileOpen ()
#4  0x000000000058a0a0 in HtpRequestBodyHandleMultipart ()
#5  0x000000000058bddb in HTPCallbackRequestBodyData ()
#6  0x00007f0eb75e0507 in hook_run_all (hook=0x52b0af0, data=0x7f0eb49cd710) at hooks.c:136
#7  0x00007f0eb75e5eb4 in htp_connp_REQ_BODY_IDENTITY (connp=0x7f0e2290c3d0) at htp_request.c:239
#8  0x00007f0eb75e6f21 in htp_connp_req_data (connp=0x7f0e2290c3d0, timestamp=&lt;optimized out&gt;, data=&lt;optimized out&gt;, len=&lt;optimized out&gt;) at htp_request.c:839
#9  0x00000000005885cd in HTPHandleRequestData ()
#10 0x000000000057a882 in AppLayerDoParse ()
#11 0x000000000057f852 in AppLayerParse ()
#12 0x000000000057790f in AppLayerHandleTCPData ()
#13 0x0000000000560ed1 in StreamTcpReassembleAppLayer.isra.7 ()
#14 0x0000000000562afd in StreamTcpReassembleHandleSegmentUpdateACK ()
#15 0x000000000056830f in StreamTcpReassembleHandleSegment ()
#16 0x000000000054d661 in StreamTcpPacketStateEstablished ()
#17 0x000000000055952c in StreamTcpPacket ()
#18 0x000000000055b128 in StreamTcp ()
#19 0x0000000000529655 in TmThreadsSlotVarRun ()
#20 0x000000000052c2b3 in TmThreadsSlotVar ()
#21 0x00007f0eb6b4ee7a in start_thread () from /lib/libpthread.so.0
#22 0x00007f0eb640fb7d in clone () from /lib/libc.so.6
#23 0x0000000000000000 in ?? ()
</pre>
<p>I hope it helps.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2012-02-03T10:14:46Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1570">journal 1570</a></p>
<p>Hi,<br />Any particular pcap number that you have the crash on? Have you noticed?</p>
<p>thanks</p>
<p><strong>Giovanni Tedaldi</strong> (t3ddy1988@gmail.com), 2012-02-03T10:44:50Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1571">journal 1571</a></p>
<p>I've made a few tests.<br />It seems to be 6.pcap; the original name (the one it had before tcprewriting) should be ictf2010.pcap6.</p>
<p><strong>Giovanni Tedaldi</strong> (t3ddy1988@gmail.com), 2012-02-03T12:04:39Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1572">journal 1572</a></p>
<p>Using <code>sudo tcpreplay -t -L 369350 -i vmnet1 6.pcap</code> makes suricata crash, while <code>sudo tcpreplay -t -L 369300 -i vmnet1 6.pcap</code> doesn't.<br />Although using only those 50 packets doesn't crash suricata, so I guess it's a mix of speed and packets, a sort of lethal mix.</p>
<p><strong>Anoop Saldanha</strong> (anoopsaldanha@gmail.com), 2012-03-02T09:20:24Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1594">journal 1594</a></p>
<p>Hey Giovanni,</p>
<p>The issue has been fixed in the latest master.</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2012-03-02T10:33:18Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1596">journal 1596</a></p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Resolved</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2012-03-14T05:03:23Z, <a href="https://redmine.openinfosecfoundation.org/issues/407?journal_id=1601">journal 1601</a></p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>
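<p>The two manual steps in this thread, checking whether a capture needs an Ethernet layer added before replay (the tcprewrite step in journal 1542) and narrowing the tcpreplay -L packet count that triggers the crash while allowing for the timing dependence noted in journal 1572, as an added Python example that is not from the bug report or from the Suricata project. The pcap headers it checks are constructed samples; tcpreplay_probe is a hypothetical probe that assumes tcpreplay is installed and a suricata process is running locally.</p>

```python
# Added example, not code from the bug thread or the Suricata project.
import struct
import subprocess

# pcap global-header magics (classic and nanosecond) mapped to struct byte order
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
               b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101   # raw IP as written by current libpcap
DLT_RAW_LEGACY = 12  # older captures stored the platform DLT_RAW value

def pcap_linktype(header: bytes) -> int:
    """Link-layer type from the 24-byte pcap global header."""
    if len(header) < 24:
        raise ValueError("not a pcap global header")
    if header[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file: convert with editcap before tcprewrite")
    order = PCAP_MAGICS.get(header[:4])
    if order is None:
        raise ValueError("unknown pcap magic %r" % header[:4])
    # fields: version_major, version_minor, thiszone, sigfigs, snaplen, network
    return struct.unpack(order + "HHiIII", header[4:24])[5]

def needs_enet_rewrite(header: bytes) -> bool:
    """True when the capture has no Ethernet layer (the reporter's case)."""
    return pcap_linktype(header) in (LINKTYPE_RAW, DLT_RAW_LEGACY)

def make_pcap_header(linktype: int, little_endian: bool = True) -> bytes:
    """Constructed sample header for offline testing, snaplen 65535."""
    order = "<" if little_endian else ">"
    magic = b"\xd4\xc3\xb2\xa1" if little_endian else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, linktype)

def bisect_crash_limit(lo: int, hi: int, crashes, trials: int = 3) -> int:
    """Smallest tcpreplay -L value in (lo, hi] that crashes, given that lo
    does not and hi does. Each candidate is probed `trials` times because
    the trigger is timing dependent (the report needed -t plus a count)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if any(crashes(mid) for _ in range(trials)):
            hi = mid
        else:
            lo = mid
    return hi

def tcpreplay_probe(pcap: str, iface: str, limit: int) -> bool:
    """Hypothetical probe: replay `limit` packets at top speed and report
    whether the sensor process disappeared. Not exercised by the tests."""
    subprocess.run(["tcpreplay", "-t", "-L", str(limit), "-i", iface, pcap], check=True)
    return subprocess.run(["pgrep", "-x", "suricata"]).returncode != 0
```

<p>With the thread's bounds, <code>bisect_crash_limit(369300, 369350, lambda n: tcpreplay_probe("6.pcap", "vmnet1", n))</code> returns the first count that reproduces the crash; restart the sensor inside the probe between runs.</p>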