Bug #4109

closed

mac address logging crash

Added by Jan Hugo Prins over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty: medium
Label:

Description

context:
I have 3 servers running both Zeek and Suricata using a zbalance_ipc setup.
To make this work I compiled Suricata with pfring support and installed the pfring_zc drivers on the servers.
Zeek has been running like this for more than 2 years now, but Suricata has not been able to stay online more than a few hours.

Versions:
PFRing_ZC: 7.9.0-3263
Suricata: 6.0.0

suricata --build-info
This is Suricata version 6.0.0 RELEASE
Features: NFQ PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-39), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.35, linked against LibHTP v0.5.35

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: yes
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled:                     yes
Detection enabled: yes
Libmagic support:                        yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: yes
Non-bundled htp: no
Old barnyard2 support:
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Rust support:                            yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.47.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.47.0
Cargo vendor: yes
Python support:                          yes
Python path: /usr/bin/python2.7
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled:                       no
Profiling locks enabled: no
Plugin support (experimental):           yes

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix                                 /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host:                                    x86_64-redhat-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -std=gnu99 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

The error in my journal log:
idsprobe03.ids.be.nl kernel: W#01-zc:0@34145: segfault at 130 ip 0000562e96ebfc08 sp 00007f6d026c1418 error 4 in suricata[562e96c9b000+61c000]

The error in the Suricata systemd journal:
Nov 04 16:06:36 idsprobe03.ids.be.nl systemd1: : main process exited, code=killed, status=11/SEGV
Nov 04 16:06:36 idsprobe03.ids.be.nl systemd1: Unit entered failed state.
Nov 04 16:06:36 idsprobe03.ids.be.nl systemd1: failed.


Files

debug_output_core4695.txt (19.6 KB) - Jan Hugo Prins, 11/04/2020 05:55 PM
debug_output_core4697.txt (19.7 KB) - Jan Hugo Prins, 11/04/2020 05:55 PM
valgrind.log (10.8 KB) - Jan Hugo Prins, 11/05/2020 07:44 PM
weird_packet_bgp01.pcap (570 Bytes) - packets with truncated headers - Jan Hugo Prins, 11/07/2020 03:22 AM
ethernet-metadata-packet-context.patch (2.25 KB) - Sascha Steinbiss, 11/08/2020 12:03 PM
gdb_dump_core-W#01-zc_0@2-11-993-990-442-1604842672 (20 KB) - Jan Hugo Prins, 11/08/2020 03:01 PM
gdb_dump_core-W#01-11-993-990-12096-1604846259 (13.9 KB) - Jan Hugo Prins, 11/08/2020 03:01 PM
core-W#01-zc_0@2-11-993-990-442-1604842672.pcap (176 Bytes) - Jan Hugo Prins, 11/08/2020 03:01 PM
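
Added example, not part of the original report or of Suricata's code: a small decoder for the kernel "segfault at" line quoted in the description, which turns it into triage facts (access type, likely NULL dereference, instruction offset inside the mapping). It assumes x86 page-fault error-code bits and 4 KiB pages; the function and field names are illustrative.

```python
import re

# Kernel log line copied from the report above.
SAMPLE = ("idsprobe03.ids.be.nl kernel: W#01-zc:0@34145: segfault at 130 "
          "ip 0000562e96ebfc08 sp 00007f6d026c1418 error 4 in "
          "suricata[562e96c9b000+61c000]")

SEGFAULT_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<mod>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86_64 default)


def decode_segfault(line):
    """Decode an x86 Linux 'segfault at' kernel message into triage facts."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    # The kernel prints all of these fields in hexadecimal.
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    if err & 0x10:
        access = "instruction fetch"
    elif err & 0x02:
        access = "write"
    else:
        access = "read"
    result = {
        "fault_addr": addr,
        "access": access,
        "user_mode": bool(err & 0x04),
        "page_present": bool(err & 0x01),
        # A fault inside the first page usually means a field access
        # through a NULL pointer; this is a heuristic, not proof.
        "near_null": addr < PAGE_SIZE,
        "module": m["mod"],  # None when the kernel printed no mapping
        "offset": None,
    }
    if m["mod"] is not None:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            # Offset of the faulting instruction within the mapping. It equals
            # the address inside the ELF file only if the mapping starts at
            # file offset 0 (assumption).
            result["offset"] = ip - base
    return result


if __name__ == "__main__":
    info = decode_segfault(SAMPLE)
    print(info["module"], hex(info["offset"]), info["access"], hex(info["fault_addr"]))
```

Since the build info shows a position independent executable, the resulting offset rather than the raw `ip` is what a symbolizer such as `addr2line -e` needs, run against the matching binary with debug symbols.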