Bug #7611

open

Segmentation Fault When Using YAML Configuration with eve-log and stats.totals Output

Added by IDSTower Support 13 days ago. Updated 11 days ago.

Status: New
Priority: Normal

Description

I encountered a segmentation fault when running Suricata 7.0.8 in test mode with a configuration that enables eve-log JSON output with stats.totals.

Suricata version: 7.0.8 RELEASE

root@suricata-host1:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"

root@suricata-host1:~# uname -a
Linux suricata-host1 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Steps to Reproduce:

1. Create a configuration file with the following content:

%YAML 1.1
---
outputs:
  - eve-log:
      enabled: True
      filetype: regular
      filename: suricata-stats.json
      threaded: false
      types.stats.totals: yes

2. Run Suricata in test mode with this configuration:

root@suricata-host1:~# suricata -T -c /etc/suricata/cluster-config.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:~#

Expected Result:
Suricata should successfully validate the configuration without crashing.

Actual Result:
Suricata crashes with a segmentation fault after initializing the eve-log output device.


Files

crash.yaml (177 Bytes), IDSTower Support, 03/15/2025 07:24 AM
build-info.txt (4.37 KB), IDSTower Support, 03/15/2025 07:24 AM

#1

Updated by Andreas Herz 12 days ago

Could you add the full YAML file so it's easier to reproduce?

Also add `suricata --build-info`

Updated by IDSTower Support 11 days ago

Andreas Herz wrote in #note-1:

Could you add the full YAML file so it's easier to reproduce?

Also add `suricata --build-info`

Please find the requested info attached; see how to reproduce below:

root@suricata-host1:/etc/suricata# suricata -T -c /etc/suricata/crash.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:/etc/suricata#