Bug #7815

closed

Suricata 8.0.0 segfault when receiving "pcap-file-list" command

Added by Andrea De Pasquale 27 days ago. Updated 3 days ago.

Status: Closed
Priority: Normal

Description

Suricata 8.0.0 segfaults after the 2nd "pcap-file-list" command.

Running in pcap mode (no interfaces) and unix-socket enabled.

With suricata running, I can reproduce the segfault with this command:

# for x in {1..3}; do rm -rf /tmp/$x; mkdir /tmp/$x; chown suricata:suricata /tmp/$x; echo "Submitting PCAP $x"; suricatasc -c "pcap-file /recording.pcap /tmp/$x"; suricatasc -c "pcap-file-list"; suricatasc -c "pcap-current"; echo; sleep 1; done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording.pcap","return":"OK"}

Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`

Submitting PCAP 3
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`

Core dump:

(gdb) frame 0
#0  OutputTxLoggerGetActiveCount () at output-tx.c:632
632             for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
(gdb) list
627
628     static uint32_t OutputTxLoggerGetActiveCount(void)
629     {
630         uint32_t cnt = 0;
631         for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
632             for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
633                 cnt++;
634             }
635         }
636
(gdb) bt
#0  OutputTxLoggerGetActiveCount () at output-tx.c:632
#1  0x000055dc01d2ba24 in OutputSetupActiveLoggers () at output.c:907
#2  0x000055dc01d35ac2 in RunModeInitializeOutputs () at runmodes.c:946
#3  0x000055dc01c40e17 in PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2322
#4  PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2315
#5  0x000055dc01d31497 in UnixSocketPcapFilesCheck (data=0x7f8db8f39c80) at runmode-unix-socket.c:546
#6  0x000055dc01c4bcde in UnixCommandBackgroundTasks (this=0x55dc03939b20 <command>) at unix-manager.c:443
#7  UnixManager (th_v=0x7f8db44d6dc0, thread_data=<optimized out>) at unix-manager.c:1179
#8  0x000055dc01c4640a in TmThreadsManagement (td=0x7f8db44d6dc0) at tm-threads.c:571
#9  0x00007f8dc2247aa4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00007f8dc22d4c3c in ?? () from /lib/x86_64-linux-gnu/libc.so.6

Build info:

This is Suricata version 8.0.0 RELEASE
Features: DEBUG PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 13.3.0, C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.0

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no
  Npcap support:                           

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  GeoIP2 support:                          no
  JA3 support:                             yes
  JA4 support:                             yes
  Hyperscan support:                       no
  Hwloc support:                           no
  Libnet support:                          yes
  liblz4 support:                          no
  Landlock support:                        yes
  Systemd support:                         yes

  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.75.0 (82e1608df 2023-12-21) (built from a source tarball)
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.75.0

  Python support:                          yes
  Python path:                             /opt/venv/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Plugins:
  nDPI:                                    no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    yes
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
  PCAP_CFLAGS                              -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/libnl3 
  SECCFLAGS 


Files

suricata.yaml (10.1 KB), Andrea De Pasquale, 07/16/2025 02:46 PM

#1

Updated by Andrea De Pasquale 27 days ago

With this patch, the segfault can be avoided. Not sure it's an appropriate fix though.

diff --git a/src/output-tx.c b/src/output-tx.c
index b5a1852fa..d6a50eba2 100644
--- a/src/output-tx.c
+++ b/src/output-tx.c
@@ -627,6 +627,10 @@ static TmEcode OutputTxLogThreadDeinit(ThreadVars *tv, void *thread_data)

 static uint32_t OutputTxLoggerGetActiveCount(void)
 {
+    if (list == NULL) {
+        return 0;
+    }
+
     uint32_t cnt = 0;
     for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
         for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
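
Review bot: the `list == NULL` early return at the top of OutputTxLoggerGetActiveCount() stops the dereference at output-tx.c:632, but nothing in the hunk explains when `list` is allowed to be NULL. The backtrace reaches this function from UnixSocketPcapFilesCheck() through RunModeInitializeOutputs(), so returning 0 here makes OutputSetupActiveLoggers() proceed as if no tx loggers were registered for that pcap run; if loggers are expected at that point, the NULL state should be fixed where `list` is set up or torn down rather than hidden in the counter. Please add a comment stating the intended meaning of a NULL `list`, and check whether other readers of `list` in output-tx.c need the same guard.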

#2

Updated by Victor Julien 27 days ago

  • Target version changed from TBD to 8.0.1

#3

Updated by Philippe Antoine 23 days ago

  • Status changed from New to Feedback

I do not reproduce:

Running

./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol1";
./rust/target/release/suricatasc -c "pcap-file-list";
./rust/target/release/suricatasc -c "pcap-current";
sleep 1;
./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol2";
./rust/target/release/suricatasc -c "pcap-file-list";

I get

{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"domtest.pcap","return":"OK"}
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}

I think there is a bug coming from UnixSocketPcapFilesCheck, but only when we satisfy the condition if ((unix_manager_pcap_task_failed == 1) || (this->running == 1))

Could you share some verbose logs produced by Suricata when running this?

#4

Updated by Andrea De Pasquale 23 days ago

Here are the -vvv logs. If you can't repro maybe try reducing/increasing the sleep time?

Updated command using numbered pcaps for better visibility in the logs:

# for x in {1..2}; do
        rm -rf /tmp/$x
        mkdir /tmp/$x
        chown suricata:suricata /tmp/$x
        echo "Submitting PCAP $x" 
        cp /recording.pcap /recording$x.pcap
        suricatasc -c "pcap-file /recording$x.pcap /tmp/$x" 
        suricatasc -c "pcap-file-list" 
        suricatasc -c "pcap-current" 
        echo
        sleep 1
done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording1.pcap","return":"OK"}

Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`

[35] Notice: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
[35] Info: cpu: CPUs/cores online: 16
[35] Info: suricata: Setting engine mode to IDS mode by default
[35] Info: exception-policy: master exception-policy set to: auto
[35] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch)
[35] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864
[35] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864
[35] Config: smb: guid: max cache size: 1024
[35] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3.
[35] Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[35] Config: host: preallocated 1000 hosts of size 120
[35] Config: host: host memory usage: 382144 bytes, maximum: 33554432
[35] Config: coredump-config: Core dump size is unlimited.
[35] Config: landlock: Landlock is not enabled in configuration
[35] Config: suricata: Delayed detect disabled
[35] Config: detect: pattern matchers: MPM: ac, SPM: bm
[35] Config: detect: grouping: tcp-priority-ports (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[35] Config: detect: grouping: udp-priority-ports (default) 53, 135, 5060
[35] Config: detect: prefilter engines: MPM
[35] Config: reputation: IP reputation disabled
[35] Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules
[35] Info: detect: 1 rule files processed. 37324 rules successfully loaded, 0 rules failed, 0 rules skipped
[35] Info: threshold-config: Threshold config parsed: 0 rule(s) found
[35] Info: detect: 37324 signatures processed. 1 are IP-only rules, 3299 are inspecting packet payload, 33988 inspect application layer, 0 are decoder event only
[35] Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete
[35] Perf: detect: TCP toserver: 41 port groups, 41 unique SGH's, 0 copies
[35] Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[35] Perf: detect: UDP toserver: 41 port groups, 37 unique SGH's, 4 copies
[35] Perf: detect: UDP toclient: 21 port groups, 19 unique SGH's, 2 copies
[35] Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[35] Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[35] Perf: detect: Unique rule groups: 121
[35] Perf: detect: Builtin MPM "toserver TCP packet": 30
[35] Perf: detect: Builtin MPM "toclient TCP packet": 17
[35] Perf: detect: Builtin MPM "toserver TCP stream": 29
[35] Perf: detect: Builtin MPM "toclient TCP stream": 16
[35] Perf: detect: Builtin MPM "toserver UDP packet": 37
[35] Perf: detect: Builtin MPM "toclient UDP packet": 19
[35] Perf: detect: Builtin MPM "other IP packet": 3
[35] Perf: detect: AppLayer MPM "toserver http_uri (http)": 16
[35] Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 16
[35] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 16
[35] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_request_line (http)": 8
[35] Perf: detect: AppLayer MPM "toserver http_request_line (doh2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 16
[35] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 16
[35] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 16
[35] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_line (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[35] Perf: detect: AppLayer MPM "toserver http_header (http)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (http)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10
[35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10
[35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[35] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 11
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 8
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 11
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 8
[35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 11
[35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 11
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 8
[35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 11
[35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 8
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 11
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_accept (http)": 8
[35] Perf: detect: AppLayer MPM "toserver http_accept (doh2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_accept_enc (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_accept_lang (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_referer (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_connection (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_connection (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_connection (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_connection (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_content_len (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_len (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_content_type (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_type (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http.server (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http.server (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http.server (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http.location (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http.location (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_start (http)": 6
[35] Perf: detect: AppLayer MPM "toclient http_start (http)": 6
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 2
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_method (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_method (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_method (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8
[35] Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8
[35] Perf: detect: AppLayer MPM "toserver http_cookie (doh2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8
[35] Perf: detect: AppLayer MPM "toclient http_cookie (doh2)": 8
[35] Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8
[35] Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 17
[35] Perf: detect: AppLayer MPM "toserver http_user_agent (doh2)": 17
[35] Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 17
[35] Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_host (http)": 4
[35] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_host (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_host (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4
[35] Perf: detect: AppLayer MPM "toclient http_stat_code (doh2)": 4
[35] Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4
[35] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2
[35] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
[35] Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 5
[35] Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 5
[35] Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4
[35] Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4
[35] Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2
[35] Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2
[35] Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1
[35] Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 1
[35] Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2
[35] Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2
[35] Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1
[35] Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1
[35] Perf: detect: AppLayer MPM "toserver ssh_software (ssh)": 1
[35] Perf: detect: AppLayer MPM "toclient ssh_software (ssh)": 1
[35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (http)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (http)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (http)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (http)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (http)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (http)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 20
[35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2
[35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 20
[35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[35] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 4
[35] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 2
[35] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 4
[35] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
[35] Perf: detect: Pkt MPM "icmpv6.hdr": 1
[35] Perf: detect: Pkt MPM "ipv6.hdr": 1
[35] Config: tmqh-flow: AutoFP mode using "IPPair" flow load balancer
[35] Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[35] Notice: threads: Threads created ->   Engine started.

[54] Info: unix-socket: Added file '/recording1.pcap' to list
[54] Info: unix-socket: pcap-file.tenant-id not set
[54] Info: unix-socket: Starting run for '/recording1.pcap'
[54] Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: defrag-hash: allocated 3145728 bytes of memory for the defrag hash... 65536 buckets of size 48
[54] Config: defrag-hash: preallocated 65535 defrag trackers of size 144
[54] Config: defrag-hash: defrag memory usage: 12582768 bytes, maximum: 33554432
[54] Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6
[54] Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread)
[54] Config: stream-tcp: stream "memcap": 67108864
[54] Config: stream-tcp: stream "midstream" session pickups: disabled
[54] Config: stream-tcp: stream "async-oneside": disabled
[54] Config: stream-tcp: stream "checksum-validation": disabled
[54] Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: stream-tcp: stream."inline": disabled
[54] Config: stream-tcp: stream "bypass": disabled
[54] Config: stream-tcp: stream.reassembly.urgent.policy": oob
[54] Config: stream-tcp: stream.reassembly.urgent.oob-limit-policy": drop
[54] Config: stream-tcp: stream "max-syn-queued": 10
[54] Config: stream-tcp: stream "max-synack-queued": 5
[54] Config: stream-tcp: stream.reassembly "memcap": 268435456
[54] Config: stream-tcp: stream.reassembly "depth": 1048576
[54] Config: stream-tcp: stream.reassembly "toserver-chunk-size": 4096
[54] Config: stream-tcp: stream.reassembly "toclient-chunk-size": 16384
[54] Config: stream-tcp: stream.reassembly.raw: enabled
[54] Config: stream-tcp: stream.liberal-timestamps: disabled
[54] Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048
[54] Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8
[54] Config: logopenfile: Setting output to /tmp/1/eve.json non-buffered
[54] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[54] Config: runmodes: enabling 'eve-log' module 'alert'
[54] Config: runmodes: enabling 'eve-log' module 'frame'
[54] Config: runmodes: enabling 'eve-log' module 'anomaly'
[54] Config: runmodes: enabling 'eve-log' module 'http'
[54] Config: runmodes: enabling 'eve-log' module 'dns'
[54] Config: runmodes: enabling 'eve-log' module 'mdns'
[54] Config: runmodes: enabling 'eve-log' module 'tls'
[54] Config: runmodes: enabling 'eve-log' module 'files'
[54] Config: runmodes: enabling 'eve-log' module 'smtp'
[54] Config: runmodes: enabling 'eve-log' module 'websocket'
[54] Config: runmodes: enabling 'eve-log' module 'ftp'
[54] Config: runmodes: enabling 'eve-log' module 'rdp'
[54] Config: runmodes: enabling 'eve-log' module 'nfs'
[54] Config: runmodes: enabling 'eve-log' module 'smb'
[54] Config: runmodes: enabling 'eve-log' module 'tftp'
[54] Config: runmodes: enabling 'eve-log' module 'ike'
[54] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[54] Config: runmodes: enabling 'eve-log' module 'krb5'
[54] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht'
[54] Config: runmodes: enabling 'eve-log' module 'snmp'
[54] Config: runmodes: enabling 'eve-log' module 'rfb'
[54] Config: runmodes: enabling 'eve-log' module 'sip'
[54] Config: runmodes: enabling 'eve-log' module 'quic'
[54] Config: runmodes: enabling 'eve-log' module 'ldap'
[54] Config: runmodes: enabling 'eve-log' module 'pop3'
[54] Config: runmodes: enabling 'eve-log' module 'arp'
[54] Config: runmodes: enabling 'eve-log' module 'dhcp'
[54] Config: runmodes: enabling 'eve-log' module 'ssh'
[54] Config: runmodes: enabling 'eve-log' module 'mqtt'
[54] Config: runmodes: enabling 'eve-log' module 'http2'
[54] Config: runmodes: enabling 'eve-log' module 'doh2'
[54] Config: runmodes: enabling 'eve-log' module 'pgsql'
[54] Config: tmqh-flow: AutoFP mode using "IPPair" flow load balancer
[54] Info: pcap: Pcap-file will use 4194304 buffer size
[54] Config: flow-manager: using 1 flow manager threads
[54] Config: flow-manager: using 1 flow recycler threads
[54] Config: log-flush: log flusher thread not used with heartbeat.output-flush-interval of 0
[61] Info: pcap: Starting file run for /recording1.pcap
[61] Info: pcap: pcap file /recording1.pcap end of file reached (pcap err code 0)
[61] Info: unix-socket: Marking current task as done
[54] Info: unix-socket: Resetting engine state
[79] Perf: flow-manager: 0 flows processed
[61] Notice: pcap: read 1 file, 3139 packets, 2369355 bytes
[54] Perf: tmqh-flow: AutoFP - Total flow handler queues - 16
[62] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[63] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[64] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[65] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[66] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[67] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[68] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[69] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[70] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[71] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[72] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[73] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[74] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[75] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[76] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[77] Perf: detect: threshold thread cache stats: cnt:0 notinit:0 nosupport:0 miss_expired:0 miss:0 hit:0, housekeeping: checks:0, expired:0
[54] Perf: ippair: ippair memory usage: 398144 bytes, maximum: 16777216

[54] Info: unix-socket: Added file '/recording2.pcap' to list
[54] Info: unix-socket: pcap-file.tenant-id not set
[54] Info: unix-socket: Starting run for '/recording2.pcap'
[54] Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: defrag-hash: allocated 3145728 bytes of memory for the defrag hash... 65536 buckets of size 48
[54] Config: defrag-hash: preallocated 65535 defrag trackers of size 144
[54] Config: defrag-hash: defrag memory usage: 12582768 bytes, maximum: 33554432
[54] Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6
[54] Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread)
[54] Config: stream-tcp: stream "memcap": 67108864
[54] Config: stream-tcp: stream "midstream" session pickups: disabled
[54] Config: stream-tcp: stream "async-oneside": disabled
[54] Config: stream-tcp: stream "checksum-validation": disabled
[54] Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch)
[54] Config: stream-tcp: stream."inline": disabled
[54] Config: stream-tcp: stream "bypass": disabled
[54] Config: stream-tcp: stream.reassembly.urgent.policy": oob
[54] Config: stream-tcp: stream.reassembly.urgent.oob-limit-policy": drop
[54] Config: stream-tcp: stream "max-syn-queued": 10
[54] Config: stream-tcp: stream "max-synack-queued": 5
[54] Config: stream-tcp: stream.reassembly "memcap": 268435456
[54] Config: stream-tcp: stream.reassembly "depth": 1048576
[54] Config: stream-tcp: stream.reassembly "toserver-chunk-size": 4096
[54] Config: stream-tcp: stream.reassembly "toclient-chunk-size": 16384
[54] Config: stream-tcp: stream.reassembly.raw: enabled
[54] Config: stream-tcp: stream.liberal-timestamps: disabled
[54] Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048
[54] Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8
[54] Config: logopenfile: Setting output to /tmp/2/eve.json non-buffered
[54] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[54] Config: runmodes: enabling 'eve-log' module 'alert'
[54] Config: runmodes: enabling 'eve-log' module 'frame'
[54] Config: runmodes: enabling 'eve-log' module 'anomaly'
[54] Config: runmodes: enabling 'eve-log' module 'http'
[54] Config: runmodes: enabling 'eve-log' module 'dns'
[54] Config: runmodes: enabling 'eve-log' module 'mdns'
[54] Config: runmodes: enabling 'eve-log' module 'tls'
[54] Config: runmodes: enabling 'eve-log' module 'files'
[54] Config: runmodes: enabling 'eve-log' module 'smtp'
[54] Config: runmodes: enabling 'eve-log' module 'websocket'
[54] Config: runmodes: enabling 'eve-log' module 'ftp'
[54] Config: runmodes: enabling 'eve-log' module 'rdp'
[54] Config: runmodes: enabling 'eve-log' module 'nfs'
[54] Config: runmodes: enabling 'eve-log' module 'smb'
[54] Config: runmodes: enabling 'eve-log' module 'tftp'
[54] Config: runmodes: enabling 'eve-log' module 'ike'
[54] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[54] Config: runmodes: enabling 'eve-log' module 'krb5'
[54] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht'
[54] Config: runmodes: enabling 'eve-log' module 'snmp'
[54] Config: runmodes: enabling 'eve-log' module 'rfb'
[54] Config: runmodes: enabling 'eve-log' module 'sip'
[54] Config: runmodes: enabling 'eve-log' module 'quic'
[54] Config: runmodes: enabling 'eve-log' module 'ldap'
[54] Config: runmodes: enabling 'eve-log' module 'pop3'
[54] Config: runmodes: enabling 'eve-log' module 'arp'
[54] Config: runmodes: enabling 'eve-log' module 'dhcp'
[54] Config: runmodes: enabling 'eve-log' module 'ssh'
[54] Config: runmodes: enabling 'eve-log' module 'mqtt'
[54] Config: runmodes: enabling 'eve-log' module 'http2'
[54] Config: runmodes: enabling 'eve-log' module 'doh2'
[54] Config: runmodes: enabling 'eve-log' module 'pgsql'

<SIGSEGV>

[98] Notice: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
[98] Info: cpu: CPUs/cores online: 16
[98] Info: suricata: Setting engine mode to IDS mode by default
[98] Info: exception-policy: master exception-policy set to: auto
[98] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch)
[98] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864
[98] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864
[98] Config: smb: guid: max cache size: 1024
[98] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3.
[98] Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[98] Config: host: preallocated 1000 hosts of size 120
[98] Config: host: host memory usage: 382144 bytes, maximum: 33554432
[98] Config: coredump-config: Core dump size is unlimited.
[98] Config: landlock: Landlock is not enabled in configuration
[98] Config: suricata: Delayed detect disabled
[98] Config: detect: pattern matchers: MPM: ac, SPM: bm
[98] Config: detect: grouping: tcp-priority-ports (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[98] Config: detect: grouping: udp-priority-ports (default) 53, 135, 5060
[98] Config: detect: prefilter engines: MPM
[98] Config: reputation: IP reputation disabled
[98] Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules
[98] Info: detect: 1 rule files processed. 37324 rules successfully loaded, 0 rules failed, 0 rules skipped
[98] Info: threshold-config: Threshold config parsed: 0 rule(s) found
[98] Info: detect: 37324 signatures processed. 1 are IP-only rules, 3299 are inspecting packet payload, 33988 inspect application layer, 0 are decoder event only
[98] Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete
[98] Perf: detect: TCP toserver: 41 port groups, 41 unique SGH's, 0 copies
[98] Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[98] Perf: detect: UDP toserver: 41 port groups, 37 unique SGH's, 4 copies
[98] Perf: detect: UDP toclient: 21 port groups, 19 unique SGH's, 2 copies
[98] Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[98] Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[98] Perf: detect: Unique rule groups: 121
[98] Perf: detect: Builtin MPM "toserver TCP packet": 30
[98] Perf: detect: Builtin MPM "toclient TCP packet": 17
[98] Perf: detect: Builtin MPM "toserver TCP stream": 29
[98] Perf: detect: Builtin MPM "toclient TCP stream": 16
[98] Perf: detect: Builtin MPM "toserver UDP packet": 37
[98] Perf: detect: Builtin MPM "toclient UDP packet": 19
[98] Perf: detect: Builtin MPM "other IP packet": 3
[98] Perf: detect: AppLayer MPM "toserver http_uri (http)": 16
[98] Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 16
[98] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 16
[98] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_request_line (http)": 8
[98] Perf: detect: AppLayer MPM "toserver http_request_line (doh2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 16
[98] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 16
[98] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 16
[98] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_line (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[98] Perf: detect: AppLayer MPM "toserver http_header (http)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (http)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10
[98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10
[98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[98] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 11
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 8
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 11
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 8
[98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 11
[98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 11
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 8
[98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 11
[98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 8
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 11
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_accept (http)": 8
[98] Perf: detect: AppLayer MPM "toserver http_accept (doh2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_accept_enc (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_accept_lang (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_referer (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_connection (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_connection (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_connection (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_connection (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_content_len (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_len (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_content_type (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_type (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http.server (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http.server (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http.server (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http.location (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http.location (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_start (http)": 6
[98] Perf: detect: AppLayer MPM "toclient http_start (http)": 6
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 2
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_method (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_method (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_method (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8
[98] Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8
[98] Perf: detect: AppLayer MPM "toserver http_cookie (doh2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8
[98] Perf: detect: AppLayer MPM "toclient http_cookie (doh2)": 8
[98] Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8
[98] Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 17
[98] Perf: detect: AppLayer MPM "toserver http_user_agent (doh2)": 17
[98] Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 17
[98] Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_host (http)": 4
[98] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_host (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_host (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4
[98] Perf: detect: AppLayer MPM "toclient http_stat_code (doh2)": 4
[98] Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4
[98] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2
[98] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
[98] Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 5
[98] Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 5
[98] Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4
[98] Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4
[98] Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2
[98] Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2
[98] Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1
[98] Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 1
[98] Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2
[98] Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2
[98] Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1
[98] Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1
[98] Perf: detect: AppLayer MPM "toserver ssh_software (ssh)": 1
[98] Perf: detect: AppLayer MPM "toclient ssh_software (ssh)": 1
[98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (http)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (http)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (http)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (http)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (http)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (http)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 20
[98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2
[98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 20
[98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[98] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 4
[98] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 2
[98] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 4
[98] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
[98] Perf: detect: Pkt MPM "icmpv6.hdr": 1
[98] Perf: detect: Pkt MPM "ipv6.hdr": 1
[98] Config: tmqh-flow: AutoFP mode using "IPPair" flow load balancer
[98] Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[98] Notice: threads: Threads created ->   Engine started.

Actions #5

Updated by Jeff Lucovsky 22 days ago

I'm trying to reproduce the issue. Can you post the exact command line used to launch suricata?

Actions #6

Updated by Andrea De Pasquale 22 days ago

Sure. The command is:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile /tmp/suricata.pid -vvv

Actions #7

Updated by Jeff Lucovsky 22 days ago

Can you post the pcap file?

It's still not crashing for me.

Actions #8

Updated by Andrea De Pasquale 22 days ago

It's not pcap-file dependent. I tried multiple files. I can reproduce it with a PCAP containing a simple HTTP request to example.com.

Actions #9

Updated by Andrea De Pasquale 22 days ago

It may be the config file? Attaching that here

Actions #10

Updated by Jeff Lucovsky 22 days ago · Edited

I'm using this command line --

./src/suricata -c suricata.yaml -l /tmp/ll --unix-socket -S suricata.rules

suricata.rules is the ET Pro ruleset

It's not repro'ing on my setup (8.0, et/pro) and a pcap that I can't share.

I'll look at the suricata.yaml file you posted and see if there's anything causing the faults.

Actions #11

Updated by Philippe Antoine 22 days ago

What is this <SIGSEGV> in the middle of the logs? Could you run suricata with ASAN?

Actions #12

Updated by Andrea De Pasquale 21 days ago

<SIGSEGV> was just a placeholder that I added instead of a segmentation fault / core dumped message.

Here's the output of ASan. It contains pretty much the same info I posted when I opened the ticket, with perhaps some additional context on when the thread was created.

[2228521] Config: logopenfile: Setting output to /tmp/lol2/eve.json non-buffered
[2228521] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[2228521] Config: runmodes: enabling 'eve-log' module 'alert'
[2228521] Config: runmodes: enabling 'eve-log' module 'frame'
[2228521] Config: runmodes: enabling 'eve-log' module 'anomaly'
[2228521] Config: runmodes: enabling 'eve-log' module 'http'
[2228521] Config: runmodes: enabling 'eve-log' module 'dns'
[2228521] Config: runmodes: enabling 'eve-log' module 'mdns'
[2228521] Config: runmodes: enabling 'eve-log' module 'tls'
[2228521] Config: runmodes: enabling 'eve-log' module 'files'
[2228521] Config: runmodes: enabling 'eve-log' module 'smtp'
[2228521] Config: runmodes: enabling 'eve-log' module 'websocket'
[2228521] Config: runmodes: enabling 'eve-log' module 'ftp'
[2228521] Config: runmodes: enabling 'eve-log' module 'rdp'
[2228521] Config: runmodes: enabling 'eve-log' module 'nfs'
[2228521] Config: runmodes: enabling 'eve-log' module 'smb'
[2228521] Config: runmodes: enabling 'eve-log' module 'tftp'
[2228521] Config: runmodes: enabling 'eve-log' module 'ike'
[2228521] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[2228521] Config: runmodes: enabling 'eve-log' module 'krb5'
[2228521] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht'
[2228521] Config: runmodes: enabling 'eve-log' module 'snmp'
[2228521] Config: runmodes: enabling 'eve-log' module 'rfb'
[2228521] Config: runmodes: enabling 'eve-log' module 'sip'
[2228521] Config: runmodes: enabling 'eve-log' module 'quic'
[2228521] Config: runmodes: enabling 'eve-log' module 'ldap'
[2228521] Config: runmodes: enabling 'eve-log' module 'pop3'
[2228521] Config: runmodes: enabling 'eve-log' module 'arp'
[2228521] Config: runmodes: enabling 'eve-log' module 'dhcp'
[2228521] Config: runmodes: enabling 'eve-log' module 'ssh'
[2228521] Config: runmodes: enabling 'eve-log' module 'mqtt'
[2228521] Config: runmodes: enabling 'eve-log' module 'http2'
[2228521] Config: runmodes: enabling 'eve-log' module 'doh2'
[2228521] Config: runmodes: enabling 'eve-log' module 'pgsql'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2228520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f61b5624c0 bp 0x7f7a5f7d2460 sp 0x7f7a5f7d2450 T1)
==2228520==The signal is caused by a READ memory access.
==2228520==Hint: address points to the zero page.
    #0 0x55f61b5624c0 in OutputTxLoggerGetActiveCount /some/directory/OISF/suricata/src/output-tx.c
    #1 0x55f61b565d6a in OutputSetupActiveLoggers /some/directory/OISF/suricata/src/output.c:907:24
    #2 0x55f61b57c854 in RunModeInitializeOutputs /some/directory/OISF/suricata/src/runmodes.c:946:5
    #3 0x55f61b33cbe2 in PreRunPostPrivsDropInit /some/directory/OISF/suricata/src/suricata.c:2322:5
    #4 0x55f61b578dd8 in UnixSocketPcapFilesCheck /some/directory/OISF/suricata/src/runmode-unix-socket.c:546:5
    #5 0x55f61b353b82 in UnixCommandBackgroundTasks /some/directory/OISF/suricata/src/unix-manager.c:443:20
    #6 0x55f61b353b82 in UnixManager /some/directory/OISF/suricata/src/unix-manager.c:1179:9
    #7 0x55f61b34b4f7 in TmThreadsManagement /some/directory/OISF/suricata/src/tm-threads.c:571:9
    #8 0x7f7a625711f4 in start_thread nptl/./nptl/pthread_create.c:442:8
    #9 0x7f7a625f189b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /some/directory/OISF/suricata/src/output-tx.c in OutputTxLoggerGetActiveCount
Thread T1 (US) created by T0 (Suricata-Main) here:
    #0 0x55f61b2e504c in __interceptor_pthread_create (/some/directory/OISF/suricata/src/suricata+0x95a04c) (BuildId: 1796ed4efbe3fc9cab644e301fd8a71f06bc05b7)
    #1 0x55f61b3472f2 in TmThreadSpawn /some/directory/OISF/suricata/src/tm-threads.c:1745:14
    #2 0x55f61b3522e1 in UnixManagerThreadSpawn /some/directory/OISF/suricata/src/unix-manager.c:1202:9
    #3 0x55f61b573c41 in RunModeUnixSocketMaster /some/directory/OISF/suricata/src/runmode-unix-socket.c:1779:5
    #4 0x55f61b57a497 in RunModeDispatch /some/directory/OISF/suricata/src/runmodes.c:442:5
    #5 0x55f61b3402ec in SuricataInit /some/directory/OISF/suricata/src/suricata.c:3091:5
    #6 0x55f61b336984 in main /some/directory/OISF/suricata/src/main.c:57:5
    #7 0x7f7a6250f249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==2228520==ABORTING
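
For triaging reports like the one above, this sketch pulls out the fields that classify the crash: signal, access type, whether the address is in the zero page, the project frames of the crashing stack, and which thread created the faulting one. It is an added example, not part of the original ticket or of Suricata's code; the `triage` function, the `/suricata/src/` path marker and the 4 KiB page size are assumptions, and the embedded report is an excerpt of the one posted above with some frames omitted.

```python
import re

# Excerpt of the ASan report posted above (some frames omitted for brevity).
REPORT = """\
==2228520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f61b5624c0 bp 0x7f7a5f7d2460 sp 0x7f7a5f7d2450 T1)
==2228520==The signal is caused by a READ memory access.
==2228520==Hint: address points to the zero page.
    #0 0x55f61b5624c0 in OutputTxLoggerGetActiveCount /some/directory/OISF/suricata/src/output-tx.c
    #1 0x55f61b565d6a in OutputSetupActiveLoggers /some/directory/OISF/suricata/src/output.c:907:24
    #4 0x55f61b578dd8 in UnixSocketPcapFilesCheck /some/directory/OISF/suricata/src/runmode-unix-socket.c:546:5
    #8 0x7f7a625711f4 in start_thread nptl/./nptl/pthread_create.c:442:8

SUMMARY: AddressSanitizer: SEGV /some/directory/OISF/suricata/src/output-tx.c in OutputTxLoggerGetActiveCount
Thread T1 (US) created by T0 (Suricata-Main) here:
    #0 0x55f61b2e504c in __interceptor_pthread_create (/some/directory/OISF/suricata/src/suricata+0x95a04c)
    #2 0x55f61b3522e1 in UnixManagerThreadSpawn /some/directory/OISF/suricata/src/unix-manager.c:1202:9
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+) .*\b(T\d+)\)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
THREAD = re.compile(r"^Thread (T\d+) \((.*?)\) created by (T\d+) \((.*?)\)")
PAGE_SIZE = 4096  # assumption: 4 KiB pages; lower addresses are treated as NULL-based

def triage(report, project_marker="/suricata/src/"):
    out = {"crash_stack": [], "threads": {}}
    in_crash_stack = False
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["signal"], addr, out["thread"] = m.group(1), int(m.group(2), 16), m.group(3)
            out["null_deref"] = addr < PAGE_SIZE
            in_crash_stack = True
        elif m := ACCESS.search(line):
            out["access"] = m.group(1)
        elif m := THREAD.match(line):
            out["threads"][m.group(1)] = {"name": m.group(2), "parent": m.group(3)}
            in_crash_stack = False  # frames after this line describe thread creation
        elif line.startswith("SUMMARY:"):
            in_crash_stack = False
        elif in_crash_stack and (m := FRAME.match(line)):
            func, loc = m.group(2), m.group(3)
            if project_marker in loc:  # keep project frames, drop libc/runtime frames
                out["crash_stack"].append((func, loc.split(project_marker, 1)[1]))
    return out
```

On this report the result is a READ of a zero-page address on thread T1 (US), with the deepest retained project frame in the unix-socket pcap file handling.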
Actions #13

Updated by Philippe Antoine 20 days ago

I am reproducing with supplied suricata.yaml, and it is not reproducing with the default suricata.yaml

Actions #14

Updated by Philippe Antoine 20 days ago

Minimized reproducer

%YAML 1.1
---

outputs:
  - eve-log:
      enabled: true
      types:
        - alert
Actions #15

Updated by Philippe Antoine 20 days ago

Not affecting 7.0.11 (this seems due to making things dynamic in 8)

Actions #16

Updated by Philippe Antoine 20 days ago

  • Status changed from Feedback to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
Actions #17

Updated by Jason Ish 3 days ago

  • Status changed from In Review to Closed