Bug #7815 (closed)
unix-socket: segfault in "pcap-file-list" command
Description
Suricata 8.0.0 segfaults after the 2nd "pcap-file-list" command.
Running in pcap mode (no interfaces) and unix-socket enabled.
With suricata running, I can reproduce the segfault with this command:
# for x in {1..3}; do rm -rf /tmp/$x; mkdir /tmp/$x; chown suricata:suricata /tmp/$x; echo "Submitting PCAP $x"; suricatasc -c "pcap-file /recording.pcap /tmp/$x"; suricatasc -c "pcap-file-list"; suricatasc -c "pcap-current"; echo; sleep 1; done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording.pcap","return":"OK"}
Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Submitting PCAP 3
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Core dump:
(gdb) frame 0
#0 OutputTxLoggerGetActiveCount () at output-tx.c:632
632 for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
(gdb) list
627
628 static uint32_t OutputTxLoggerGetActiveCount(void)
629 {
630 uint32_t cnt = 0;
631 for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
632 for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
633 cnt++;
634 }
635 }
636
(gdb) bt
#0 OutputTxLoggerGetActiveCount () at output-tx.c:632
#1 0x000055dc01d2ba24 in OutputSetupActiveLoggers () at output.c:907
#2 0x000055dc01d35ac2 in RunModeInitializeOutputs () at runmodes.c:946
#3 0x000055dc01c40e17 in PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2322
#4 PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2315
#5 0x000055dc01d31497 in UnixSocketPcapFilesCheck (data=0x7f8db8f39c80) at runmode-unix-socket.c:546
#6 0x000055dc01c4bcde in UnixCommandBackgroundTasks (this=0x55dc03939b20 <command>) at unix-manager.c:443
#7 UnixManager (th_v=0x7f8db44d6dc0, thread_data=<optimized out>) at unix-manager.c:1179
#8 0x000055dc01c4640a in TmThreadsManagement (td=0x7f8db44d6dc0) at tm-threads.c:571
#9 0x00007f8dc2247aa4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00007f8dc22d4c3c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
Build info:
This is Suricata version 8.0.0 RELEASE
Features: DEBUG PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 13.3.0, C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.0
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Npcap support:
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
GeoIP2 support: no
JA3 support: yes
JA4 support: yes
Hyperscan support: no
Hwloc support: no
Libnet support: yes
liblz4 support: no
Landlock support: yes
Systemd support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.75.0 (82e1608df 2023-12-21) (built from a source tarball)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.75.0
Python support: yes
Python path: /opt/venv/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Plugins:
nDPI: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: yes
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
PCAP_CFLAGS -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/libnl3
SECCFLAGS
Files
Updated by Andrea De Pasquale 4 months ago
With this patch, the segfault can be avoided. Not sure it's an appropriate fix though.
diff --git a/src/output-tx.c b/src/output-tx.c
index b5a1852fa..d6a50eba2 100644
--- a/src/output-tx.c
+++ b/src/output-tx.c
@@ -627,6 +627,10 @@ static TmEcode OutputTxLogThreadDeinit(ThreadVars *tv, void *thread_data)
static uint32_t OutputTxLoggerGetActiveCount(void)
{
+ if (list == NULL) {
+ return 0;
+ }
+
uint32_t cnt = 0;
for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
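Review bot: the `if (list == NULL) return 0;` guard at the top of OutputTxLoggerGetActiveCount() masks the ordering problem rather than fixing it. The backtrace shows this call arriving via UnixSocketPcapFilesCheck -> PreRunPostPrivsDropInit -> RunModeInitializeOutputs -> OutputSetupActiveLoggers, i.e. output setup is re-run for the second pcap after the engine state has been reset, and by then `list` has already been torn down. Returning 0 there makes OutputSetupActiveLoggers() believe no tx loggers are active for the second run instead of failing loudly, so logging for that run could silently differ from the first. Suggest locating where `list` is freed or NULLed during the reset and having the re-init path allocate and repopulate it before OutputSetupActiveLoggers() runs; keep a check here only as a debug assertion or an error the caller handles, so a missing re-init is caught rather than hidden.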
Updated by Philippe Antoine 4 months ago
- Status changed from New to Feedback
I do not reproduce:
Running
./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol1"; ./rust/target/release/suricatasc -c "pcap-file-list"; ./rust/target/release/suricatasc -c "pcap-current"; sleep 1; ./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol2"; ./rust/target/release/suricatasc -c "pcap-file-list";
I get
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"domtest.pcap","return":"OK"}
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
I think there is a bug coming from UnixSocketPcapFilesCheck but only when we satisfy condition if ((unix_manager_pcap_task_failed == 1) || (this->running == 1))
Could you share some verbose logs produced by Suricata when running this ?
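The lifecycle the thread is circling around (a per-protocol logger table torn down by the engine reset and then walked again by the next run's output setup), as an added example that is not Suricata's code and not the reporter's patch. It is a constructed model: the names OutputTxLoggerListInit, OutputTxLoggerRegister, OutputTxLoggerListDeinit, SecondRunOutputSetup and SimulateTwoRuns are hypothetical, the protocol ids 1 and 2 and the logger names "http"/"dns" are made up, and only the counting loop mirrors the shape of the frame shown in the backtrace. It puts the unguarded count, the proposed guard and a re-init-before-count ordering side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (assumption: not Suricata's output-tx.c): a file-static
 * table indexed by app-layer protocol, torn down on engine reset and read
 * again by the next run's output setup. */
typedef uint16_t AppProto;

typedef struct OutputTxLogger_ {
    const char *name;
    struct OutputTxLogger_ *next;
} OutputTxLogger;

static OutputTxLogger **list = NULL;  /* list[alproto] -> head of chain */
static AppProto g_alproto_max = 0;    /* protocol count, survives a reset */

/* Allocate the per-protocol table once the protocol count is known. */
static int OutputTxLoggerListInit(AppProto alproto_max)
{
    list = calloc(alproto_max, sizeof(OutputTxLogger *));
    if (list == NULL)
        return -1;
    g_alproto_max = alproto_max;
    return 0;
}

/* Register a logger for one protocol; refuses if the table is absent. */
static int OutputTxLoggerRegister(AppProto alproto, const char *name)
{
    if (list == NULL || alproto >= g_alproto_max)
        return -1;
    OutputTxLogger *l = calloc(1, sizeof(*l));
    if (l == NULL)
        return -1;
    l->name = name;
    l->next = list[alproto];
    list[alproto] = l;
    return 0;
}

/* Engine reset between two pcap runs: free every chain and the table. */
static void OutputTxLoggerListDeinit(void)
{
    if (list == NULL)
        return;
    for (AppProto a = 0; a < g_alproto_max; a++) {
        OutputTxLogger *p = list[a];
        while (p != NULL) {
            OutputTxLogger *n = p->next;
            free(p);
            p = n;
        }
    }
    free(list);
    list = NULL;
}

/* Same shape as the loop in the backtrace: list[alproto] is read
 * unconditionally, so calling this after deinit dereferences NULL. */
static uint32_t OutputTxLoggerGetActiveCount(void)
{
    uint32_t cnt = 0;
    for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
        for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
            cnt++;
        }
    }
    return cnt;
}

/* The guard from the proposed patch: no crash, but it reports "no tx
 * loggers" for a run whose loggers were simply never re-registered. */
static uint32_t OutputTxLoggerGetActiveCountGuarded(void)
{
    if (list == NULL)
        return 0;
    return OutputTxLoggerGetActiveCount();
}

/* Output setup of the second run. reinit_first=0 counts straight away (the
 * failing order, surviving only because of the guard); reinit_first=1
 * re-creates and repopulates the table before counting. */
static int SecondRunOutputSetup(int reinit_first)
{
    if (reinit_first) {
        if (OutputTxLoggerListInit(g_alproto_max) != 0)
            return -1;
        if (OutputTxLoggerRegister(1, "http") != 0 ||
            OutputTxLoggerRegister(2, "dns") != 0)
            return -1;
    }
    return (int)OutputTxLoggerGetActiveCountGuarded();
}

/* First run, engine reset, second run; returns the count the second run's
 * output setup observes (or -1 on allocation failure). */
static int SimulateTwoRuns(int reinit_first)
{
    OutputTxLoggerListDeinit();
    if (OutputTxLoggerListInit(3) != 0)
        return -1;
    if (OutputTxLoggerRegister(1, "http") != 0 ||
        OutputTxLoggerRegister(2, "dns") != 0)
        return -1;
    uint32_t first = OutputTxLoggerGetActiveCount();  /* first run sees 2 */
    OutputTxLoggerListDeinit();                       /* "Resetting engine state" */
    int second = SecondRunOutputSetup(reinit_first);
    OutputTxLoggerListDeinit();
    return first == 2 ? second : -1;
}

int main(void)
{
    printf("guard only, count before re-init: %d\n", SimulateTwoRuns(0));
    printf("re-init and re-register first:    %d\n", SimulateTwoRuns(1));
    return 0;
}
```

The driver never calls the unguarded count after the reset, because that call is the crash in the report. With the guard alone the second run's setup sees 0 loggers; with the table re-created and repopulated before counting it sees the same 2 as the first run, which is the behaviour a fix for the reset path should restore.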
Updated by Andrea De Pasquale 4 months ago
Here are the -vvv logs. If you can't repro maybe try reducing/increasing the sleep time?
Updated command using numbered pcaps for better visibility in the logs:
# for x in {1..2}; do
rm -rf /tmp/$x
mkdir /tmp/$x
chown suricata:suricata /tmp/$x
echo "Submitting PCAP $x"
cp /recording.pcap /recording$x.pcap
suricatasc -c "pcap-file /recording$x.pcap /tmp/$x"
suricatasc -c "pcap-file-list"
suricatasc -c "pcap-current"
echo
sleep 1
done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording1.pcap","return":"OK"}
Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
[35] Notice: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode [35] Info: cpu: CPUs/cores online: 16 [35] Info: suricata: Setting engine mode to IDS mode by default [35] Info: exception-policy: master exception-policy set to: auto [35] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch) [35] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864 [35] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864 [35] Config: smb: guid: max cache size: 1024 [35] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3. [35] Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64 [35] Config: host: preallocated 1000 hosts of size 120 [35] Config: host: host memory usage: 382144 bytes, maximum: 33554432 [35] Config: coredump-config: Core dump size is unlimited. [35] Config: landlock: Landlock is not enabled in configuration [35] Config: suricata: Delayed detect disabled [35] Config: detect: pattern matchers: MPM: ac, SPM: bm [35] Config: detect: grouping: tcp-priority-ports (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 [35] Config: detect: grouping: udp-priority-ports (default) 53, 135, 5060 [35] Config: detect: prefilter engines: MPM [35] Config: reputation: IP reputation disabled [35] Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules [35] Info: detect: 1 rule files processed. 37324 rules successfully loaded, 0 rules failed, 0 rules skipped [35] Info: threshold-config: Threshold config parsed: 0 rule(s) found [35] Info: detect: 37324 signatures processed. 1 are IP-only rules, 3299 are inspecting packet payload, 33988 inspect application layer, 0 are decoder event only [35] Config: detect: building signature grouping structure, stage 1: preprocessing rules... 
complete [35] Perf: detect: TCP toserver: 41 port groups, 41 unique SGH's, 0 copies [35] Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies [35] Perf: detect: UDP toserver: 41 port groups, 37 unique SGH's, 4 copies [35] Perf: detect: UDP toclient: 21 port groups, 19 unique SGH's, 2 copies [35] Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies [35] Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies [35] Perf: detect: Unique rule groups: 121 [35] Perf: detect: Builtin MPM "toserver TCP packet": 30 [35] Perf: detect: Builtin MPM "toclient TCP packet": 17 [35] Perf: detect: Builtin MPM "toserver TCP stream": 29 [35] Perf: detect: Builtin MPM "toclient TCP stream": 16 [35] Perf: detect: Builtin MPM "toserver UDP packet": 37 [35] Perf: detect: Builtin MPM "toclient UDP packet": 19 [35] Perf: detect: Builtin MPM "other IP packet": 3 [35] Perf: detect: AppLayer MPM "toserver http_uri (http)": 16 [35] Perf: detect: AppLayer MPM "toserver http_uri (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 16 [35] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 16 [35] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_request_line (http)": 8 [35] Perf: detect: AppLayer MPM "toserver http_request_line (doh2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 16 [35] Perf: detect: AppLayer MPM 
"toserver http_client_body (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 16 [35] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 16 [35] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_line (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_header (http)": 10 [35] Perf: detect: AppLayer MPM "toserver http_header (http)": 1 [35] Perf: detect: AppLayer MPM "toserver http_header (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (http)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (http)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (http)": 1 [35] Perf: detect: AppLayer MPM "toclient http_header (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (http)": 10 [35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10 [35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 1 [35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10 [35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10 [35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 1 [35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 1 [35] Perf: 
detect: AppLayer MPM "toclient http_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10 [35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 1 [35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10 [35] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 11 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 1 [35] 
Perf: detect: AppLayer MPM "toserver http_header_names (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 8 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 11 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 1 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 8 [35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 11 [35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 1 [35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 11 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 8 [35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 11 [35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 1 [35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 8 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 11 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 8 
[35] Perf: detect: AppLayer MPM "toserver http_accept (http)": 8 [35] Perf: detect: AppLayer MPM "toserver http_accept (doh2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_accept_enc (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_accept_lang (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_referer (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_referer (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_connection (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_connection (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_connection (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_connection (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_content_len (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_len (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_content_type (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_type 
(doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http.server (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http.server (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http.server (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http.location (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http.location (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http.location (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_start (http)": 6 [35] Perf: detect: AppLayer MPM "toclient http_start (http)": 6 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 2 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_method (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_method (doh2)": 2 [35] Perf: 
detect: AppLayer MPM "toserver http_method (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8 [35] Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8 [35] Perf: detect: AppLayer MPM "toserver http_cookie (doh2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8 [35] Perf: detect: AppLayer MPM "toclient http_cookie (doh2)": 8 [35] Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8 [35] Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 17 [35] Perf: detect: AppLayer MPM "toserver http_user_agent (doh2)": 17 [35] Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 17 [35] Perf: detect: AppLayer MPM "toserver http_host (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_host (http)": 4 [35] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_host (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_host (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_host (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4 [35] Perf: detect: AppLayer MPM "toclient http_stat_code (doh2)": 4 [35] Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4 [35] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2 [35] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1 [35] Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 5 [35] Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 5 [35] Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4 [35] Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4 [35] Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2 [35] Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2 [35] Perf: detect: 
AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1 [35] Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 1 [35] Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2 [35] Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2 [35] Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1 [35] Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1 [35] Perf: detect: AppLayer MPM "toserver ssh_software (ssh)": 1 [35] Perf: detect: AppLayer MPM "toclient ssh_software (ssh)": 1 [35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2 [35] Perf: detect: AppLayer MPM 
"toserver file_data (ftp-data)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (http)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (http)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (http)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (http)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (http)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (http)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 20 [35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2 [35] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 20 [35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2 [35] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2 [35] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 4 [35] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 2 [35] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 4 [35] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2 [35] Perf: detect: Pkt MPM "icmpv6.hdr": 1 [35] Perf: detect: Pkt MPM "ipv6.hdr": 1 [35] Config: tmqh-flow: AutoFP mode using "IPPair" flow load balancer [35] Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [35] Notice: threads: Threads created -> Engine started. 
[54] Info: unix-socket: Added file '/recording1.pcap' to list [54] Info: unix-socket: pcap-file.tenant-id not set [54] Info: unix-socket: Starting run for '/recording1.pcap' [54] Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch) [54] Config: defrag-hash: allocated 3145728 bytes of memory for the defrag hash... 65536 buckets of size 48 [54] Config: defrag-hash: preallocated 65535 defrag trackers of size 144 [54] Config: defrag-hash: defrag memory usage: 12582768 bytes, maximum: 33554432 [54] Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch) [54] Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6 [54] Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread) [54] Config: stream-tcp: stream "memcap": 67108864 [54] Config: stream-tcp: stream "midstream" session pickups: disabled [54] Config: stream-tcp: stream "async-oneside": disabled [54] Config: stream-tcp: stream "checksum-validation": disabled [54] Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch) [54] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch) [54] Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch) [54] Config: stream-tcp: stream."inline": disabled [54] Config: stream-tcp: stream "bypass": disabled [54] Config: stream-tcp: stream.reassembly.urgent.policy": oob [54] Config: stream-tcp: stream.reassembly.urgent.oob-limit-policy": drop [54] Config: stream-tcp: stream "max-syn-queued": 10 [54] Config: stream-tcp: stream "max-synack-queued": 5 [54] Config: stream-tcp: stream.reassembly "memcap": 268435456 [54] Config: stream-tcp: stream.reassembly "depth": 1048576 [54] Config: stream-tcp: stream.reassembly "toserver-chunk-size": 4096 [54] Config: stream-tcp: stream.reassembly 
Updated by Jeff Lucovsky 3 months ago
I'm trying to reproduce the issue. Can you post the exact command line used to launch suricata?
Updated by Andrea De Pasquale 3 months ago
Sure. The command is:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile /tmp/suricata.pid -vvv
Updated by Jeff Lucovsky 3 months ago
Can you post the pcap file?
It's still not crashing for me.
Updated by Andrea De Pasquale 3 months ago
It's not pcap-file dependent. I tried multiple files. I can reproduce it with a PCAP containing a simple HTTP request to example.com.
Updated by Andrea De Pasquale 3 months ago
- File suricata.yaml suricata.yaml added
It may be the config file? Attaching that here.
Updated by Jeff Lucovsky 3 months ago · Edited
I'm using this command line --
./src/suricata -c suricata.yaml -l /tmp/ll --unix-socket -S suricata.rules
suricata.rules is the ET Pro ruleset.
It's not repro'ing on my setup (8.0, et/pro) and a pcap that I can't share.
I'll look at the suricata.yaml file you posted and see if there's anything causing the faults.
Updated by Philippe Antoine 3 months ago
What is this <SIGSEGV> in the middle of the logs? Could you run suricata with ASAN?
Updated by Andrea De Pasquale 3 months ago
<SIGSEGV> was just a placeholder that I added instead of a segmentation fault / core dumped message.
Here's the output of ASan. It contains pretty much the same info I posted when I opened the ticket, with perhaps some additional context on when the thread was created.
[2228521] Config: logopenfile: Setting output to /tmp/lol2/eve.json non-buffered
[2228521] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[2228521] Config: runmodes: enabling 'eve-log' module 'alert'
[2228521] Config: runmodes: enabling 'eve-log' module 'frame'
[2228521] Config: runmodes: enabling 'eve-log' module 'anomaly'
[2228521] Config: runmodes: enabling 'eve-log' module 'http'
[2228521] Config: runmodes: enabling 'eve-log' module 'dns'
[2228521] Config: runmodes: enabling 'eve-log' module 'mdns'
[2228521] Config: runmodes: enabling 'eve-log' module 'tls'
[2228521] Config: runmodes: enabling 'eve-log' module 'files'
[2228521] Config: runmodes: enabling 'eve-log' module 'smtp'
[2228521] Config: runmodes: enabling 'eve-log' module 'websocket'
[2228521] Config: runmodes: enabling 'eve-log' module 'ftp'
[2228521] Config: runmodes: enabling 'eve-log' module 'rdp'
[2228521] Config: runmodes: enabling 'eve-log' module 'nfs'
[2228521] Config: runmodes: enabling 'eve-log' module 'smb'
[2228521] Config: runmodes: enabling 'eve-log' module 'tftp'
[2228521] Config: runmodes: enabling 'eve-log' module 'ike'
[2228521] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[2228521] Config: runmodes: enabling 'eve-log' module 'krb5'
[2228521] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht'
[2228521] Config: runmodes: enabling 'eve-log' module 'snmp'
[2228521] Config: runmodes: enabling 'eve-log' module 'rfb'
[2228521] Config: runmodes: enabling 'eve-log' module 'sip'
[2228521] Config: runmodes: enabling 'eve-log' module 'quic'
[2228521] Config: runmodes: enabling 'eve-log' module 'ldap'
[2228521] Config: runmodes: enabling 'eve-log' module 'pop3'
[2228521] Config: runmodes: enabling 'eve-log' module 'arp'
[2228521] Config: runmodes: enabling 'eve-log' module 'dhcp'
[2228521] Config: runmodes: enabling 'eve-log' module 'ssh'
[2228521] Config: runmodes: enabling 'eve-log' module 'mqtt'
[2228521] Config: runmodes: enabling 'eve-log' module 'http2'
[2228521] Config: runmodes: enabling 'eve-log' module 'doh2'
[2228521] Config: runmodes: enabling 'eve-log' module 'pgsql'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2228520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f61b5624c0 bp 0x7f7a5f7d2460 sp 0x7f7a5f7d2450 T1)
==2228520==The signal is caused by a READ memory access.
==2228520==Hint: address points to the zero page.
#0 0x55f61b5624c0 in OutputTxLoggerGetActiveCount /some/directory/OISF/suricata/src/output-tx.c
#1 0x55f61b565d6a in OutputSetupActiveLoggers /some/directory/OISF/suricata/src/output.c:907:24
#2 0x55f61b57c854 in RunModeInitializeOutputs /some/directory/OISF/suricata/src/runmodes.c:946:5
#3 0x55f61b33cbe2 in PreRunPostPrivsDropInit /some/directory/OISF/suricata/src/suricata.c:2322:5
#4 0x55f61b578dd8 in UnixSocketPcapFilesCheck /some/directory/OISF/suricata/src/runmode-unix-socket.c:546:5
#5 0x55f61b353b82 in UnixCommandBackgroundTasks /some/directory/OISF/suricata/src/unix-manager.c:443:20
#6 0x55f61b353b82 in UnixManager /some/directory/OISF/suricata/src/unix-manager.c:1179:9
#7 0x55f61b34b4f7 in TmThreadsManagement /some/directory/OISF/suricata/src/tm-threads.c:571:9
#8 0x7f7a625711f4 in start_thread nptl/./nptl/pthread_create.c:442:8
#9 0x7f7a625f189b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /some/directory/OISF/suricata/src/output-tx.c in OutputTxLoggerGetActiveCount
Thread T1 (US) created by T0 (Suricata-Main) here:
#0 0x55f61b2e504c in __interceptor_pthread_create (/some/directory/OISF/suricata/src/suricata+0x95a04c) (BuildId: 1796ed4efbe3fc9cab644e301fd8a71f06bc05b7)
#1 0x55f61b3472f2 in TmThreadSpawn /some/directory/OISF/suricata/src/tm-threads.c:1745:14
#2 0x55f61b3522e1 in UnixManagerThreadSpawn /some/directory/OISF/suricata/src/unix-manager.c:1202:9
#3 0x55f61b573c41 in RunModeUnixSocketMaster /some/directory/OISF/suricata/src/runmode-unix-socket.c:1779:5
#4 0x55f61b57a497 in RunModeDispatch /some/directory/OISF/suricata/src/runmodes.c:442:5
#5 0x55f61b3402ec in SuricataInit /some/directory/OISF/suricata/src/suricata.c:3091:5
#6 0x55f61b336984 in main /some/directory/OISF/suricata/src/main.c:57:5
#7 0x7f7a6250f249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==2228520==ABORTING
Updated by Philippe Antoine 3 months ago
I am reproducing with the supplied suricata.yaml, and it is not reproducing with the default suricata.yaml.
Updated by Philippe Antoine 3 months ago
Minimized reproducer:
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: true
      types:
        - alert
Updated by Philippe Antoine 3 months ago
Not affecting 7.0.11 (this seems due to making things dynamic in 8).
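As an added illustration, not Suricata's code and not the fix merged upstream, the C model below reproduces the shape of the fault in the ASan report above and the 7.0-vs-8.0 remark: a per-protocol logger table sized at runtime, torn down when engine state is reset between pcap-file runs, and walked again by the next run's output setup. That the table is not re-allocated before the second setup is an assumption of the model; all protocol ids, logger names and sizes are constructed for the example.

```c
/* Added illustration only: a model of the fault shape, not Suricata's code
 * and not the fix merged upstream. The table is sized at runtime and torn
 * down on reset; the loop bound survives the teardown while the table
 * pointer does not, so an unguarded walk reads list[0] through NULL:
 * "address points to the zero page", exactly as ASan reported. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t AppProto;

typedef struct OutputTxLogger_ {
    const char *name;
    struct OutputTxLogger_ *next;
} OutputTxLogger;

static AppProto g_alproto_max = 0;   /* runtime protocol count, kept across reset */
static OutputTxLogger **list = NULL; /* list[alproto]: logger chain, or no table */

/* Per-run setup: size the table from the protocol count in force. */
static void OutputTxLoggerTableInit(AppProto alproto_max)
{
    g_alproto_max = alproto_max;
    list = calloc(alproto_max, sizeof(*list));
    if (list == NULL)
        abort();
}

static void OutputTxLoggerRegister(AppProto alproto, const char *name)
{
    OutputTxLogger *l = calloc(1, sizeof(*l));
    if (l == NULL)
        abort();
    l->name = name;
    l->next = list[alproto];
    list[alproto] = l;
}

/* "Resetting engine state": free every logger and the table. g_alproto_max
 * is deliberately left untouched, which is what makes the next walk unsafe. */
static void OutputTxLoggerTableDeinit(void)
{
    for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
        OutputTxLogger *p = list[alproto];
        while (p != NULL) {
            OutputTxLogger *next = p->next;
            free(p);
            p = next;
        }
    }
    free(list);
    list = NULL;
}

/* Same loop shape as frame #0 in the report, plus one guard: a table that has
 * not been (re)allocated for this run has no active loggers. Without the
 * guard, calling this after a reset dereferences NULL at list[0]. */
static uint32_t OutputTxLoggerGetActiveCount(void)
{
    if (list == NULL)
        return 0;
    uint32_t cnt = 0;
    for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
        for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next)
            cnt++;
    }
    return cnt;
}

/* Two pcap-file runs as the unix-socket master sequences them: set up, run,
 * reset, set up again; returns the count the second setup observes. With
 * reinit_between_runs == 0 the second setup sees the torn-down table. */
static uint32_t SimulateSecondRunCount(int reinit_between_runs)
{
    const AppProto alproto_max = 4;         /* constructed value */
    OutputTxLoggerTableInit(alproto_max);
    OutputTxLoggerRegister(1, "http");      /* constructed ids and names */
    OutputTxLoggerRegister(2, "dns");
    OutputTxLoggerTableDeinit();            /* first run done */
    if (reinit_between_runs) {              /* correct second-run setup */
        OutputTxLoggerTableInit(alproto_max);
        OutputTxLoggerRegister(1, "http");
        OutputTxLoggerRegister(2, "dns");
    }
    uint32_t cnt = OutputTxLoggerGetActiveCount();
    if (list != NULL)
        OutputTxLoggerTableDeinit();
    return cnt;
}

int main(void)
{
    printf("second run, table re-allocated: %u active loggers\n",
           SimulateSecondRunCount(1));
    printf("second run, table missing:      %u active loggers\n",
           SimulateSecondRunCount(0));
    return 0;
}
```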
Updated by Philippe Antoine 3 months ago
- Status changed from Feedback to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Jason Ish 3 months ago
- Status changed from In Review to Closed
Merged via https://github.com/OISF/suricata/pull/13683.
Updated by Victor Julien about 1 month ago
- Subject changed from Suricata 8.0.0 segfault when receiving "pcap-file-list" command to unix-socket: segfault in "pcap-file-list" command