Bug #7815
Suricata 8.0.0 segfault when receiving "pcap-file-list" command
Status: closed
Description
Suricata 8.0.0 segfaults after the 2nd "pcap-file-list" command.
Running in pcap mode (no interfaces) and unix-socket enabled.
With suricata running, I can reproduce the segfault with this command:
# for x in {1..3}; do rm -rf /tmp/$x; mkdir /tmp/$x; chown suricata:suricata /tmp/$x; echo "Submitting PCAP $x"; suricatasc -c "pcap-file /recording.pcap /tmp/$x"; suricatasc -c "pcap-file-list"; suricatasc -c "pcap-current"; echo; sleep 1; done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording.pcap","return":"OK"}

Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`

Submitting PCAP 3
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
Core dump:
(gdb) frame 0
#0  OutputTxLoggerGetActiveCount () at output-tx.c:632
632	        for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
(gdb) list
627	
628	static uint32_t OutputTxLoggerGetActiveCount(void)
629	{
630	    uint32_t cnt = 0;
631	    for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
632	        for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
633	            cnt++;
634	        }
635	    }
636	
(gdb) bt
#0  OutputTxLoggerGetActiveCount () at output-tx.c:632
#1  0x000055dc01d2ba24 in OutputSetupActiveLoggers () at output.c:907
#2  0x000055dc01d35ac2 in RunModeInitializeOutputs () at runmodes.c:946
#3  0x000055dc01c40e17 in PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2322
#4  PreRunPostPrivsDropInit (runmode=<optimized out>) at suricata.c:2315
#5  0x000055dc01d31497 in UnixSocketPcapFilesCheck (data=0x7f8db8f39c80) at runmode-unix-socket.c:546
#6  0x000055dc01c4bcde in UnixCommandBackgroundTasks (this=0x55dc03939b20 <command>) at unix-manager.c:443
#7  UnixManager (th_v=0x7f8db44d6dc0, thread_data=<optimized out>) at unix-manager.c:1179
#8  0x000055dc01c4640a in TmThreadsManagement (td=0x7f8db44d6dc0) at tm-threads.c:571
#9  0x00007f8dc2247aa4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00007f8dc22d4c3c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
Build info:
This is Suricata version 8.0.0 RELEASE
Features: DEBUG PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 13.3.0, C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.0

Suricata Configuration:
  AF_PACKET support: yes
  AF_XDP support: no
  DPDK support: no
  eBPF support: no
  XDP support: no
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  WinDivert enabled: no
  Npcap support:
  Unix socket enabled: yes
  Detection enabled: yes
  Libmagic support: yes
  libjansson support: yes
  hiredis support: no
  hiredis async with libevent: no
  PCRE jit: yes
  GeoIP2 support: no
  JA3 support: yes
  JA4 support: yes
  Hyperscan support: no
  Hwloc support: no
  Libnet support: yes
  liblz4 support: no
  Landlock support: yes
  Systemd support: yes
  Rust strict mode: no
  Rust compiler path: /usr/bin/rustc
  Rust compiler version: rustc 1.75.0 (82e1608df 2023-12-21) (built from a source tarball)
  Cargo path: /usr/bin/cargo
  Cargo version: cargo 1.75.0
  Python support: yes
  Python path: /opt/venv/bin/python3
  Install suricatactl: yes
  Install suricatasc: yes
  Install suricata-update: yes
  Profiling enabled: no
  Profiling locks enabled: no
  Profiling rules enabled: no
  Plugin support (experimental): yes
  DPDK Bond PMD: no
  Plugins:
    nDPI: no

Development settings:
  Coccinelle / spatch: no
  Unit tests enabled: no
  Debug output enabled: yes
  Debug validation enabled: no
  Fuzz targets enabled: no

Generic build parameters:
  Installation prefix: /usr
  Configuration directory: /etc/suricata/
  Log directory: /var/log/suricata/
  --prefix /usr --sysconfdir /etc --localstatedir /var --datarootdir /usr/share
  Host: x86_64-pc-linux-gnu
  Compiler: gcc (exec name) / g++ (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: no
  CFLAGS -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
  PCAP_CFLAGS -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/libnl3
  SECCFLAGS
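An added model of the lifecycle behind the backtrace, not Suricata's code and not the reporter's patch: it assumes the per-alproto tx logger array `list` is released when the engine state is reset after the first pcap-file run and that the second run's output setup counts loggers before the array is re-created. The init/register/free helpers, the `SimulateSecondRun` driver and the four-protocol size are hypothetical simplifications; the block contrasts a NULL-guard workaround in the count function (which returns 0, so the run proceeds with no tx loggers) with a caller that treats a missing registry as an initialization-order error.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t AppProto;

/* Minimal model of the tx logger registry in output-tx.c: one linked list per
 * app-layer protocol, heads in a heap array sized by g_alproto_max.
 * Helper names and fields are hypothetical simplifications. */
typedef struct OutputTxLogger_ { struct OutputTxLogger_ *next; } OutputTxLogger;

static AppProto g_alproto_max = 4;    /* constructed value for the model */
static OutputTxLogger **list = NULL;  /* NULL until TxLoggerListInit runs */

/* Create the per-alproto head array (models module init before a run). */
static bool TxLoggerListInit(void)
{
    if (list == NULL)
        list = calloc(g_alproto_max, sizeof(*list));
    return list != NULL;
}

/* Register one logger under one alproto; fails if the array does not exist. */
static bool TxLoggerRegister(AppProto alproto)
{
    if (list == NULL || alproto >= g_alproto_max)
        return false;
    OutputTxLogger *l = calloc(1, sizeof(*l));
    if (l == NULL)
        return false;
    l->next = list[alproto];
    list[alproto] = l;
    return true;
}

/* Release every logger and the head array, leaving list == NULL.
 * Models (assumed here) the engine state reset between two pcap-file runs. */
static void TxLoggerListFree(void)
{
    if (list == NULL)
        return;
    for (AppProto a = 0; a < g_alproto_max; a++) {
        while (list[a] != NULL) {
            OutputTxLogger *n = list[a]->next;
            free(list[a]);
            list[a] = n;
        }
    }
    free(list);
    list = NULL;
}

/* Same shape as frame #0 of the backtrace. With list == NULL the first
 * list[alproto] read is the NULL dereference reported at output-tx.c:632. */
static uint32_t OutputTxLoggerGetActiveCount(void)
{
    uint32_t cnt = 0;
    for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
        for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next)
            cnt++;
    }
    return cnt;
}

/* Workaround shape: a NULL guard returns 0, so the caller believes no tx
 * loggers are active and the second run continues without them. */
static uint32_t OutputTxLoggerGetActiveCountGuarded(void)
{
    return list == NULL ? 0 : OutputTxLoggerGetActiveCount();
}

/* Preferred shape for the caller (models OutputSetupActiveLoggers): a missing
 * registry is an initialization-order error (-1), not "zero loggers". */
static int SetupActiveLoggersChecked(void)
{
    return list == NULL ? -1 : (int)OutputTxLoggerGetActiveCount();
}

/* Drive the two-run sequence from the report; reinit_after_reset selects whether
 * the reset path rebuilds the registry before run 2's output setup. */
static int SimulateSecondRun(bool reinit_after_reset)
{
    TxLoggerListInit();
    TxLoggerRegister(1);  /* e.g. an http tx logger */
    TxLoggerRegister(2);  /* e.g. a dns tx logger */
    TxLoggerListFree();   /* run 1 done: engine state reset tears it down */
    if (reinit_after_reset) {
        TxLoggerListInit();
        TxLoggerRegister(1);
        TxLoggerRegister(2);
    }
    int active = SetupActiveLoggersChecked();
    TxLoggerListFree();
    return active;
}

int main(void)
{
    printf("run 2 with reinit: %d active tx loggers\n", SimulateSecondRun(true));
    int without = SimulateSecondRun(false);
    printf("run 2 without reinit: %d (NULL-guarded count says %u)\n", without,
           OutputTxLoggerGetActiveCountGuarded());
    return 0;
}
```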
Updated by Andrea De Pasquale 27 days ago
With this patch, the segfault can be avoided. Not sure it's an appropriate fix though.
diff --git a/src/output-tx.c b/src/output-tx.c
index b5a1852fa..d6a50eba2 100644
--- a/src/output-tx.c
+++ b/src/output-tx.c
@@ -627,6 +627,10 @@ static TmEcode OutputTxLogThreadDeinit(ThreadVars *tv, void *thread_data)
static uint32_t OutputTxLoggerGetActiveCount(void)
{
+ if (list == NULL) {
+ return 0;
+ }
+
uint32_t cnt = 0;
for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
for (OutputTxLogger *p = list[alproto]; p != NULL; p = p->next) {
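Review bot: the `if (list == NULL) return 0;` guard at the top of OutputTxLoggerGetActiveCount stops the dereference at output-tx.c:632 but hides the defect rather than fixing it. The backtrace shows the count being taken from OutputSetupActiveLoggers inside PreRunPostPrivsDropInit for the second pcap-file run, so `list` being NULL there means the registry was released between runs and not re-created before the outputs were set up again; with the guard, that run silently proceeds as if zero tx loggers were active. Suggest re-initializing the list on the reset path (or failing the run with an error when it is missing) instead, and if the guard stays, a comment saying which caller it protects and why 0 is acceptable there.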
Updated by Philippe Antoine 23 days ago
- Status changed from New to Feedback
I do not reproduce:
Running
./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol1"; ./rust/target/release/suricatasc -c "pcap-file-list"; ./rust/target/release/suricatasc -c "pcap-current"; sleep 1; ./rust/target/release/suricatasc -c "pcap-file domtest.pcap /tmp/lol2"; ./rust/target/release/suricatasc -c "pcap-file-list";
I get
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"domtest.pcap","return":"OK"}
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
I think there is a bug coming from UnixSocketPcapFilesCheck
but only when we satisfy condition if ((unix_manager_pcap_task_failed == 1) || (this->running == 1))
Could you share some verbose logs produced by Suricata when running this?
Updated by Andrea De Pasquale 23 days ago
Here are the -vvv logs. If you can't repro, maybe try reducing/increasing the sleep time?
Updated command using numbered pcaps for better visibility in the logs:
# for x in {1..2}; do
    rm -rf /tmp/$x
    mkdir /tmp/$x
    chown suricata:suricata /tmp/$x
    echo "Submitting PCAP $x"
    cp /recording.pcap /recording$x.pcap
    suricatasc -c "pcap-file /recording$x.pcap /tmp/$x"
    suricatasc -c "pcap-file-list"
    suricatasc -c "pcap-current"
    echo
    sleep 1
done
Submitting PCAP 1
{"message":"Successfully added file to list","return":"OK"}
{"message":{"count":0,"files":[]},"return":"OK"}
{"message":"/recording1.pcap","return":"OK"}

Submitting PCAP 2
{"message":"Successfully added file to list","return":"OK"}
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection reset by peer (os error 104)`
Unable to connect socket to /var/run/suricata/suricata-command.socket: ioerror: `Connection refused (os error 111)`
logopenfile: eve-log output device (regular) initialized: eve.json [54] Config: runmodes: enabling 'eve-log' module 'alert' [54] Config: runmodes: enabling 'eve-log' module 'frame' [54] Config: runmodes: enabling 'eve-log' module 'anomaly' [54] Config: runmodes: enabling 'eve-log' module 'http' [54] Config: runmodes: enabling 'eve-log' module 'dns' [54] Config: runmodes: enabling 'eve-log' module 'mdns' [54] Config: runmodes: enabling 'eve-log' module 'tls' [54] Config: runmodes: enabling 'eve-log' module 'files' [54] Config: runmodes: enabling 'eve-log' module 'smtp' [54] Config: runmodes: enabling 'eve-log' module 'websocket' [54] Config: runmodes: enabling 'eve-log' module 'ftp' [54] Config: runmodes: enabling 'eve-log' module 'rdp' [54] Config: runmodes: enabling 'eve-log' module 'nfs' [54] Config: runmodes: enabling 'eve-log' module 'smb' [54] Config: runmodes: enabling 'eve-log' module 'tftp' [54] Config: runmodes: enabling 'eve-log' module 'ike' [54] Config: runmodes: enabling 'eve-log' module 'dcerpc' [54] Config: runmodes: enabling 'eve-log' module 'krb5' [54] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht' [54] Config: runmodes: enabling 'eve-log' module 'snmp' [54] Config: runmodes: enabling 'eve-log' module 'rfb' [54] Config: runmodes: enabling 'eve-log' module 'sip' [54] Config: runmodes: enabling 'eve-log' module 'quic' [54] Config: runmodes: enabling 'eve-log' module 'ldap' [54] Config: runmodes: enabling 'eve-log' module 'pop3' [54] Config: runmodes: enabling 'eve-log' module 'arp' [54] Config: runmodes: enabling 'eve-log' module 'dhcp' [54] Config: runmodes: enabling 'eve-log' module 'ssh' [54] Config: runmodes: enabling 'eve-log' module 'mqtt' [54] Config: runmodes: enabling 'eve-log' module 'http2' [54] Config: runmodes: enabling 'eve-log' module 'doh2' [54] Config: runmodes: enabling 'eve-log' module 'pgsql' <SIGSEGV> [98] Notice: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode [98] Info: cpu: CPUs/cores 
online: 16 [98] Info: suricata: Setting engine mode to IDS mode by default [98] Info: exception-policy: master exception-policy set to: auto [98] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch) [98] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864 [98] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864 [98] Config: smb: guid: max cache size: 1024 [98] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3. [98] Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64 [98] Config: host: preallocated 1000 hosts of size 120 [98] Config: host: host memory usage: 382144 bytes, maximum: 33554432 [98] Config: coredump-config: Core dump size is unlimited. [98] Config: landlock: Landlock is not enabled in configuration [98] Config: suricata: Delayed detect disabled [98] Config: detect: pattern matchers: MPM: ac, SPM: bm [98] Config: detect: grouping: tcp-priority-ports (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 [98] Config: detect: grouping: udp-priority-ports (default) 53, 135, 5060 [98] Config: detect: prefilter engines: MPM [98] Config: reputation: IP reputation disabled [98] Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules [98] Info: detect: 1 rule files processed. 37324 rules successfully loaded, 0 rules failed, 0 rules skipped [98] Info: threshold-config: Threshold config parsed: 0 rule(s) found [98] Info: detect: 37324 signatures processed. 1 are IP-only rules, 3299 are inspecting packet payload, 33988 inspect application layer, 0 are decoder event only [98] Config: detect: building signature grouping structure, stage 1: preprocessing rules... 
complete [98] Perf: detect: TCP toserver: 41 port groups, 41 unique SGH's, 0 copies [98] Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies [98] Perf: detect: UDP toserver: 41 port groups, 37 unique SGH's, 4 copies [98] Perf: detect: UDP toclient: 21 port groups, 19 unique SGH's, 2 copies [98] Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies [98] Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies [98] Perf: detect: Unique rule groups: 121 [98] Perf: detect: Builtin MPM "toserver TCP packet": 30 [98] Perf: detect: Builtin MPM "toclient TCP packet": 17 [98] Perf: detect: Builtin MPM "toserver TCP stream": 29 [98] Perf: detect: Builtin MPM "toclient TCP stream": 16 [98] Perf: detect: Builtin MPM "toserver UDP packet": 37 [98] Perf: detect: Builtin MPM "toclient UDP packet": 19 [98] Perf: detect: Builtin MPM "other IP packet": 3 [98] Perf: detect: AppLayer MPM "toserver http_uri (http)": 16 [98] Perf: detect: AppLayer MPM "toserver http_uri (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 16 [98] Perf: detect: AppLayer MPM "toserver http_uri (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 16 [98] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_request_line (http)": 8 [98] Perf: detect: AppLayer MPM "toserver http_request_line (doh2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 16 [98] Perf: detect: AppLayer MPM 
"toserver http_client_body (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 16 [98] Perf: detect: AppLayer MPM "toserver http_client_body (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 16 [98] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_line (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_header (http)": 10 [98] Perf: detect: AppLayer MPM "toserver http_header (http)": 1 [98] Perf: detect: AppLayer MPM "toserver http_header (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (http)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (http)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (http)": 1 [98] Perf: detect: AppLayer MPM "toclient http_header (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (http)": 10 [98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10 [98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 1 [98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (doh2)": 10 [98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10 [98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 1 [98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header (http2)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 1 [98] Perf: 
detect: AppLayer MPM "toclient http_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (doh2)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10 [98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 1 [98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header (http2)": 10 [98] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_request_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 11 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 1 [98] 
Perf: detect: AppLayer MPM "toserver http_header_names (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http)": 8 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 11 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 1 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http)": 8 [98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 11 [98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 1 [98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header_names (doh2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 11 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 8 [98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 11 [98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 1 [98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header_names (doh2)": 8 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 11 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 8 
[98] Perf: detect: AppLayer MPM "toserver http_accept (http)": 8 [98] Perf: detect: AppLayer MPM "toserver http_accept (doh2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_accept_enc (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_accept_lang (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_referer (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_referer (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_connection (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_connection (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_connection (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_connection (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_content_len (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_len (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_content_type (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_type 
(doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http.server (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http.server (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http.server (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http.location (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http.location (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http.location (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_start (http)": 6 [98] Perf: detect: AppLayer MPM "toclient http_start (http)": 6 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 2 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_method (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_method (doh2)": 2 [98] Perf: 
detect: AppLayer MPM "toserver http_method (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8 [98] Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8 [98] Perf: detect: AppLayer MPM "toserver http_cookie (doh2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8 [98] Perf: detect: AppLayer MPM "toclient http_cookie (doh2)": 8 [98] Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8 [98] Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 17 [98] Perf: detect: AppLayer MPM "toserver http_user_agent (doh2)": 17 [98] Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 17 [98] Perf: detect: AppLayer MPM "toserver http_host (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_host (http)": 4 [98] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_host (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_host (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_host (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_host (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4 [98] Perf: detect: AppLayer MPM "toclient http_stat_code (doh2)": 4 [98] Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4 [98] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2 [98] Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1 [98] Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 5 [98] Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 5 [98] Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4 [98] Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4 [98] Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2 [98] Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2 [98] Perf: detect: 
AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1 [98] Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 1 [98] Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2 [98] Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2 [98] Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1 [98] Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1 [98] Perf: detect: AppLayer MPM "toserver ssh_software (ssh)": 1 [98] Perf: detect: AppLayer MPM "toclient ssh_software (ssh)": 1 [98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2 [98] Perf: detect: AppLayer MPM 
"toserver file_data (ftp-data)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (http)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (http)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (http)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (http)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (http)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (http)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (doh2)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 20 [98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2 [98] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 20 [98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2 [98] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2 [98] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 4 [98] Perf: detect: AppLayer MPM "toserver dns_query (doh2)": 2 [98] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 4 [98] Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2 [98] Perf: detect: Pkt MPM "icmpv6.hdr": 1 [98] Perf: detect: Pkt MPM "ipv6.hdr": 1 [98] Config: tmqh-flow: AutoFP mode using "IPPair" flow load balancer [98] Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [98] Notice: threads: Threads created -> Engine started.
Updated by Jeff Lucovsky 22 days ago
I'm trying to reproduce the issue. Can you post the exact command line used to launch suricata?
Updated by Andrea De Pasquale 22 days ago
Sure. The command is:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile /tmp/suricata.pid -vvv
Updated by Jeff Lucovsky 22 days ago
Can you post the pcap file?
It's still not crashing for me
Updated by Andrea De Pasquale 22 days ago
It's not pcap-file dependent. I tried multiple files. I can reproduce it with a PCAP containing a simple HTTP request to example.com
Updated by Andrea De Pasquale 22 days ago
- File suricata.yaml suricata.yaml added
It may be the config file? Attaching that here
Updated by Jeff Lucovsky 22 days ago · Edited
I'm using this command line --
./src/suricata -c suricata.yaml -l /tmp/ll --unix-socket -S suricata.rules
suricata.rules is the ET Pro ruleset
It's not repro'ing on my setup (8.0, et/pro) and a pcap that I can't share.
I'll look at the suricata.yaml file you posted and see if there's anything causing the faults.
Updated by Philippe Antoine 22 days ago
What is this <SIGSEGV> in the middle of the logs ? Could you run suricata with ASAN ?
Updated by Andrea De Pasquale 21 days ago
<SIGSEGV> was just a placeholder that I added instead of a segmentation fault / core dumped message.
Here's the output of ASan. It contains pretty much the same info I posted when I opened the ticket, with perhaps some additional context on when the thread was created.
[2228521] Config: logopenfile: Setting output to /tmp/lol2/eve.json non-buffered [2228521] Info: logopenfile: eve-log output device (regular) initialized: eve.json [2228521] Config: runmodes: enabling 'eve-log' module 'alert' [2228521] Config: runmodes: enabling 'eve-log' module 'frame' [2228521] Config: runmodes: enabling 'eve-log' module 'anomaly' [2228521] Config: runmodes: enabling 'eve-log' module 'http' [2228521] Config: runmodes: enabling 'eve-log' module 'dns' [2228521] Config: runmodes: enabling 'eve-log' module 'mdns' [2228521] Config: runmodes: enabling 'eve-log' module 'tls' [2228521] Config: runmodes: enabling 'eve-log' module 'files' [2228521] Config: runmodes: enabling 'eve-log' module 'smtp' [2228521] Config: runmodes: enabling 'eve-log' module 'websocket' [2228521] Config: runmodes: enabling 'eve-log' module 'ftp' [2228521] Config: runmodes: enabling 'eve-log' module 'rdp' [2228521] Config: runmodes: enabling 'eve-log' module 'nfs' [2228521] Config: runmodes: enabling 'eve-log' module 'smb' [2228521] Config: runmodes: enabling 'eve-log' module 'tftp' [2228521] Config: runmodes: enabling 'eve-log' module 'ike' [2228521] Config: runmodes: enabling 'eve-log' module 'dcerpc' [2228521] Config: runmodes: enabling 'eve-log' module 'krb5' [2228521] Config: runmodes: enabling 'eve-log' module 'bittorrent-dht' [2228521] Config: runmodes: enabling 'eve-log' module 'snmp' [2228521] Config: runmodes: enabling 'eve-log' module 'rfb' [2228521] Config: runmodes: enabling 'eve-log' module 'sip' [2228521] Config: runmodes: enabling 'eve-log' module 'quic' [2228521] Config: runmodes: enabling 'eve-log' module 'ldap' [2228521] Config: runmodes: enabling 'eve-log' module 'pop3' [2228521] Config: runmodes: enabling 'eve-log' module 'arp' [2228521] Config: runmodes: enabling 'eve-log' module 'dhcp' [2228521] Config: runmodes: enabling 'eve-log' module 'ssh' [2228521] Config: runmodes: enabling 'eve-log' module 'mqtt' [2228521] Config: runmodes: enabling 'eve-log' module 
'http2' [2228521] Config: runmodes: enabling 'eve-log' module 'doh2' [2228521] Config: runmodes: enabling 'eve-log' module 'pgsql' AddressSanitizer:DEADLYSIGNAL ================================================================= ==2228520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f61b5624c0 bp 0x7f7a5f7d2460 sp 0x7f7a5f7d2450 T1) ==2228520==The signal is caused by a READ memory access. ==2228520==Hint: address points to the zero page. #0 0x55f61b5624c0 in OutputTxLoggerGetActiveCount /some/directory/OISF/suricata/src/output-tx.c #1 0x55f61b565d6a in OutputSetupActiveLoggers /some/directory/OISF/suricata/src/output.c:907:24 #2 0x55f61b57c854 in RunModeInitializeOutputs /some/directory/OISF/suricata/src/runmodes.c:946:5 #3 0x55f61b33cbe2 in PreRunPostPrivsDropInit /some/directory/OISF/suricata/src/suricata.c:2322:5 #4 0x55f61b578dd8 in UnixSocketPcapFilesCheck /some/directory/OISF/suricata/src/runmode-unix-socket.c:546:5 #5 0x55f61b353b82 in UnixCommandBackgroundTasks /some/directory/OISF/suricata/src/unix-manager.c:443:20 #6 0x55f61b353b82 in UnixManager /some/directory/OISF/suricata/src/unix-manager.c:1179:9 #7 0x55f61b34b4f7 in TmThreadsManagement /some/directory/OISF/suricata/src/tm-threads.c:571:9 #8 0x7f7a625711f4 in start_thread nptl/./nptl/pthread_create.c:442:8 #9 0x7f7a625f189b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /some/directory/OISF/suricata/src/output-tx.c in OutputTxLoggerGetActiveCount Thread T1 (US) created by T0 (Suricata-Main) here: #0 0x55f61b2e504c in __interceptor_pthread_create (/some/directory/OISF/suricata/src/suricata+0x95a04c) (BuildId: 1796ed4efbe3fc9cab644e301fd8a71f06bc05b7) #1 0x55f61b3472f2 in TmThreadSpawn /some/directory/OISF/suricata/src/tm-threads.c:1745:14 #2 0x55f61b3522e1 in UnixManagerThreadSpawn /some/directory/OISF/suricata/src/unix-manager.c:1202:9 #3 0x55f61b573c41 in RunModeUnixSocketMaster /some/directory/OISF/suricata/src/runmode-unix-socket.c:1779:5 #4 0x55f61b57a497 in RunModeDispatch /some/directory/OISF/suricata/src/runmodes.c:442:5 #5 0x55f61b3402ec in SuricataInit /some/directory/OISF/suricata/src/suricata.c:3091:5 #6 0x55f61b336984 in main /some/directory/OISF/suricata/src/main.c:57:5 #7 0x7f7a6250f249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 ==2228520==ABORTING
Updated by Philippe Antoine 20 days ago
I am reproducing with supplied suricata.yaml, and it is not reproducing with the default suricata.yaml
Updated by Philippe Antoine 20 days ago
Minimized reproducer
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: true
      types:
        - alert
Updated by Philippe Antoine 20 days ago
Not affecting 7.0.11 (this seems due to making things dynamic in 8)
Updated by Philippe Antoine 20 days ago
- Status changed from Feedback to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Jason Ish 3 days ago
- Status changed from In Review to Closed
Merged via https://github.com/OISF/suricata/pull/13683.