Project

General

Profile

Bug #1637

Updated by Victor Julien over 8 years ago

Dear, 

     I have a Suricata running on version 2.0.10 on Centos7 we have an issue that the Suricata service fails when it receives a small udp packet size or a large one please find below logs when the issue happens  

 the following logs are taken when it received a large udp Packet Size 

 <pre> 
 [root@ips01 suricata]# tail /var/log/messages 
 Dec    8 14:23:59 ips01 iptables.init: iptables: Setting chains to policy ACCEPT: mangle filter [    OK    ] 
 Dec    8 14:23:59 ips01 iptables.init: iptables: Flushing firewall rules: [    OK    ] 
 Dec    8 14:23:59 ips01 iptables.init: iptables: Unloading modules: [    OK    ] 
 Dec    8 14:23:59 ips01 systemd: Starting IPv4 firewall with iptables... 
 Dec    8 14:23:59 ips01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team 
 Dec    8 14:23:59 ips01 iptables.init: iptables: Applying firewall rules: [    OK    ] 
 Dec    8 14:23:59 ips01 systemd: Started IPv4 firewall with iptables. 
 Dec    8 14:24:09 ips01 kernel: Detect1[26508]: segfault at 4 ip 00000000004c7fcc sp 00007f4fac0a0470 error 4 in suricata[400000+1c6000] 
 Dec    8 14:24:09 ips01 systemd: suricata.service: main process exited, code=killed, status=11/SEGV 
 Dec    8 14:24:09 ips01 systemd: Unit suricata.service entered failed state. 
 </pre> 


 <pre> 
 [root@ips01 ~]# tailf /usr/local/var/log/suricata/fast.log 
 12/08/2015-14:24:07.437108    [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370 
 12/08/2015-14:24:07.438062    [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370 
 12/08/2015-14:24:07.441106    [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370 
 12/08/2015-14:24:07.871481    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60723 -> 87.98.175.85:53 
 12/08/2015-14:24:08.235181    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:63715 -> 106.186.17.181:53 
 12/08/2015-14:24:08.344190    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:63328 -> 95.211.195.245:53 
 12/08/2015-14:24:08.466187    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:57532 -> 192.121.170.170:53 
 12/08/2015-14:24:08.653227    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60581 -> 151.236.6.6:53 
 12/08/2015-14:24:08.887174    [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60723 -> 87.98.175.85:53 
 12/08/2015-14:24:09.075701    [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.196.31:53 -> 85.195.64.11:27710 
 </pre> 


 if we disable the Sid #521 or sid #2200038 the issue is solved and the service doesn't fail can you please help? 

  the rules are  
 <pre> 
 drop pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; sid:2200038; rev:1;) 

 drop udp any any -> any any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;) 
 </pre>

Back