Bug #1669

Updated by Victor Julien over 8 years ago

There is a daily service restart at 07h CET (logrotate and rules), and sometimes at 16h Suricata segfaults.

 Kernel ring message: 
 <pre> 
 RxPFReth51[38079]: segfault at 7f43a1975000 ip 00000000005930c9 sp 00007f43a2373420 error 4 in suricata[400000+225000] 
 </pre> 

 Redhat 6.7 
 <pre> 
 2.6.32-573.12.1.el6.x86_64 #1 SMP Mon Nov 23 12:55:32 EST 2015 x86_64 x86_64 x86_64 GNU/Linux 
 </pre> 

 Pfring from source: 
 <pre> 
 ~]# cat /proc/net/pf_ring/info 
 PF_RING Version            : 6.3.0 (unknown) 
 Total rings                : 4 

 Standard (non DNA/ZC) Options 
 Ring slots                 : 8192 
 Slot version               : 16 
 Capture TX                 : No [RX only] 
 IP Defragment              : No 
 Socket Mode                : Standard 
 Total plugins              : 0 
 Cluster Fragment Queue     : 0 
 Cluster Fragment Discard : 0 
 </pre> 

 Suricata: 
 <pre> 
 ~]# ldd /usr/bin/suricata 
	 linux-vdso.so.1 =>    (0x00007ffc3298f000) 
	 libhtp-0.5.18.so.1 => /usr/lib/libhtp-0.5.18.so.1 (0x0000003625800000) 
	 libGeoIP.so.1 => /usr/lib64/libGeoIP.so.1 (0x0000003ee0200000) 
	 libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007ff5315eb000) 
	 libmagic.so.1 => /usr/local/lib/libmagic.so.1 (0x00007ff5313ce000) 
	 libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x0000003219800000) 
	 libpfring.so => /usr/local/lib/libpfring.so (0x00007ff53116f000) 
	 libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007ff530eda000) 
	 libnet.so.1 => /lib64/libnet.so.1 (0x0000003219c00000) 
	 libjansson.so.4 => /usr/lib64/libjansson.so.4 (0x000000321ac00000) 
	 libyaml-0.so.2 => /usr/lib64/libyaml-0.so.2 (0x000000321a400000) 
	 libpcre.so.1 => /opt/pcre-8.37/lib/libpcre.so.1 (0x00007ff530c6e000) 
	 librt.so.1 => /lib64/librt.so.1 (0x0000003218800000) 
	 libnuma.so.1 => /usr/lib64/libnuma.so.1 (0x0000003219400000) 
	 libssl3.so => /usr/lib64/libssl3.so (0x0000003ce4e00000) 
	 libsmime3.so => /usr/lib64/libsmime3.so (0x0000003ce5200000) 
	 libnss3.so => /usr/lib64/libnss3.so (0x0000003ce4a00000) 
	 libnssutil3.so => /usr/lib64/libnssutil3.so (0x0000003815e00000) 
	 libplds4.so => /lib64/libplds4.so (0x0000003816600000) 
	 libplc4.so => /lib64/libplc4.so (0x0000003816200000) 
	 libnspr4.so => /lib64/libnspr4.so (0x0000003815a00000) 
	 libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003218400000) 
	 libdl.so.2 => /lib64/libdl.so.2 (0x0000003218000000) 
	 libc.so.6 => /lib64/libc.so.6 (0x0000003217c00000) 
	 libz.so.1 => /lib64/libz.so.1 (0x0000003219000000) 
	 libm.so.6 => /lib64/libm.so.6 (0x0000003218c00000) 
	 libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x000000321a000000) 
	 /lib64/ld-linux-x86-64.so.2 (0x0000003217800000) 
 </pre> 

 <pre> 
 ~]# suricata --build-info 
 This is Suricata version 3.0RC3 RELEASE 
 Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS 
 SIMD support: SSE_4_2 SSE_4_1 SSE_3 
 Atomic intrisics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901 
 compiled with -fstack-protector 
 compiled with _FORTIFY_SOURCE=2 
 L1 cache line size (CLS)=64 
 thread local storage method: __thread 
 compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   PF_RING support:                           yes 
   NFQueue support:                           no 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no 
   DAG enabled:                               no 
   Napatech enabled:                          no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   hiredis support:                           no 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               yes, through luajit 
   libluajit:                                 yes 
   libgeoip:                                  yes 
   Non-bundled htp:                           no 
   Old barnyard2 support:                     yes 
   CUDA enabled:                              no 

   Suricatasc install:                        yes 

   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 
   Profiling enabled:                         no 
   Profiling locks enabled:                   no 
   Coccinelle / spatch:                       no 

 Generic build parameters: 
   Installation prefix:                       /usr 
   Configuration directory:                   /etc/suricata/ 
   Log directory:                             /var/log/suricata/ 

   --prefix                                   /usr 
   --sysconfdir                               /etc 
   --localstatedir                            /var 

   Host:                                      x86_64-unknown-linux-gnu 
   Compiler:                                  gcc (exec name) / gcc (real) 
   GCC Protect enabled:                       yes 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
   Position Independent Executable enabled: no 
   CFLAGS                                     -g -O2 -march=native 
   PCAP_CFLAGS                                 -I/usr/local/include 
   SECCFLAGS                                  -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security 
 </pre>
