[Oisf-devel] Suricata 1.2.1 + OpenBSD 5.1 = segmentation fault

Peter Manev petermanev at gmail.com
Mon May 21 07:19:20 UTC 2012


Hi guys,

Sure will try to reproduce it and let you know.

thanks

On Mon, May 21, 2012 at 9:05 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> So looks like an OpenBSD thing.
>
> Peter, possible for you to reproduce it on an openbsd box?
>
> On Mon, May 21, 2012 at 12:30 PM, Henri Wahl <h.wahl at ifw-dresden.de>
> wrote:
> > Hi Anoop,
> > I run the same file I sent you again on my OpenBSD with Suricata and got
> > a core dump:
> >
> > ...
> > ular) initialized: http.log
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:334) <Info>
> > (StreamTcpInitConfig) -- stream "max-sessions": 262144
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:346) <Info>
> > (StreamTcpInitConfig) -- stream "prealloc-sessions": 32768
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:362) <Info>
> > (StreamTcpInitConfig) -- stream "memcap": 33554432
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:368) <Info>
> > (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:374) <Info>
> > (StreamTcpInitConfig) -- stream "async-oneside": disabled
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:391) <Info>
> > (StreamTcpInitConfig) -- stream "checksum-validation": enabled
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:401) <Info>
> > (StreamTcpInitConfig) -- stream."inline": disabled
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:419) <Info>
> > (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:437) <Info>
> > (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:478) <Info>
> > (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2560
> > [10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:480) <Info>
> > (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2560
> > [10304] 21/5/2012 -- 08:55:28 - (source-pcap-file.c:216) <Info>
> > (ReceivePcapFileThreadInit) -- reading pcap file suricata_crash_dump.pcap
> > [10304] 21/5/2012 -- 08:55:28 - (tm-threads.c:1858) <Info>
> > (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 1
> > management threads initialized, engine started.
> > [10304] 21/5/2012 -- 08:55:28 - (source-pcap-file.c:193) <Info>
> > (ReceivePcapFileLoop) -- pcap file end of file reached (pcap err code 0)
> > Segmentation fault (core dumped)
> >
> > Doing this on the Linux CentOS 5.8 machine with Suricata 1.2 all seems OK:
> >
> > ...
> > 21/5/2012 -- 08:54:25 - <Info> - stream.reassembly "memcap": 67108864
> > 21/5/2012 -- 08:54:25 - <Info> - stream.reassembly "depth": 1048576
> > 21/5/2012 -- 08:54:25 - <Info> - stream.reassembly
> > "toserver_chunk_size": 2560
> > 21/5/2012 -- 08:54:25 - <Info> - stream.reassembly
> > "toclient_chunk_size": 2560
> > 21/5/2012 -- 08:54:25 - <Info> - reading pcap file suricata_crash_dump.pcap
> > 21/5/2012 -- 08:54:25 - <Info> - all 5 packet processing threads, 1
> > management threads initialized, engine started.
> > 21/5/2012 -- 08:54:25 - <Info> - pcap file end of file reached (pcap err
> > code 0)
> > 21/5/2012 -- 08:54:25 - <Info> - stopping engine, waiting for
> > outstanding packets
> > 21/5/2012 -- 08:54:25 - <Info> - all packets processed by threads,
> > stopping engine
> > 21/5/2012 -- 08:54:25 - <Info> - 0 new flows, 0 established flows were
> > timed out, 0 flows in closed state
> > 21/5/2012 -- 08:54:25 - <Info> - time elapsed 0.213s
> > 21/5/2012 -- 08:54:25 - <Info> - Pcap-file module read 117 packets,
> > 108788 bytes
> > 21/5/2012 -- 08:54:25 - <Info> - Stream TCP processed 117 TCP packets
> > 21/5/2012 -- 08:54:25 - <Info> - Fast log output wrote 0 alerts
> > 21/5/2012 -- 08:54:25 - <Info> - Alert unified2 module wrote 0 alerts
> > 21/5/2012 -- 08:54:25 - <Info> - Max memuse of the stream reassembly
> > engine 11292544 (in use 0)
> > 21/5/2012 -- 08:54:25 - <Info> - Max memuse of stream engine 6029312 (in
> > use 0)
> > 21/5/2012 -- 08:54:25 - <Info> - cleaning up signature grouping
> > structure... complete
> >
> > So this seems to be somehow OpenBSD related. Are you able to test on
> > OpenBSD or are there any OpenBSD developers?
> >
> > Regards
> > Henri
> >
> > --
> > Henri Wahl
> >
> > IT Department
> > Leibniz-Institut für Festkörper- u.
> > Werkstoffforschung Dresden
> >
> > tel. (03 51) 46 59 - 797
> > email: h.wahl at ifw-dresden.de
> > http://www.ifw-dresden.de
> >
> > Nagios status monitor for your desktop:
> > http://nagstamon.ifw-dresden.de
> >
> > IFW Dresden e.V., Helmholtzstraße 20, D-01069 Dresden
> > VR Dresden Nr. 1369
> > Vorstand: Prof. Dr. Ludwig Schultz, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
> >
>
>
>
> --
> Anoop Saldanha
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>



-- 
Regards,
Peter Manev