[Oisf-devel] LuaJIT running out of memory causing Suricata crashes?
Chris Wakelin
c.d.wakelin at reading.ac.uk
Wed Dec 4 11:37:27 UTC 2013
Hi,
I'm running the git master as of yesterday, I'm no longer getting
crashes with core dumps, but Suricata does die sometimes (without
dumping core). Looking in suricata.log I'm usually seeing something like:
> [32611] 4/12/2013 -- 11:17:02 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: /etc/suricata/rules/suri-xor-non-zero.lua:70: bad argument #1 to 'xor0' (number expected, got nil)
> [32602] 4/12/2013 -- 11:17:07 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32581] 4/12/2013 -- 11:17:35 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32593] 4/12/2013 -- 11:17:47 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: /etc/suricata/rules/suri-suspicious-flash2.lua:179: bad argument #2 to 'unpack' (data string too short)
> [32596] 4/12/2013 -- 11:17:50 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32596] 4/12/2013 -- 11:17:51 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32581] 4/12/2013 -- 11:17:56 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32593] 4/12/2013 -- 11:18:11 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32587] 4/12/2013 -- 11:18:27 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32578] 4/12/2013 -- 11:18:30 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32611] 4/12/2013 -- 11:18:36 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: /etc/suricata/rules/suri-xor-binary-quick.lua:218: bad argument #1 to 'xor0' (number expected, got nil)
> [32611] 4/12/2013 -- 11:18:36 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: /etc/suricata/rules/suri-xor-binary-quick.lua:218: bad argument #1 to 'xor0' (number expected, got nil)
> [32611] 4/12/2013 -- 11:18:36 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: /etc/suricata/rules/suri-xor-binary-quick.lua:218: bad argument #1 to 'xor0' (number expected, got nil)
> [32581] 4/12/2013 -- 11:18:42 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: InvalidInput: input string does not conform to zlib format or checksum failed at /home/operator/src/svn/lua/lua-zlib/lua_zlib.c line 155
> [32584] 4/12/2013 -- 11:18:50 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: not enough memory
> [32587] 4/12/2013 -- 11:18:50 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: not enough memory
> [32578] 4/12/2013 -- 11:18:50 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: not enough memory
I guess we could add more checks to the Lua scripts to avoid the
zlib/xor errors, which occur all the time, but I think they're probably
not significant. Is there a way we could prevent or at least debug the
"not enough memory" errors which are presumably what causes Suricata to
crash?
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
More information about the Oisf-devel
mailing list