What should i do to get backtrace? <br><br><div class="gmail_quote">2012/6/8 Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On 06/07/2012 01:44 PM, Константин Хабаров wrote:<br>
> Hi all, i use suricata engine version 1.2.1<br>
> it works fine for a month, but one time it starts crashing. Now, it can<br>
> work 1-2 days and crash, but can crash after 5-10 minutes working<br>
><br>
> Here is my suricata output<br>
><br>
> 7/6/2012 -- 14:44:57 - <Info> - This is Suricata version 1.2.1 RELEASE<br>
> 7/6/2012 -- 14:44:57 - <Info> - CPUs/cores online: 4<br>
> 7/6/2012 -- 14:44:57 - <Info> - Found an MTU of 1500 for 'eth1'<br>
> 7/6/2012 -- 14:44:57 - <Info> - Using PCRE match-limit setting of: 3500<br>
> 7/6/2012 -- 14:44:57 - <Info> - preallocated 50 packets. Total memory 156000<br>
> 7/6/2012 -- 14:44:57 - <Info> - allocated 524288 bytes of memory for the<br>
> flow hash... 65536 buckets of size 8<br>
> 7/6/2012 -- 14:44:57 - <Info> - preallocated 10000 flows of size 168<br>
> 7/6/2012 -- 14:44:57 - <Info> - flow memory usage: 2204288 bytes,<br>
> maximum: 33554432<br>
> 7/6/2012 -- 14:45:03 - <Info> - 1 rule files processed. 11833 rules<br>
> succesfully loaded, 0 rules failed<br>
> 7/6/2012 -- 14:45:15 - <Info> - 11841 signatures processed. 724 are<br>
> IP-only rules, 3627 are inspecting packet payload, 8959 inspect<br>
> application layer, 0 are decoder event only<br>
> 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,<br>
> stage 1: adding signatures to signature source addresses... complete<br>
> 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,<br>
> stage 2: building source address list... complete<br>
> 7/6/2012 -- 14:45:17 - <Info> - building signature grouping structure,<br>
> stage 3: building destination address lists... complete<br>
> 7/6/2012 -- 14:45:19 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error<br>
> opening file: "threshold.config": No such file or directory<br>
> 7/6/2012 -- 14:45:19 - <Info> - Core dump size set to unlimited.<br>
> 7/6/2012 -- 14:45:19 - <Info> - Unified2-alert initialized: filename<br>
> suricata.u2, limit 32 MB<br>
> 7/6/2012 -- 14:45:19 - <Info> - Using 1 live device(s).<br>
> 7/6/2012 -- 14:45:19 - <Info> - Unable to find pcap config for interface<br>
> eth1, using default value<br>
> 7/6/2012 -- 14:45:19 - <Info> - using interface eth1<br>
> 7/6/2012 -- 14:45:19 - <Info> - Running in 'auto' checksum mode.<br>
> Detection of interface state will require 1000 packets.<br>
> 7/6/2012 -- 14:45:19 - <Info> - RunModeIdsPcapAuto initialised<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "max_sessions": 262144<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "prealloc_sessions": 32768<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "memcap": 33554432<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "midstream" session pickups: disabled<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "async_oneside": disabled<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream "checksum_validation": enabled<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream."inline": disabled<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "memcap": 67108864<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "depth": 1048576<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toserver_chunk_size":<br>
> 2560<br>
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toclient_chunk_size":<br>
> 2560<br>
> 7/6/2012 -- 14:45:19 - <Info> - all 10 packet processing threads, 1<br>
> management threads initialized, engine started.<br>
> 7/6/2012 -- 14:45:22 - <Info> - No packets with invalid checksum,<br>
> assuming checksum offloading is NOT used<br>
> Segmentation fault (core dumped)<br>
><br>
> I get segmentation fault error after 5 minutes working.<br>
<br>
</div></div>Can you try to get us a back trace?<br>
<div class="im"><br>
> I see an error opening "threshold.config", but i don't use it in my<br>
> suricata.yaml config file.<br>
<br>
</div>This error is harmless. If no value is provided it tries to open<br>
"threshold.config" from your rules directory.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div style="text-align:left">
<div>
<div><font face="trebuchet ms,sans-serif"><font color="#993399"><span style="background-color:#ffffff"><font>С</font><font> уважением,<br>Инженер отдела защиты информации<br>ООО «РосИнтеграция»<br>Константин Хабаров <br>
<br>тел. 8-903-453-22-21</font></span></font></font>
</div><div><font color="#993399"><span style="background-color:#ffffff"><font face="courier new,monospace"><font><br></font></font></span></font></div><div><img src="cid:image001.jpg@01CC3193.03C24A80"> </div><div><a href="http://www.rosint.net" target="_blank">http://www.rosint.net</a></div>
</div>
</div><br>