
<html><head><style type="text/css">.style1 {font-family: "Times New Roman";}</style></head><body>Victor,<BR>

<BR>

Michal told me he already reported the bug that I think we are experiencing. SMB Parser causing Suircata 5.0.0 to crash.  If you can tell me where to look to gather evidence then I will be glad to submit the info.<BR>

<BR>

I am considering installing monit to restart Suricata when it detects the crash.<BR>

<BR>

We did not have the problem until we upgraded to 5.0.0.<BR>

<BR>

Thanks.<BR>

<BR>

Leonard<BR>

<BR>

-----Original Message-----<BR>

From: Oisf-users <oisf-users-bounces@lists.openinfosecfoundation.org> On Behalf Of Victor Julien<BR>

Sent: Thursday, November 21, 2019 12:28 PM<BR>

To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><BR>

Subject: Re: [Oisf-users] Suricata 5.0.0 randomly stops running<BR>

<BR>

Hi Leonard, please provide some more detail in a report like this. Right now there is no actionable information in your report. Just that it doesn't work.<BR>

<BR>

All I can suggest is to reboot?<BR>

<BR>

Joking aside, please see:<BR>

<BR>

<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs</a><BR>

<BR>

It contains suggestions on how to report bugs in a useful way.<BR>

<BR>

Regards,<BR>

Victor<BR>

<BR>

<BR>

On 21-11-19 06:57, Leonard Jacobs wrote:<BR>

> Is there any estimate when this issue will have a patch or fix or new <BR>

> revision?<BR>

> <BR>

> Thanks.<BR>

> <BR>

> Leonard<BR>

> <BR>

> *From: * Leonard Jacobs <leonard.jacobs@view.com><BR>

> *To: * Michał Purzyński <michalpurzynski1@gmail.com><BR>

> *Cc: * "oisf-users@lists.openinfosecfoundation.org"<BR>

> <oisf-users@lists.openinfosecfoundation.org><BR>

> *Sent: * 11/19/2019 7:47 AM<BR>

> *Subject: * Re: [Oisf-users] Suricata 5.0.0 randomly stops running<BR>

> <BR>

>     Seems like it make sense to disable SMB detection until this issue<BR>

>     is fixed.<BR>

> <BR>

>      <BR>

> <BR>

>     *From:* Michał Purzyński <michalpurzynski1@gmail.com><BR>

>     *Sent:* Monday, November 18, 2019 6:14 PM<BR>

>     *To:* Leonard Jacobs <leonard.jacobs@view.com><BR>

>     *Cc:* <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><BR>

>     *Subject:* Re: [Oisf-users] Suricata 5.0.0 randomly stops running<BR>

> <BR>

>      <BR>

> <BR>

>     Does "stops running" mean it crashes? If so, can you get the core file?<BR>

> <BR>

>     Might not be related, but do you have SMB traffic in your network? I<BR>

>     just stumbled upon this bug (it might be something else for you of<BR>

>     course)<BR>

>     <BR>

> <a href="https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&" target="_blank">https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&</a><BR>

> issue_position=1&next_issue_id=3341<BR>

> <BR>

>      <BR>

> <BR>

>      <BR>

> <BR>

>     On Mon, Nov 18, 2019 at 5:48 AM Leonard Jacobs<BR>

>     <leonard.jacobs@view.com <mailto:leonard.jacobs@view.com>> wrote:<BR>

> <BR>

>         Ever since we went to Suricata 5.0.0, our installation randomly<BR>

>         stops and we have to restart Suricata.  At first, we thought the<BR>

>         script that starts Suricata was failing but we manually start it<BR>

>         at a command line and experience the same issue.<BR>

> <BR>

>          <BR>

> <BR>

>         Running Suricata on Ubuntu 18.04 with 350 GB SSD, Xeon<BR>

>         processor, and 8 GB of RAM.  Suricata is configured to just<BR>

>         listen to network traffic on one gig ethernet port.<BR>

> <BR>

>          <BR>

> <BR>

>         How can I find out what is causing this problem?<BR>

> <BR>

>          <BR>

> <BR>

>         Thanks.<BR>

> <BR>

>          <BR>

> <BR>

>         *Leonard*<BR>

> <BR>

>          <BR>

> <BR>

>         This message and any attachments may contain confidential<BR>

>         information of View, Inc. If you are not the intended recipient<BR>

>         you are hereby notified that any dissemination, copying or<BR>

>         distribution of this message, or files associated with this<BR>

>         message, is strictly prohibited. If you have received this<BR>

>         message in error, please notify us immediately by replying to<BR>

>         the message and delete the message from your computer.<BR>

> <BR>

>         _______________________________________________<BR>

>         Suricata IDS Users mailing list:<BR>

>         <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><BR>

>         <mailto:oisf-users@openinfosecfoundation.org><BR>

>         Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<BR>

>         <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><BR>

>         List:<BR>

>         <BR>

> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><BR>

> <BR>

>         Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><BR>

>         Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><BR>

> <BR>

> <BR>

> <BR>

>     This message and any attachments may contain confidential<BR>

>     information of View, Inc. If you are not the intended recipient you<BR>

>     are hereby notified that any dissemination, copying or distribution<BR>

>     of this message, or files associated with this message, is strictly<BR>

>     prohibited. If you have received this message in error, please<BR>

>     notify us immediately by replying to the message and delete the<BR>

>     message from your computer.<BR>

> <BR>

> <BR>

> <BR>

>     _______________________________________________<BR>

>     Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><BR>

>     Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<BR>

>     <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><BR>

>     List:<BR>

>     <BR>

> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><BR>

> <BR>

>     Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><BR>

>     Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><BR>

> <BR>

> <BR>

> _______________________________________________<BR>

> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><BR>

> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<BR>

> <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><BR>

> List: <BR>

> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><BR>

> <BR>

> Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><BR>

> Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><BR>

> <BR>

<BR>

<BR>

--<BR>

---------------------------------------------<BR>

Victor Julien<BR>

<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><BR>

PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><BR>

---------------------------------------------<BR>

<BR>

_______________________________________________<BR>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><BR>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><BR>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><BR>

<BR>

Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><BR>

Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><BR>


<br /><br /><p style="font-family: Verdana; font-size:10pt; color:#666666;"></p><p style="font-family: Verdana; font-size:8pt; color:#666666;">This message and any attachments may contain confidential information of View, Inc. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and delete the message from your computer.</p></body></html>