[Oisf-devel] Crashing

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Feb 8 18:13:42 UTC 2011 

On 08/02/11 18:02, Victor Julien wrote:
> On 02/08/2011 12:58 PM, Chris Wakelin wrote:
>> On 08/02/11 17:53, Victor Julien wrote:
>>> On 02/08/2011 12:18 PM, Brant Wells wrote:
>>>> Hi All,
>>>>
>>>> I'm currently running Suricata 1.1 Beta1 (downloaded from site)...  The
>>>> system runs fine for several hours or days (I don't know which)... and
>>>> then mysteriously it will crash.  The only reason I notice, is that BASE
>>>> quits adding new entries to its list.

>>>
>>> Before starting Suricata do:
>>> ulimit -c unlimited
>>>
>>> That should get you a core dump. Let me know if you need further assistance.
>>>
>>> Cheers,
>>> Victor
>>>
>>
>> Me too, but ever since I did the "ulimit -c" yesterday (together with a
>> GIT update), it's behaved, so no backtraces yet ...
> 
> Cool, keep us updated if you can!
> 
>> (I've also got a UDP rule occasionally triggering on the wrong port;
>> I'll see if I can get a packet dump for that.)
> 
> I'd love to get more details on this.
> 
> Cheers,
> Victor
> 

Hmm, interestingly I haven't seen the UDP problem (on the Srzibi
emerging-trojans rule; destination port should be 1024 but it was
hitting randomly) since I updated yesterday, either.

I wonder whether:

> commit a8417377e700ed69c719d2c1c31acdac656bfa4f
> Author: Eric Leblond <eric at regit.org>
> Date:   Wed Feb 2 22:50:53 2011 +0100
> 
>     Don't use direct pkt access
>     
>     pkt field in Packet needs to be accessed via macro. This
>     patch supress some direct access.

(or later ones) fixed the UDP issue

and:

> commit addab7b5ee62f555e8743031ca8bb4178f893638
> Author: Victor Julien <victor at inliniac.net>
> Date:   Thu Feb 3 15:22:40 2011 +0100
> 
>     Don't test the several packet detection checks against pseudo packets as the matches would not be meaningful anyway. Prevents a segv in the csum detection.

fixed the segfault.

I'll keep you posted!

Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-devel mailing list