[Oisf-devel] Crashing

Victor Julien victor at inliniac.net
Thu Feb 10 19:21:08 UTC 2011


On 02/10/2011 01:53 PM, Chris Wakelin wrote:
>> This could be possible. I never saw it outside of the checksum keywords
>> though, they are not used by any ET/VRT rule by default.
> 
> Similarly a wild guess. However I've had more crashes since, so I guess
> it's not fixed. I'm not getting any core dumps though, despite having
> "ulimit -c unlimited" and for good measure starting Suricata with a CWD
> of /var/log/suricata (i.e. which it can write to). Where is it likely to
> leave them?

Usually in the CWD. If you're using priv dropping you might want to make
sure there is no existing core that is owned by root.

Are you able to capture traffic on a large scale? In that case you could
maybe try to rerun Suricata against it in pcap file mode and see if you
can get a reproducible test case.

> 
> I'm also using the tcmalloc trick in
> http://www.inliniac.net/blog/2010/10/21/speeding-up-suricata-with-tcmalloc.html
> - will that make a difference do you think?

It shouldn't, but please try without it to be absolutely sure.

> I didn't get crashes until a week or so ago, so I think my GIT version
> as of 6th January is probably OK, except for the UDP port mismatches.

I think the biggest changes have been in the stream engine. It might be
related to those.

> Today I've got a new Suricata instance on the other half of our network,
> used by our student residences, which will be interesting :)

Cool, please keep the reports coming! Thanks Chris!

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
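A pre-flight check for the core-dump advice in this reply (cores land in the CWD, and a leftover root-owned core blocks the dropped-privilege user from writing a new one), added here as an example; it is not part of the thread or of Suricata itself. The function names are hypothetical, and the settings it reports are read-only lookups on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for getting a core
# dump out of a daemon that drops privileges, such as Suricata started with
# a run-as user. Function names are hypothetical.

# core_dir_ok DIR USER
# Succeeds (0) when DIR holds no core file owned by anyone other than USER;
# otherwise lists each such file and fails (1). A stale root-owned "core" in
# the CWD cannot be replaced once the process is running as USER.
core_dir_ok() {
    dir=$1; user=$2; rc=0
    for f in "$dir"/core "$dir"/core.*; do
        [ -e "$f" ] || continue
        # GNU stat first, BSD/macOS stat as fallback
        owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
        if [ "$owner" != "$user" ]; then
            echo "stale core owned by $owner, not $user: $f"
            rc=1
        fi
    done
    return $rc
}

# core_settings_report
# Prints the shell and kernel settings that also decide whether a core is
# written at all (Linux /proc paths; nothing is modified).
core_settings_report() {
    echo "ulimit -c:           $(ulimit -c)"    # 0 => no core for this shell's children
    [ -r /proc/sys/kernel/core_pattern ] &&
        echo "kernel.core_pattern: $(cat /proc/sys/kernel/core_pattern)"  # relative name => CWD
    [ -r /proc/sys/fs/suid_dumpable ] &&
        echo "fs.suid_dumpable:    $(cat /proc/sys/fs/suid_dumpable)"     # 0 => a process that changed uid does not dump
    return 0
}

# preflight_core_dump DIR USER
# Example: preflight_core_dump /var/log/suricata suricata
preflight_core_dump() {
    core_settings_report
    core_dir_ok "$1" "$2"
}
```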