[Oisf-devel] Crashing

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Feb 17 17:09:02 UTC 2011


On 10/02/11 19:21, Victor Julien wrote:
> On 02/10/2011 01:53 PM, Chris Wakelin wrote:
>>> This could be possible. I never saw it outside of the checksum keywords
>>> though, they are not used by any ET/VRT rule by default.
>>
>> Similarly a wild guess. However I've had more crashes since, so I guess
>> it's not fixed. I'm not getting any core dumps though, despite having
>> "ulimit -c unlimited" and for good measure starting Suricata with a CWD
>> of /var/log/suricata (i.e. which it can write to). Where is it likely to
>> leave them?
> 
> Usually in the CWD. If you're using priv dropping you might want to make
> sure there is no existing core that is owned by root.

I've tried running it as a daemon and without tcmalloc and several times
I've got something interesting at the end of the log file:

> [3351] 17/2/2011 -- 14:41:11 - (respond-reject-libnet11.c:88) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_INIT(142)] - libnet_inint failed: libnet_init(): UID or EUID of 0 required

I'm running as a non-privileged user, but not chrooted. (Still no core
files though!). It looks like it might be trying to reject a connection
as if it were in inline mode (which it's not!), and then not having the
required privileges. Any idea what could cause that?

> 
> Are you able to capture traffic on a large scale? In that case you could
> maybe try to rerun Suricata against it in pcap file mode and see if you
> can get a reproducible test case.

Is there a way to dump packets in a circular buffer? Otherwise I think
we'd quickly run out of disk space (e.g. in the last run I got stats
for, we got 250GB in just under 90 minutes).

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
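
An added example, not part of this thread or of Suricata's code: a Python check for the usual Linux reasons no core file shows up in the CWD, including the existing core owned by root mentioned in the quoted reply. The function and parameter names are hypothetical, and the core_pattern and fs.suid_dumpable checks are general Linux behaviour rather than anything stated in the thread.

```python
import os
import resource
import stat

def read_sysctl(path, default):
    """Return the stripped contents of a /proc/sys file, or default if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default

def core_dump_blockers(cwd, run_uid, dropped_privs=True, core_limit=None,
                       core_pattern=None, suid_dumpable=None):
    """Return reasons a process running as run_uid with this CWD leaves no core file."""
    if core_limit is None:  # soft limit, the value "ulimit -c" reports
        core_limit = resource.getrlimit(resource.RLIMIT_CORE)[0]
    if core_pattern is None:
        core_pattern = read_sysctl("/proc/sys/kernel/core_pattern", "core")
    if suid_dumpable is None:
        suid_dumpable = read_sysctl("/proc/sys/fs/suid_dumpable", "0")
    reasons = []
    if core_limit == 0:
        reasons.append("RLIMIT_CORE is 0")
    if dropped_privs and str(suid_dumpable) == "0":
        reasons.append("fs.suid_dumpable is 0: no dump after a UID change")
    if core_pattern.startswith("|"):
        return reasons + ["core_pattern pipes the dump to a helper program"]
    # A relative core_pattern is resolved against the crashing process's CWD.
    target_dir, base = os.path.split(os.path.join(cwd, core_pattern))
    prefix = base.split("%", 1)[0]  # literal part before any %p, %e, ...
    try:
        st = os.stat(target_dir)
        names = os.listdir(target_dir)
    except OSError as exc:
        return reasons + ["cannot inspect %s: %s" % (target_dir, exc)]
    # Simplified permission check: owner and "other" bits only, groups ignored.
    writable = run_uid == 0 or bool(st.st_mode & stat.S_IWOTH) or (
        st.st_uid == run_uid and bool(st.st_mode & stat.S_IWUSR))
    if not writable:
        reasons.append("%s is not writable by uid %d" % (target_dir, run_uid))
    for name in names:
        path = os.path.join(target_dir, name)
        if prefix and name.startswith(prefix) and os.lstat(path).st_uid != run_uid:
            reasons.append("existing %s is owned by another user" % path)
    return reasons

if __name__ == "__main__":
    for reason in core_dump_blockers(os.getcwd(), os.geteuid()):
        print("blocker:", reason)
```

Run it from the directory the daemon is started in, passing the UID it runs as after dropping privileges.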


