[Oisf-devel] suricata 1.3.4 coredump caused by segfault
Victor Julien
victor at inliniac.net
Mon Dec 3 14:54:33 UTC 2012
On 12/03/2012 03:38 AM, xbadou xbadou wrote:
> Hi,
>
> I use 'top' command, my memory is as follows:
>
> Mem: 3080880k total, 356708k used, 2724172k free, 6452k buffers
> Swap: 2650684k total, 0k used, 2650684k free, 83212k cached
>
> When suricata starts, it used about 6.6% (~203MB). But it become larger
> and larger.
>
> The following is some log when suricata starts.
>
> 3/12/2012 -- 08:44:50 - <Info> - AutoFP mode using default "Active
> Packets" flow load balancer
> 3/12/2012 -- 08:44:50 - <Info> - Use pid file /var/run/suricata.pid from
> config file.
> 3/12/2012 -- 08:44:50 - <Info> - preallocated 5000 packets. Total memory
> 15440000
> 3/12/2012 -- 08:44:50 - <Info> - allocated 131072 bytes of memory for
> the host hash... 4096 buckets of size 32
> 3/12/2012 -- 08:44:50 - <Info> - preallocated 1000 hosts of size 72
> 3/12/2012 -- 08:44:50 - <Info> - host memory usage: 203072 bytes,
> maximum: 16777216
> 3/12/2012 -- 08:44:50 - <Info> - allocated 2097152 bytes of memory for
> the flow hash... 65536 buckets of size 32
> 3/12/2012 -- 08:44:50 - <Info> - preallocated 10000 flows of size 176
> 3/12/2012 -- 08:44:50 - <Info> - flow memory usage: 3857152 bytes,
> maximum: 33554432
> 3/12/2012 -- 08:44:50 - <Info> - using magic-file /usr/share/file/magic
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
> "ipv6.ipv4_in_ipv6_too_small"
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr
> any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short";
> decode-event:ipv6.ipv4_in_ipv6_too_small; sid:2200082; rev:1;)" from
> file /etc/suricata/rules/decoder-events.rules at line 93
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
> "ipv6.ipv4_in_ipv6_wrong_version"
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr
> any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol";
> decode-event:ipv6.ipv4_in_ipv6_wrong_version; sid:2200083; rev:1;)" from
> file /etc/suricata/rules/decoder-events.rules at line 94
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
> "ipv6.ipv6_in_ipv6_too_small"
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr
> any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short";
> decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)" from
> file /etc/suricata/rules/decoder-events.rules at line 96
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
> "ipv6.ipv6_in_ipv6_wrong_version"
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr
> any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol";
> decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)" from
> file /etc/suricata/rules/decoder-events.rules at line 97
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-botcc.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-ciarmy.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-compromised.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-drop.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-dshield.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
> SC_ERR_OPENING_RULE_FILE(41)] - opening rule file
> /etc/suricata/rules/emerging-tor.rules: No such file or directory.
> 3/12/2012 -- 08:44:53 - <Info> - 41 rule files processed. 6106 rules
> succesfully loaded, 4 rules failed
> 3/12/2012 -- 08:44:54 - <Info> - 6114 signatures processed. 4 are
> IP-only rules, 2880 are inspecting packet payload, 3885 inspect
> application layer, 72 are decoder event only
> 3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 3/12/2012 -- 08:44:56 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 3/12/2012 -- 08:44:57 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error
> opening file: "/etc/suricata//threshold.config": No such file or directory
> 3/12/2012 -- 08:44:57 - <Info> - Core dump size is unlimited.
> 3/12/2012 -- 08:44:57 - <Info> - fast output device (regular)
> initialized: fast.log
> 3/12/2012 -- 08:44:57 - <Info> - Unified2-alert initialized: filename
> unified2.alert, limit 32 MB
> 3/12/2012 -- 08:44:57 - <Info> - Using 1 live device(s).
> 3/12/2012 -- 08:44:57 - <Info> - Unable to find pcap config for
> interface wafbridge1, using default value
> 3/12/2012 -- 08:44:57 - <Info> - using interface wafbridge1
> 3/12/2012 -- 08:44:57 - <Info> - RunModeIdsPcapAutoFp initialised
> 3/12/2012 -- 08:44:57 - <Info> - stream "max-sessions": 262144
> 3/12/2012 -- 08:44:57 - <Info> - stream "prealloc-sessions": 32768
> 3/12/2012 -- 08:44:57 - <Info> - stream "memcap": 33554432
> 3/12/2012 -- 08:44:57 - <Info> - stream "midstream" session pickups:
> disabled
> 3/12/2012 -- 08:44:57 - <Info> - stream "async-oneside": disabled
> 3/12/2012 -- 08:44:57 - <Info> - stream "checksum-validation": enabled
> 3/12/2012 -- 08:44:57 - <Info> - stream."inline": disabled
> 3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "memcap": 67108864
> 3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "depth": 1048576
> 3/12/2012 -- 08:44:57 - <Info> - stream.reassembly
> "toserver-chunk-size": 2560
> 3/12/2012 -- 08:44:57 - <Info> - stream.reassembly
> "toclient-chunk-size": 2560
> 3/12/2012 -- 08:44:57 - <Info> - all 7 packet processing threads, 3
> management threads initialized, engine started.
>
>
> My testing network is like this.
>
> Working Network ------Suricata-------Internet
>
> Working Network bandwidth is about 8~30Mbit/s. Each traffic we visit
> Internet is checked by Suricata.
Could you try upgrading to our 1.3-dev branch here:
https://github.com/inliniac/suricata/tree/master-1.3.x
We fixed a memory leak in our flow engine that may be related to the
issue you are having.
Cheers,
Victor
>
> Thank you.
>
>
>
> On Fri, Nov 30, 2012 at 6:44 PM, Peter Manev <petermanev at gmail.com
> <mailto:petermanev at gmail.com>> wrote:
>
> Hi,
>
> You mention that you have small traffic - how much memory does
> Suricata use? how many rules do you load?
>
> thank you
>
> On Fri, Nov 30, 2012 at 3:50 AM, xbadou xbadou <xbadou at gmail.com
> <mailto:xbadou at gmail.com>> wrote:
>
> Thank you very much.
>
> But I want to known, whether I can do something to limit the max
> memory usage of suricata. Because I just have very small
> network traffic. I think 4 GB is maybe enough to me. I just
> want suricata keep alive if it can't get more memory. Or
> suricata do some memory clean jobs if it can't allocate more memory.
>
> If suricata get a segfault very offen, I think I may need a
> watchdog to watch this and restart it.
>
>
> On Fri, Nov 30, 2012 at 10:26 AM, Marcos Rodriguez
> <marcos.e.rodriguez at gmail.com
> <mailto:marcos.e.rodriguez at gmail.com>> wrote:
>
>
>
> On Thu, Nov 29, 2012 at 8:23 PM, xbadou xbadou
> <xbadou at gmail.com <mailto:xbadou at gmail.com>> wrote:
>
> Yes, I am running debian 5 with kernel 2.6.31.14
> 32bit。 And the system ram size is 2GB*2.
>
> So, if it is really this issue. How can I avoid this
> coredump happen? Can I change some settings in the
> suricata.yaml file?
>
> Thanks.
>
>
>
> At the bottom of the suricata.yaml file, you'll find this
> section:
>
> # Suricata core dump configuration. Limits the size of the
> core dump file to
> # approximately max-dump. The actual core dump size will be
> a multiple of the
> # page size. Core dumps that would be larger than max-dump
> are truncated. On
> # Linux, the actual core dump size may be a few pages larger
> than max-dump.
> # Setting max-dump to 0 disables core dumping.
> # Setting max-dump to 'unlimited' will give the full core
> dump file.
> # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause
> the core dump size
> # to be 'unlimited'.
>
> coredump:
> max-dump: unlimited
>
> Change the max-dump to 0 to disable. :o)
>
> marcos
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list:
> oisf-devel at openinfosecfoundation.org
> <mailto:oisf-devel at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list