[Oisf-users] "suricata: double free or corruption" when I use bpf filter

carlopmart carlopmart at gmail.com
Wed Nov 9 15:55:21 UTC 2011


Hi all,

  I am trying to pass a bpf filter file to suricata, but it crashes.

Command line:

suricata -c /data/config/etc/suricata/suricata.yaml -i eth8 -F /data/config/etc/suricata/bpf.conf

bpf file:

tcp port 80 (I only want to sniff http traffic)

Crash:

root@eorlingas:/data/config/etc/suricata# suricata -c /data/config/etc/suricata/suricata.yaml -i eth8 -F /data/config/etc/suricata/bpf.conf
[1422] 9/11/2011 -- 15:50:23 - (suricata.c:651) <Info> (main) -- This is Suricata version 1.1rc1
[1422] 9/11/2011 -- 15:50:23 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
[1422] 9/11/2011 -- 15:50:23 - (util-ioctl.c:91) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'eth8'
[1422] 9/11/2011 -- 15:50:23 - (detect-pcre.c:128) <Info> (DetectPcreRegister) -- Using PCRE match-limit setting of: 3500
[1422] 9/11/2011 -- 15:50:23 - (detect-pcre.c:138) <Info> (DetectPcreRegister) -- Using PCRE match-limit-recursion setting of: 1500
[1422] 9/11/2011 -- 15:50:23 - (suricata.c:1429) <Info> (main) -- preallocated 50 packets. Total memory 157000
[1422] 9/11/2011 -- 15:50:23 - (flow.c:840) <Info> (FlowInitConfig) -- initializing flow engine...
[1422] 9/11/2011 -- 15:50:23 - (flow.c:932) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
[1422] 9/11/2011 -- 15:50:23 - (flow.c:952) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 176
[1422] 9/11/2011 -- 15:50:23 - (flow.c:954) <Info> (FlowInitConfig) -- flow memory usage: 2284288 bytes, maximum: 33554432
[1422] 9/11/2011 -- 15:50:23 - (detect.c:626) <Info> (SigLoadSignatures) -- No signatures supplied.
[1422] 9/11/2011 -- 15:50:23 - (util-threshold-config.c:135) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[1422] 9/11/2011 -- 15:50:23 - (alert-fastlog.c:366) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: idpesx02.alerts
[1422] 9/11/2011 -- 15:50:23 - (alert-unified2-alert.c:1150) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename suricata.out, limit 128 MB
[1422] 9/11/2011 -- 15:50:23 - (log-httplog.c:448) <Info> (LogHttpLogInitCtx) -- HTTP log output initialized, filename: http.log
[1422] 9/11/2011 -- 15:50:23 - (log-pcap.c:485) <Info> (PcapLogInitCtx) -- Using log dir /nsm/sguil_sensor/idpesx02/dailylogs
[1422] 9/11/2011 -- 15:50:23 - (log-pcap.c:490) <Info> (PcapLogInitCtx) -- using Sguil compatible logging
[1422] 9/11/2011 -- 15:50:23 - (log-droplog.c:176) <Info> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
[1422] 9/11/2011 -- 15:50:23 - (runmode-pcap.c:144) <Info> (ParsePcapConfig) -- BPF filter set from command line or via old 'bpf-filter' option.
[1422] 9/11/2011 -- 15:50:23 - (runmode-pcap.c:227) <Info> (RunModeIdsPcapAuto) -- RunModeIdsPcapAuto initialised
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:346) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:358) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:368) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:374) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:380) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:397) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:407) <Info> (StreamTcpInitConfig) -- stream."inline": enabled
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:416) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:426) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:449) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[1422] 9/11/2011 -- 15:50:23 - (stream-tcp.c:451) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[1423] 9/11/2011 -- 15:50:23 - (source-pcap.c:318) <Info> (ReceivePcapThreadInit) -- using interface eth8
[1423] 9/11/2011 -- 15:50:23 - (source-pcap.c:359) <Info> (ReceivePcapThreadInit) -- Going to use pcap buffer size of 0
*** glibc detected *** suricata: double free or corruption (fasttop): 0x09b7c920 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x334591]
/lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0x335de8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x338ecd]
suricata[0x8052c01]
suricata[0x805d609]
suricata[0x813b542]
/lib/tls/i686/cmov/libpthread.so.0(+0x596e)[0x52c96e]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0x396a4e]
======= Memory map: ========
0021e000-00220000 r-xp 00000000 08:02 11708      /usr/lib/libnetfilter_queue.so.1.1.0
00220000-00221000 r--p 00001000 08:02 11708      /usr/lib/libnetfilter_queue.so.1.1.0
00221000-00222000 rw-p 00002000 08:02 11708      /usr/lib/libnetfilter_queue.so.1.1.0
00293000-002a3000 r-xp 00000000 08:11 18         /data/soft/suricata/lib/libhtp-0.2.so.1.0.2
002a3000-002a4000 r--p 0000f000 08:11 18         /data/soft/suricata/lib/libhtp-0.2.so.1.0.2
002a4000-002a5000 rw-p 00010000 08:11 18         /data/soft/suricata/lib/libhtp-0.2.so.1.0.2
002c4000-002c7000 r-xp 00000000 08:02 11786      /usr/lib/libcap-ng.so.0.0.0
002c7000-002c8000 r--p 00002000 08:02 11786      /usr/lib/libcap-ng.so.0.0.0
002c8000-002c9000 rw-p 00003000 08:02 11786      /usr/lib/libcap-ng.so.0.0.0
002c9000-0041c000 r-xp 00000000 08:02 129727     /lib/tls/i686/cmov/libc-2.11.1.so
0041c000-0041d000 ---p 00153000 08:02 129727     /lib/tls/i686/cmov/libc-2.11.1.so
0041d000-0041f000 r--p 00153000 08:02 129727     /lib/tls/i686/cmov/libc-2.11.1.so
0041f000-00420000 rw-p 00155000 08:02 129727     /lib/tls/i686/cmov/libc-2.11.1.so
00420000-00423000 rw-p 00000000 00:00 0
00527000-0053c000 r-xp 00000000 08:02 129741     /lib/tls/i686/cmov/libpthread-2.11.1.so
0053c000-0053d000 r--p 00014000 08:02 129741     /lib/tls/i686/cmov/libpthread-2.11.1.so
0053d000-0053e000 rw-p 00015000 08:02 129741     /lib/tls/i686/cmov/libpthread-2.11.1.so
0053e000-00540000 rw-p 00000000 00:00 0
005fb000-0062a000 r-xp 00000000 08:02 129160     /lib/libpcre.so.3.12.1
0062a000-0062b000 r--p 0002e000 08:02 129160     /lib/libpcre.so.3.12.1
0062b000-0062c000 rw-p 0002f000 08:02 129160     /lib/libpcre.so.3.12.1
00669000-0066a000 r-xp 00000000 00:00 0          [vdso]
00766000-00781000 r-xp 00000000 08:02 129224     /lib/ld-2.11.1.so
00781000-00782000 r--p 0001a000 08:02 129224     /lib/ld-2.11.1.so
00782000-00783000 rw-p 0001b000 08:02 129224     /lib/ld-2.11.1.so
00851000-0086e000 r-xp 00000000 08:02 129790     /lib/libgcc_s.so.1
0086e000-0086f000 r--p 0001c000 08:02 129790     /lib/libgcc_s.so.1
0086f000-00870000 rw-p 0001d000 08:02 129790     /lib/libgcc_s.so.1
0093a000-0094d000 r-xp 00000000 08:02 129334     /lib/libz.so.1.2.3.3
0094d000-0094e000 r--p 00012000 08:02 129334     /lib/libz.so.1.2.3.3
0094e000-0094f000 rw-p 00013000 08:02 129334     /lib/libz.so.1.2.3.3
00b30000-00b36000 r-xp 00000000 08:02 11703      /usr/lib/libnfnetlink.so.0.2.0
00b36000-00b37000 r--p 00005000 08:02 11703      /usr/lib/libnfnetlink.so.0.2.0
00b37000-00b38000 rw-p 00006000 08:02 11703      /usr/lib/libnfnetlink.so.0.2.0
00d91000-00da5000 r-xp 00000000 08:02 11753      /usr/lib/libnet.so.1.5.0
00da5000-00da6000 r--p 00013000 08:02 11753      /usr/lib/libnet.so.1.5.0
00da6000-00da7000 rw-p 00014000 08:02 11753      /usr/lib/libnet.so.1.5.0
00da7000-00da8000 rw-p 00000000 00:00 0
00e91000-00ebe000 r-xp 00000000 08:02 6582       /usr/lib/libpcap.so.1.0.0
00ebe000-00ebf000 r--p 0002c000 08:02 6582       /usr/lib/libpcap.so.1.0.0
00ebf000-00ec0000 rw-p 0002d000 08:02 6582       /usr/lib/libpcap.so.1.0.0
00ee8000-00f04000 r-xp 00000000 08:02 11738      /usr/lib/libyaml-0.so.2.0.1
00f04000-00f05000 r--p 0001b000 08:02 11738      /usr/lib/libyaml-0.so.2.0.1
00f05000-00f06000 rw-p 0001c000 08:02 11738      /usr/lib/libyaml-0.so.2.0.1
08048000-081a4000 r-xp 00000000 08:11 34         /data/soft/suricata/bin/suricata
081a4000-081a5000 r--p 0015b000 08:11 34         /data/soft/suricata/bin/suricata
081a5000-081a7000 rw-p 0015c000 08:11 34         /data/soft/suricata/bin/suricata
081a7000-081db000 rw-p 00000000 00:00 0
09b7c000-0a8d8000 rw-p 00000000 00:00 0          [heap]
b4200000-b4222000 rw-p 00000000 00:00 0
b4222000-b4300000 ---p 00000000 00:00 0
b4330000-b45c5000 rw-s 00000000 00:07 9277       socket:[9277]
b45c5000-b45c6000 ---p 00000000 00:00 0
b45c6000-b4dc6000 rw-p 00000000 00:00 0
b4dc6000-b4dc7000 ---p 00000000 00:00 0
b4dc7000-b55c7000 rw-p 00000000 00:00 0
b55c7000-b55c8000 ---p 00000000 00:00 0
b55c8000-b5dc8000 rw-p 00000000 00:00 0
b5dc8000-b5dc9000 ---p 00000000 00:00 0
b5dc9000-b65c9000 rw-p 00000000 00:00 0
b65c9000-b65ca000 ---p 00000000 00:00 0
b65ca000-b6dca000 rw-p 00000000 00:00 0
b6dca000-b6dcb000 ---p 00000000 00:00 0
b6dcb000-b7796000 rw-p 00000000 00:00 0
b7798000-b779d000 rw-p 00000000 00:00 0
bfe28000-bfe49000 rw-p 00000000 00:00 0          [stack]
Aborted

  Am I doing something wrong, or is it a bug?

  Suricata version: 1.1rc1
  Host OS: Ubuntu LTS 10.04.3

Thanks.



-- 
CL Martinez
carlopmart {at} gmail {d0t} com
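A preflight check a sensor operator can run on a filter file before handing it to Suricata's -F option, added here as an example; it is not Suricata's code and was not part of the original thread. It assumes the file holds a single libpcap filter expression (possibly wrapped across lines, possibly with '#' comments) and that a tcpdump binary is on PATH; the filename, the comment syntax and the header-only pcap used for the compile step are this example's own choices. The compile step asks tcpdump to compile the expression against a constructed, packet-less pcap file rather than a live interface, so it needs no capture privileges, and when tcpdump is missing that step is skipped and reported.

```python
"""Preflight check for a BPF filter file before passing it to Suricata's -F option.

Added example, not Suricata's code. Assumptions: the file holds one libpcap filter
expression (it may wrap across lines and carry '#' comments), and 'tcpdump' is on
PATH for the compile step. When tcpdump is missing, the compile step is skipped
and reported, so the file-level checks still run offline.
"""
import os
import shutil
import struct
import subprocess
import sys
import tempfile


def parse_bpf_file(text):
    """Collapse the file's text into a single filter expression.

    Each line is stripped, '#' comments and blank lines are dropped, and the
    remainder is joined with single spaces. Returns '' if nothing is left.
    """
    parts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts.append(line)
    return " ".join(parts)


def load_bpf_file(path):
    """Read the file and return the expression; raise if it is effectively empty."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        expr = parse_bpf_file(fh.read())
    if not expr:
        raise ValueError("%s contains no filter expression" % path)
    return expr


def empty_pcap_bytes(linktype=1):
    """Build a pcap file consisting of only a global header (constructed, no packets).

    Fields: magic 0xa1b2c3d4, version 2.4, timezone 0, sigfigs 0, snaplen 65535,
    link type (1 = Ethernet). tcpdump -r takes the link type from this header,
    so the filter can be compiled without opening a live interface.
    """
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def compile_check(expr, tcpdump=None):
    """Compile the expression with 'tcpdump -d', which prints the BPF program and exits.

    Returns (ok, detail): ok is True/False when tcpdump ran, None when it could
    not be found. detail carries the compiled program or tcpdump's error text.
    """
    if tcpdump is None:
        tcpdump = shutil.which("tcpdump")
    if tcpdump is None or not os.path.exists(tcpdump):
        return None, "tcpdump not available; compile check skipped"
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        tmp.write(empty_pcap_bytes())
        pcap_path = tmp.name
    try:
        proc = subprocess.run(
            [tcpdump, "-r", pcap_path, "-d", expr],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    finally:
        os.unlink(pcap_path)
    if proc.returncode != 0:
        return False, proc.stderr.strip()
    return True, proc.stdout.strip()


def main(argv):
    if len(argv) != 2:
        print("usage: %s /path/to/bpf.conf" % argv[0])
        return 2
    try:
        expr = load_bpf_file(argv[1])
    except (OSError, ValueError) as err:
        print("bad filter file: %s" % err)
        return 1
    print("filter expression: %r" % expr)
    ok, detail = compile_check(expr)
    if ok is None:
        print(detail)
        return 0
    print("compile %s\n%s" % ("ok" if ok else "FAILED", detail))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 bpf_preflight.py /data/config/etc/suricata/bpf.conf`; a file holding `tcp port 80` should print the expression and the compiled BPF program. A non-zero exit means the file is empty after comment stripping or libpcap rejected the expression, which separates a bad filter file from a crash inside the sensor itself.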


