[Oisf-users] "suricata: double free or corruption" when I use bpf filter

carlopmart carlopmart at gmail.com
Wed Nov 9 16:51:03 UTC 2011


On 11/09/2011 05:35 PM, Victor Julien wrote:
> On 11/09/2011 05:03 PM, carlopmart wrote:
>> On 11/09/2011 04:59 PM, Victor Julien wrote:
>>> On 11/09/2011 04:55 PM, carlopmart wrote:
>>>>     Am I doing something wrong or is it a bug?
>>>>
>>>>     Suricata version: 1.1rc1
>>>>     Host OS: Ubuntu LTS 10.04.3
>>>
>>> Nope, looks like a bug. Checking it out, thanks!
>>>
>>
>> FYI, If I do via command line:
>>
>> suricata -c /data/config/etc/suricata/suricata.yaml -i eth8 'tcp port 80'
>>
> [snip]
>>    .. works ok.
>
> Can you try the attached patch?
>

Applying the patch works well and compilation too ... Starting suricata:

root at eorlingas:~# suricata -c /data/config/etc/suricata/suricata.yaml -i 
eth8 -F /data/config/etc/suricata/bpf.conf
[21899] 9/11/2011 -- 16:48:26 - (suricata.c:651) <Info> (main) -- This 
is Suricata version 1.1rc1
[21899] 9/11/2011 -- 16:48:26 - (util-cpu.c:171) <Info> 
(UtilCpuPrintSummary) -- CPUs/cores online: 1
[21899] 9/11/2011 -- 16:48:26 - (util-ioctl.c:91) <Info> (GetIfaceMTU) 
-- Found an MTU of 1500 for 'eth8'
[21899] 9/11/2011 -- 16:48:26 - (detect-pcre.c:128) <Info> 
(DetectPcreRegister) -- Using PCRE match-limit setting of: 3500
[21899] 9/11/2011 -- 16:48:26 - (detect-pcre.c:138) <Info> 
(DetectPcreRegister) -- Using PCRE match-limit-recursion setting of: 1500
[21899] 9/11/2011 -- 16:48:26 - (suricata.c:1429) <Info> (main) -- 
preallocated 50 packets. Total memory 157000
[21899] 9/11/2011 -- 16:48:26 - (flow.c:840) <Info> (FlowInitConfig) -- 
initializing flow engine...
[21899] 9/11/2011 -- 16:48:26 - (flow.c:932) <Info> (FlowInitConfig) -- 
allocated 524288 bytes of memory for the flow hash... 65536 buckets of 
size 8
[21899] 9/11/2011 -- 16:48:26 - (flow.c:952) <Info> (FlowInitConfig) -- 
preallocated 10000 flows of size 176
[21899] 9/11/2011 -- 16:48:26 - (flow.c:954) <Info> (FlowInitConfig) -- 
flow memory usage: 2284288 bytes, maximum: 33554432
[21899] 9/11/2011 -- 16:48:26 - (detect.c:626) <Info> 
(SigLoadSignatures) -- No signatures supplied.
[21899] 9/11/2011 -- 16:48:26 - (util-threshold-config.c:135) <Warning> 
(SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error 
opening file: "threshold.config": No such file or directory
[21899] 9/11/2011 -- 16:48:26 - (alert-fastlog.c:366) <Info> 
(AlertFastLogInitCtx) -- Fast log output initialized, filename: 
idpesx02.alerts
[21899] 9/11/2011 -- 16:48:26 - (alert-unified2-alert.c:1150) <Info> 
(Unified2AlertInitCtx) -- Unified2-alert initialized: filename 
suricata.out, limit 128 MB
[21899] 9/11/2011 -- 16:48:26 - (log-httplog.c:448) <Info> 
(LogHttpLogInitCtx) -- HTTP log output initialized, filename: http.log
[21899] 9/11/2011 -- 16:48:26 - (log-pcap.c:485) <Info> (PcapLogInitCtx) 
-- Using log dir /nsm/sguil_sensor/idpesx02/dailylogs
[21899] 9/11/2011 -- 16:48:26 - (log-pcap.c:490) <Info> (PcapLogInitCtx) 
-- using Sguil compatible logging
[21899] 9/11/2011 -- 16:48:26 - (log-droplog.c:176) <Info> 
(LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
[21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:140) <Info> 
(ParsePcapConfig) -- BPF filter set from command line or via old 
'bpf-filter' option.
[21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:223) <Info> 
(RunModeIdsPcapAuto) -- RunModeIdsPcapAuto initialised
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:346) <Info> 
(StreamTcpInitConfig) -- stream "max_sessions": 262144
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:358) <Info> 
(StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:368) <Info> 
(StreamTcpInitConfig) -- stream "memcap": 33554432
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:374) <Info> 
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:380) <Info> 
(StreamTcpInitConfig) -- stream "async_oneside": disabled
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:397) <Info> 
(StreamTcpInitConfig) -- stream "checksum_validation": enabled
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:407) <Info> 
(StreamTcpInitConfig) -- stream."inline": enabled
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:416) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:426) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:449) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[21899] 9/11/2011 -- 16:48:26 - (stream-tcp.c:451) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[21900] 9/11/2011 -- 16:48:26 - (source-pcap.c:318) <Info> 
(ReceivePcapThreadInit) -- using interface eth8
[21900] 9/11/2011 -- 16:48:26 - (source-pcap.c:359) <Info> 
(ReceivePcapThreadInit) -- Going to use pcap buffer size of 0
[21899] 9/11/2011 -- 16:48:27 - (tm-threads.c:1802) <Info> 
(TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 
management threads initialized, engine started.

  ... uhmm, why is it saying "BPF filter set from command line or via old 
'bpf-filter' option."??

  Anyway, it seems it works ... Yes, it works. Suricata only sees HTTP traffic ...

--
CL Martinez
carlopmart {at} gmail {d0t} com
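The thread notes that passing the filter on the command line (`suricata ... -i eth8 'tcp port 80'`) worked while the `-F` file form crashed before the patch. As an added example (not code from the thread or from the Suricata project), the wrapper below reads a filter file, flattens it to one expression, compiles it with `tcpdump -d` as a syntax check when tcpdump is installed, and then hands it to suricata on the command line. The comment handling (`#` to end of line) and line joining are this script's own convention and are an assumption about the file layout, not something the thread says Suricata's `-F` option does; the file name `bpf_test.conf` used in the usage line is made up.

```shell
#!/bin/sh
# Added example: start suricata with a BPF filter read from a file but passed
# on the command line, the form the thread reports as working.
# Assumption (not from the thread): lines in the filter file may carry
# '#' comments and may be split across lines; they are joined with spaces.

# Print the file's filter as one whitespace-normalised expression.
# Returns 1 when the file yields an empty expression.
bpf_expr_from_file() {
    filter_expr=$(sed -e 's/#.*$//' "$1" \
        | tr '\n\t' '  ' | tr -s ' ' \
        | sed -e 's/^ *//' -e 's/ *$//')
    [ -n "$filter_expr" ] || return 1
    printf '%s\n' "$filter_expr"
}

# Compile the expression with tcpdump -d so a syntax error surfaces before
# suricata starts; skipped (returns 0) when tcpdump is not installed.
bpf_check() {
    command -v tcpdump >/dev/null 2>&1 || return 0
    tcpdump -d "$1" >/dev/null 2>&1
}

# Start suricata on IFACE with CONFIG, using the filter from FILE.
run_suricata_with_bpf_file() {
    config=$1; iface=$2; file=$3
    filter=$(bpf_expr_from_file "$file") \
        || { echo "empty BPF filter in $file" >&2; return 1; }
    bpf_check "$filter" \
        || { echo "BPF filter does not compile: $filter" >&2; return 1; }
    suricata -c "$config" -i "$iface" "$filter"
}

# Usage (hypothetical paths, mirroring the ones in the thread):
#   run_suricata_with_bpf_file /data/config/etc/suricata/suricata.yaml eth8 bpf_test.conf
```

Because the expression is quoted as a single argument, the filter file can hold a longer multi-line expression without the operator having to retype it on each restart.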


