[Oisf-users] Segfault in 1.4rc1 in Live rule swap

Fernando Sclavo fsclavo at gmail.com
Wed Dec 12 18:09:29 UTC 2012 

On 12/12/2012 02:01 PM, Victor Julien wrote:
> On 12/12/2012 05:52 PM, Fernando Sclavo wrote:
>> Suricata recently dumped whith segfault, trying to reload rules.
> Can you get us a backtrace?
>
> The process should dump core to the directory you're starting from.
>
> Also, can you share your config and commandline?
>
Victor, I haven't a core dump, I don't know why it's not generated,
because is enabled in sysctl.conf. Instead, an apport crash was
generated but without coredump inside.
Suricata is installed from ppa (beta).

Path:
idsuser at suricata:/var/log/suricata$ which suricata
/usr/bin/suricata

Command:
sudo suricata -D -c /etc/suricata/suricata.yaml --af-packet

suricata.yaml:

idsuser at suricata:/var/log/suricata$ cat /etc/suricata/suricata.yaml
%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
#
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml


# Number of packets allowed to be processed simultaneously.  Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (b2g_cuda below), different
rules
# apply. In that case try something like 4000 or more. This is because
the CUDA
# pattern matcher scans many packets in parallel.
max-pending-packets: 65534

# Runmode the engine should use. Please check --list-runmodes to get the
available
# runmodes for each packet acquisition method. Defaults to "autofp"
(auto flow pinned
# load balancing).
runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned
autofp mode.
#
# Supported schedulers are:
#
# round-robin       - Flows assigned to threads in a round robin fashion.
# active-packets    - Flows assigned to threads that have the lowest
number of
#                     unprocessed packets (default).
# hash              - Flow alloted usihng the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and
older.
#
#autofp-scheduler: active-packets

# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri

# Default pid file.
# Will use this file if no --pidfile in command options.
pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# The default logging directory.  Any log or output file will be
# placed here if its not specified with a full path name.  This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata

# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by
customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u
%s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log to used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parser like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no

  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or are as specified by "dir". In Sguil mode "dir" indicates the base
directory.
  # In this base dir the pcaps are created in th directory structure
Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled:  no
      filename: log.pcap

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 1000mb

      # If set to a value will enable ring buffer mode. Will keep
Maximum of "max-files" of size "limit"
      max-files: 2000

      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is
filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching
stream inspection depth are ignored. "no" logs all packets

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be
written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 10

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If ommited the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where
<id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0
(unlimited)
  # - http req

More information about the Oisf-users mailing list