[Oisf-users] Segfault in 1.4rc1 in Live rule swap
Fernando Sclavo
fsclavo at gmail.com
Wed Dec 12 18:09:29 UTC 2012
On 12/12/2012 02:01 PM, Victor Julien wrote:
> On 12/12/2012 05:52 PM, Fernando Sclavo wrote:
>> Suricata recently dumped with segfault, trying to reload rules.
> Can you get us a backtrace?
>
> The process should dump core to the directory you're starting from.
>
> Also, can you share your config and commandline?
>
Victor, I don't have a core dump; I don't know why it isn't generated,
because it is enabled in sysctl.conf. Instead, an apport crash was
generated, but without a coredump inside.
Suricata is installed from ppa (beta).
Path:
idsuser at suricata:/var/log/suricata$ which suricata
/usr/bin/suricata
Command:
sudo suricata -D -c /etc/suricata/suricata.yaml --af-packet
suricata.yaml:
idsuser at suricata:/var/log/suricata$ cat /etc/suricata/suricata.yaml
%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

# Number of packets allowed to be processed simultaneously. Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (b2g_cuda below), different rules
# apply. In that case try something like 4000 or more. This is because the CUDA
# pattern matcher scans many packets in parallel.
max-pending-packets: 65534

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# Supported schedulers are:
#
# round-robin    - Flows assigned to threads in a round robin fashion.
# active-packets - Flows assigned to threads that have the lowest number of
#                  unprocessed packets (default).
# hash           - Flow allotted using the address hash. More of a random
#                  technique. Was the default in Suricata 1.2.1 and older.
#
#autofp-scheduler: active-packets

# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri

# Default pid file.
# Will use this file if no --pidfile in command options.
pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata

# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      #limit: 32mb

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes     # enable this for extended logging information
      #custom: yes      # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no          # Log TLS connections.
      filename: tls.log    # File to store TLS logs.
      #extended: yes       # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log to used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parser like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no

  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
  # In this base dir the pcaps are created in the directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: no
      filename: log.pcap

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 1000mb

      # If set to a value will enable ring buffer mode. Will keep
      # Maximum of "max-files" of size "limit"
      max-files: 2000

      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 10

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  # - http req
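Victor's note that the process should dump core into the directory it was started from, and the reporter's observation that apport produced a crash report instead of a core file, point at the three kernel and shell settings that decide where (or whether) a core lands. The script below is an added check written for this thread; it is not code from the list, from Suricata or from its packaging. It assumes a Linux /proc interface and that, on Ubuntu, apport registers itself in kernel.core_pattern as a pipe handler (a leading "|"), which is why a piped pattern yields an apport report and no core in the working directory. The sample pattern strings in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the thread or of Suricata): read-only check of the
# settings that decide whether a crashing daemon leaves a core file in its cwd.

# Classify a kernel.core_pattern value. A leading '|' means the kernel pipes
# the core image to a helper program (apport, systemd-coredump, ...) instead of
# writing a file, so nothing appears in the process cwd even when ulimit allows it.
core_pattern_kind() {
    case "$1" in
        '|'*) echo pipe ;;
        '')   echo empty ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Basename of the pipe helper for a piped pattern (e.g. "apport"); empty otherwise.
core_pattern_helper() {
    case "$1" in
        '|'*) helper=${1#'|'}        # drop the leading pipe
              helper=${helper%% *}   # drop the %p %s ... arguments
              echo "${helper##*/}" ;; # keep the program name only
        *)    echo "" ;;
    esac
}

# Does a `ulimit -c` value allow a core at all? True for "unlimited" or any
# non-zero number; false for 0 (the usual default) or an empty value.
core_limit_allows_dump() {
    case "$1" in
        unlimited) return 0 ;;
        0|'')      return 1 ;;
        *)         return 0 ;;
    esac
}

# Live report. The core size limit is per process and inherited, so run this
# from the same shell (and through the same sudo invocation) that starts the
# daemon; a limit raised in one terminal does not apply to another.
report_core_dump_setup() {
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null)
    limit=$(ulimit -c)
    printf 'core_pattern  : %s (%s)\n' "$pattern" "$(core_pattern_kind "$pattern")"
    helper=$(core_pattern_helper "$pattern")
    if [ -n "$helper" ]; then
        printf '  piped to "%s": the core goes to that program, not to the cwd\n' "$helper"
    fi
    printf 'ulimit -c     : %s\n' "$limit"
    if ! core_limit_allows_dump "$limit"; then
        printf '  core size limit is 0: no core will be written\n'
    fi
    # Only matters once the daemon changes uid (run-as), which this config does not.
    printf 'suid_dumpable : %s\n' "$(cat /proc/sys/fs/suid_dumpable 2>/dev/null)"
}

report_core_dump_setup
```

If the pattern is piped to apport, the core is in apport's hands: disabling apport (or pointing kernel.core_pattern at a plain file name such as core) makes the next crash write a core file where `ulimit -c unlimited` was set, which is what a backtrace needs.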