[Oisf-users] suricata

Victor Julien victor at inliniac.net
Fri Jun 8 12:41:01 UTC 2012


On 06/07/2012 01:44 PM, Константин Хабаров wrote:
> Hi all, I use Suricata engine version 1.2.1.
> It worked fine for a month, but at one point it started crashing. Now it can
> work 1-2 days and crash, but can also crash after 5-10 minutes of working.
> 
> Here is my suricata output
> 
> 7/6/2012 -- 14:44:57 - <Info> - This is Suricata version 1.2.1 RELEASE
> 7/6/2012 -- 14:44:57 - <Info> - CPUs/cores online: 4
> 7/6/2012 -- 14:44:57 - <Info> - Found an MTU of 1500 for 'eth1'
> 7/6/2012 -- 14:44:57 - <Info> - Using PCRE match-limit setting of: 3500
> 7/6/2012 -- 14:44:57 - <Info> - preallocated 50 packets. Total memory 156000
> 7/6/2012 -- 14:44:57 - <Info> - allocated 524288 bytes of memory for the
> flow hash... 65536 buckets of size 8
> 7/6/2012 -- 14:44:57 - <Info> - preallocated 10000 flows of size 168
> 7/6/2012 -- 14:44:57 - <Info> - flow memory usage: 2204288 bytes,
> maximum: 33554432
> 7/6/2012 -- 14:45:03 - <Info> - 1 rule files processed. 11833 rules
> succesfully loaded, 0 rules failed
> 7/6/2012 -- 14:45:15 - <Info> - 11841 signatures processed. 724 are
> IP-only rules, 3627 are inspecting packet payload, 8959 inspect
> application layer, 0 are decoder event only
> 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 7/6/2012 -- 14:45:17 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 7/6/2012 -- 14:45:19 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error
> opening file: "threshold.config": No such file or directory
> 7/6/2012 -- 14:45:19 - <Info> - Core dump size set to unlimited.
> 7/6/2012 -- 14:45:19 - <Info> - Unified2-alert initialized: filename
> suricata.u2, limit 32 MB
> 7/6/2012 -- 14:45:19 - <Info> - Using 1 live device(s).
> 7/6/2012 -- 14:45:19 - <Info> - Unable to find pcap config for interface
> eth1, using default value
> 7/6/2012 -- 14:45:19 - <Info> - using interface eth1
> 7/6/2012 -- 14:45:19 - <Info> - Running in 'auto' checksum mode.
> Detection of interface state will require 1000 packets.
> 7/6/2012 -- 14:45:19 - <Info> - RunModeIdsPcapAuto initialised
> 7/6/2012 -- 14:45:19 - <Info> - stream "max_sessions": 262144
> 7/6/2012 -- 14:45:19 - <Info> - stream "prealloc_sessions": 32768
> 7/6/2012 -- 14:45:19 - <Info> - stream "memcap": 33554432
> 7/6/2012 -- 14:45:19 - <Info> - stream "midstream" session pickups: disabled
> 7/6/2012 -- 14:45:19 - <Info> - stream "async_oneside": disabled
> 7/6/2012 -- 14:45:19 - <Info> - stream "checksum_validation": enabled
> 7/6/2012 -- 14:45:19 - <Info> - stream."inline": disabled
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "memcap": 67108864
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "depth": 1048576
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toserver_chunk_size":
> 2560
> 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toclient_chunk_size":
> 2560
> 7/6/2012 -- 14:45:19 - <Info> - all 10 packet processing threads, 1
> management threads initialized, engine started.
> 7/6/2012 -- 14:45:22 - <Info> - No packets with invalid checksum,
> assuming checksum offloading is NOT used
> Segmentation fault (core dumped) 
> 
> I get a segmentation fault error after 5 minutes of working.

Can you try to get us a back trace?

> I see an error opening "threshold.config", but I don't use it in my
> suricata.yaml config file.

This error is harmless. If no value is provided it tries to open
"threshold.config" from your rules directory.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



