[Oisf-users] suricata

Константин Хабаров k.khabarov at krasnodar.pro
Fri Jun 8 12:57:37 UTC 2012 

What should i do to get backtrace?

2012/6/8 Victor Julien <victor at inliniac.net>

> On 06/07/2012 01:44 PM, Константин Хабаров wrote:
> > Hi all, i use suricata engine version 1.2.1
> > it works fine for a month, but one time it starts crashing. Now, it can
> > work 1-2 days and crash, but can crash after 5-10 minutes working
> >
> > Here is my suricata output
> >
> > 7/6/2012 -- 14:44:57 - <Info> - This is Suricata version 1.2.1 RELEASE
> > 7/6/2012 -- 14:44:57 - <Info> - CPUs/cores online: 4
> > 7/6/2012 -- 14:44:57 - <Info> - Found an MTU of 1500 for 'eth1'
> > 7/6/2012 -- 14:44:57 - <Info> - Using PCRE match-limit setting of: 3500
> > 7/6/2012 -- 14:44:57 - <Info> - preallocated 50 packets. Total memory
> 156000
> > 7/6/2012 -- 14:44:57 - <Info> - allocated 524288 bytes of memory for the
> > flow hash... 65536 buckets of size 8
> > 7/6/2012 -- 14:44:57 - <Info> - preallocated 10000 flows of size 168
> > 7/6/2012 -- 14:44:57 - <Info> - flow memory usage: 2204288 bytes,
> > maximum: 33554432
> > 7/6/2012 -- 14:45:03 - <Info> - 1 rule files processed. 11833 rules
> > succesfully loaded, 0 rules failed
> > 7/6/2012 -- 14:45:15 - <Info> - 11841 signatures processed. 724 are
> > IP-only rules, 3627 are inspecting packet payload, 8959 inspect
> > application layer, 0 are decoder event only
> > 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,
> > stage 1: adding signatures to signature source addresses... complete
> > 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure,
> > stage 2: building source address list... complete
> > 7/6/2012 -- 14:45:17 - <Info> - building signature grouping structure,
> > stage 3: building destination address lists... complete
> > 7/6/2012 -- 14:45:19 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error
> > opening file: "threshold.config": No such file or directory
> > 7/6/2012 -- 14:45:19 - <Info> - Core dump size set to unlimited.
> > 7/6/2012 -- 14:45:19 - <Info> - Unified2-alert initialized: filename
> > suricata.u2, limit 32 MB
> > 7/6/2012 -- 14:45:19 - <Info> - Using 1 live device(s).
> > 7/6/2012 -- 14:45:19 - <Info> - Unable to find pcap config for interface
> > eth1, using default value
> > 7/6/2012 -- 14:45:19 - <Info> - using interface eth1
> > 7/6/2012 -- 14:45:19 - <Info> - Running in 'auto' checksum mode.
> > Detection of interface state will require 1000 packets.
> > 7/6/2012 -- 14:45:19 - <Info> - RunModeIdsPcapAuto initialised
> > 7/6/2012 -- 14:45:19 - <Info> - stream "max_sessions": 262144
> > 7/6/2012 -- 14:45:19 - <Info> - stream "prealloc_sessions": 32768
> > 7/6/2012 -- 14:45:19 - <Info> - stream "memcap": 33554432
> > 7/6/2012 -- 14:45:19 - <Info> - stream "midstream" session pickups:
> disabled
> > 7/6/2012 -- 14:45:19 - <Info> - stream "async_oneside": disabled
> > 7/6/2012 -- 14:45:19 - <Info> - stream "checksum_validation": enabled
> > 7/6/2012 -- 14:45:19 - <Info> - stream."inline": disabled
> > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "memcap": 67108864
> > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "depth": 1048576
> > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toserver_chunk_size":
> > 2560
> > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toclient_chunk_size":
> > 2560
> > 7/6/2012 -- 14:45:19 - <Info> - all 10 packet processing threads, 1
> > management threads initialized, engine started.
> > 7/6/2012 -- 14:45:22 - <Info> - No packets with invalid checksum,
> > assuming checksum offloading is NOT used
> > Segmentation fault (core dumped)
> >
> > I get segmentation fault error after 5 minutes working.
>
> Can you try to get us a back trace?
>
> > I see an error  opening "threshold.config", but i don't use it in my
> > suricata.yaml config file.
>
> This error is harmless. If no value is provided it tries to open
> "threshold.config" from your rules directory.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
 С уважением,
Инженер отдела защиты информации
ООО <<РосИнтеграция>>
Константин Хабаров

тел. 8-903-453-22-21


http://www.rosint.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120608/afe46e1f/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1821 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120608/afe46e1f/attachment.jpg>

More information about the Oisf-users mailing list