[Oisf-users] suricata

Victor Julien victor at inliniac.net
Fri Jun 8 14:26:59 UTC 2012


On 06/08/2012 02:57 PM, Константин Хабаров wrote:
> What should I do to get a backtrace?

gdb /path/to/bin /path/to/core

then issue "bt full" and get us the output.


If you have installed Suricata in /usr/bin/suricata and the core file is
in /tmp/ the gdb command is:

gdb /usr/bin/suricata /tmp/core

Cheers,
Victor

> 
> 2012/6/8 Victor Julien <victor at inliniac.net>
> 
>     On 06/07/2012 01:44 PM, Константин Хабаров wrote:
>     > Hi all, I use suricata engine version 1.2.1
>     > it works fine for a month, but one time it starts crashing. Now, it can
>     > work 1-2 days and crash, but can crash after 5-10 minutes working
>     >
>     > Here is my suricata output
>     >
>     > 7/6/2012 -- 14:44:57 - <Info> - This is Suricata version 1.2.1 RELEASE
>     > 7/6/2012 -- 14:44:57 - <Info> - CPUs/cores online: 4
>     > 7/6/2012 -- 14:44:57 - <Info> - Found an MTU of 1500 for 'eth1'
>     > 7/6/2012 -- 14:44:57 - <Info> - Using PCRE match-limit setting of: 3500
>     > 7/6/2012 -- 14:44:57 - <Info> - preallocated 50 packets. Total memory 156000
>     > 7/6/2012 -- 14:44:57 - <Info> - allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
>     > 7/6/2012 -- 14:44:57 - <Info> - preallocated 10000 flows of size 168
>     > 7/6/2012 -- 14:44:57 - <Info> - flow memory usage: 2204288 bytes, maximum: 33554432
>     > 7/6/2012 -- 14:45:03 - <Info> - 1 rule files processed. 11833 rules succesfully loaded, 0 rules failed
>     > 7/6/2012 -- 14:45:15 - <Info> - 11841 signatures processed. 724 are IP-only rules, 3627 are inspecting packet payload, 8959 inspect application layer, 0 are decoder event only
>     > 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
>     > 7/6/2012 -- 14:45:15 - <Info> - building signature grouping structure, stage 2: building source address list... complete
>     > 7/6/2012 -- 14:45:17 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
>     > 7/6/2012 -- 14:45:19 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
>     > 7/6/2012 -- 14:45:19 - <Info> - Core dump size set to unlimited.
>     > 7/6/2012 -- 14:45:19 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 32 MB
>     > 7/6/2012 -- 14:45:19 - <Info> - Using 1 live device(s).
>     > 7/6/2012 -- 14:45:19 - <Info> - Unable to find pcap config for interface eth1, using default value
>     > 7/6/2012 -- 14:45:19 - <Info> - using interface eth1
>     > 7/6/2012 -- 14:45:19 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>     > 7/6/2012 -- 14:45:19 - <Info> - RunModeIdsPcapAuto initialised
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "max_sessions": 262144
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "prealloc_sessions": 32768
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "memcap": 33554432
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "midstream" session pickups: disabled
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "async_oneside": disabled
>     > 7/6/2012 -- 14:45:19 - <Info> - stream "checksum_validation": enabled
>     > 7/6/2012 -- 14:45:19 - <Info> - stream."inline": disabled
>     > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "memcap": 67108864
>     > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "depth": 1048576
>     > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toserver_chunk_size": 2560
>     > 7/6/2012 -- 14:45:19 - <Info> - stream.reassembly "toclient_chunk_size": 2560
>     > 7/6/2012 -- 14:45:19 - <Info> - all 10 packet processing threads, 1 management threads initialized, engine started.
>     > 7/6/2012 -- 14:45:22 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
>     > Segmentation fault (core dumped)
>     >
>     > I get segmentation fault error after 5 minutes working.
> 
>     Can you try to get us a back trace?
> 
>     > I see an error opening "threshold.config", but I don't use it in my
>     > suricata.yaml config file.
> 
>     This error is harmless. If no value is provided it tries to open
>     "threshold.config" from your rules directory.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 
> 
> 
> 
> -- 
> Best regards,
> Information Security Department Engineer
> ООО «РосИнтеграция»
> Константин Хабаров
> 
> tel. 8-903-453-22-21
> 
>  
> http://www.rosint.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
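
The gdb steps from the reply above as a non-interactive script (an added example, not part of the original message or of Suricata). The function name `collect_backtrace`, its return codes and the default output file name are assumptions; the example goes slightly beyond the message by also dumping every thread's stack, since the log shows a multi-threaded engine.

```shell
#!/bin/sh
# Added example: collect a full backtrace from a core file without an
# interactive gdb session.

# collect_backtrace BINARY CORE [OUTFILE]
# Returns: 0 ok, 2 binary missing, 3 core missing or empty, 4 gdb not installed.
collect_backtrace() {
    bin=$1
    core=$2
    out=${3:-backtrace.txt}   # hypothetical default output name

    [ -x "$bin" ] || { echo "no executable at $bin" >&2; return 2; }
    [ -s "$core" ] || { echo "no usable core file at $core" >&2; return 3; }
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found in PATH" >&2; return 4; }

    # -batch runs the -ex commands in order and exits.
    # "bt full" is the command requested in the reply; it covers the
    # thread that crashed. "thread apply all bt full" repeats it for
    # every thread, which helps when the faulting thread was only the
    # victim of another thread's memory corruption.
    gdb -q -batch \
        -ex "bt full" \
        -ex "info threads" \
        -ex "thread apply all bt full" \
        "$bin" "$core" >"$out" 2>&1
}

# Example invocation with the paths from the reply:
#   sh this_script.sh /usr/bin/suricata /tmp/core
if [ "$#" -ge 2 ]; then
    collect_backtrace "$@"
fi
```

`bt full` prints local variables, which on an IDS sensor can include bytes of captured traffic, so read the output file before attaching it to a public list post.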



