[Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Peter Manev petermanev at gmail.com
Sat Jun 16 13:46:11 UTC 2012


Hi Stefan,
Have you specified "interface br0" in the yaml conf file:

pcap:
  - interface: br0
    #buffer-size: 32768
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum com

How did you compile Suricata?

Thanks

On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <
Stefan.Sabolowitsch at felten-group.com> wrote:

> Hi all,
>
> I have a segfault with the latest Suricata version (rev 988c92f), never
> seen before “beta2”.
>
> Any help?
>
> Thx
>
> Stefan
>
> -#-#-#- snipp #-#-#-#-#
> Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode
> Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode
> Jun 16 13:55:49 ipd1 sancp: Exiting
> Jun 16 13:55:50 ipd1 sancp: Exiting
> Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0
> Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode
> Jun 16 13:56:41 ipd1 sancp: started normally
> Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
> Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
> Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
> Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]
> Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0
> Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode
> Jun 16 13:56:58 ipd1 sancp: started normally
> -#-#-#-#-snapp-+-+-+-+-+-
>
> And I found this in the logfile:
>
> [10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
> [10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
> [10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
> [10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
> [10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
> [10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
>


-- 
Regards,
Peter Manev