[Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Eric Leblond eric at regit.org
Sat Jun 16 16:21:35 UTC 2012


Oops. I forgot one step. After getting the gdb shell, use the run command (without any arguments).

BR.

Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:

>Hmmm, sorry Eric but I need a little more help.
>
>When I take this here:
>
>[root at ipd1 bin]# gdb --args ./suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
>GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
>Copyright (C) 2010 Free Software Foundation, Inc.
>License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>This is free software: you are free to change and redistribute it.
>There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>and "show warranty" for details.
>This GDB was configured as "x86_64-redhat-linux-gnu".
>For bug reporting instructions, please see:
><http://www.gnu.org/software/gdb/bugs/>...
>Reading symbols from /usr/local/bin/suricata...done.
>(gdb)
>
>But nothing crashes.
>
>When I run this command line without "gdb --args", suricata crashes directly.
>What am I doing wrong here with gdb?
>
>From: Eric Leblond [mailto:eric at regit.org]
>Sent: Saturday, 16 June 2012 17:42
>To: Stefan Sabolowitsch
>Cc: Peter Manev; oisf
>Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x
>
>hello
>
>Can you run it in gdb and send us a backtrace?
>You can do it by running
>gdb --args mysuricatacmdline
>Then when it crashes do
>bt
>And send us the result.
>
>BR
>
>Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com<mailto:Stefan.Sabolowitsch at felten-group.com>> wrote:
>
>Hi Peter, thanks for your fast answer.
>
>I use the “-i” parameter for the interface, look here:
>
>Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
>
>Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-DMZ/suricata.yaml -F /etc/nsm/Serrig-DMZ/bpf.filt -i br1 -l /nsm/sensor_data/Serrig-DMZ
>
>And I compile with these parameters (CentOS 6.0 64-bit):
>
>./autogen.sh
>
>./configure --enable-pcre-jit
>
>
>Version 1.3beta worked for two months without any problem, also version beta2. But then the problems started.
>
>My last test…
>Jun 16 17:14:46 ipd1 kernel: device br0 entered promiscuous mode
>Jun 16 17:14:46 ipd1 sancp: started normally
>Jun 16 17:14:53 ipd1 sancp: Retrieved last connection ID: 5754608452622280998 8 0
>Jun 16 17:14:53 ipd1 kernel: device br1 entered promiscuous mode
>Jun 16 17:14:53 ipd1 sancp: started normally
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr025[14328]: segfault at 21 ip 0000000000000021 sp 00007fb62cdf8ce8 error 14
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr029[14332]: segfault at 21 ip 0000000000000021 sp 00007fb6261face8 error 14
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr031[14334]: segfault at 21 ip 0000000000000021 sp 00007fb61d71ece8 error 14 in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: RxPcapbr010[14313]: segfault at 21 ip 0000000000000021 sp 00007fb63e8dfce8 error 14 in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
>Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
>
>From: Peter Manev [mailto:petermanev at gmail.com]<mailto:[mailto:petermanev at gmail.com]>
>Sent: Saturday, 16 June 2012 15:46
>To: Stefan Sabolowitsch
>Cc: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
>Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x
>
>Hi Stefan,
>Have you specified " interface br0" in the yaml conf file:
>pcap:
>  - interface: br0
>    #buffer-size: 32768
>    #bpf-filter: "tcp and port 25"
>    # Choose checksum verification mode for the interface. At the moment
>    # of the capture, some packets may be with an invalid checksum due to
>    # offloading to the network card of the checksum com
>
>How did you compile Suricata?
>
>Thanks
>On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com<mailto:Stefan.Sabolowitsch at felten-group.com>> wrote:
>Hi all,
>I have a segfault with the latest suricata version (rev 988c92f), never seen before "beta2".
>
>Any help ?
>
>Thx
>Stefan
>
>-#-#-#- snipp #-#-#-#-#
>Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode
>Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode
>Jun 16 13:55:49 ipd1 sancp: Exiting
>Jun 16 13:55:50 ipd1 sancp: Exiting
>Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0
>Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode
>Jun 16 13:56:41 ipd1 sancp: started normally
>Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
>Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
>Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
>Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]
>Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0
>Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode
>Jun 16 13:56:58 ipd1 sancp: started normally
>-#-#-#-#-snapp-+-+-+-+-+-
>
>And I found this in the logfile:
>
>[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
>[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>[10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
>[10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
>[10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
>[10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
>
>--
>Regards,
>Peter Manev
>
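Added here as an editor's example, not code from the thread or from the Suricata project: a small Python triage helper for the kernel segfault lines quoted above. It parses the `comm[pid]: segfault at ... ip ... sp ... error ... in binary[base+size]` format (the mapping suffix is optional because the log shows it split onto a line of its own for several threads), checks whether the faulting instruction pointer lies inside the main binary's mapping, and flags the pattern present in every line here, where the fault address equals the instruction pointer (0x21): execution itself jumped to an unmapped address rather than reading or writing one, which is why only a gdb backtrace (Eric's `run`, then `bt`) can show the caller that made the bad jump. `gdb_backtrace_argv` is an assumed non-interactive equivalent of that procedure built from gdb's real `-batch` and `-ex` options. The sample lines are copied from the thread, plus one constructed data-access line for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel "segfault" message as seen in the thread. The trailing
# "in binary[base+size]" part is optional: the quoted log shows it
# continued on a separate kernel line for some threads.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<bin>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


@dataclass
class Segfault:
    comm: str          # thread name, e.g. RxPcapbr038
    pid: int           # thread id printed by the kernel
    addr: int          # faulting (data or fetch) address
    ip: int            # instruction pointer at the time of the fault
    sp: int            # stack pointer at the time of the fault
    err: int           # kernel page-fault error code (left undecoded here)
    binary: Optional[str]
    base: Optional[int]
    size: Optional[int]

    def ip_in_binary(self) -> Optional[bool]:
        """True/False if the line carried a mapping, None if it did not."""
        if self.base is None or self.size is None:
            return None
        return self.base <= self.ip < self.base + self.size

    def verdict(self) -> str:
        if self.ip == self.addr:
            # The fault IS the instruction fetch: code jumped to an address
            # nothing is mapped at, typically via a corrupted or NULL-based
            # function pointer. The caller frame in the backtrace is the clue.
            return ("jumped to unmapped address 0x%x: the fault is the instruction "
                    "fetch itself; look at the caller frame in the gdb backtrace" % self.ip)
        inside = self.ip_in_binary()
        if inside is None:
            return "bad memory access to 0x%x (no mapping info on this line)" % self.addr
        if inside:
            return ("bad memory access to 0x%x from code at binary offset 0x%x"
                    % (self.addr, self.ip - self.base))
        return ("bad memory access to 0x%x from code outside the main binary "
                "(shared library or JIT region)" % self.addr)


def parse_segfault_line(line: str) -> Optional[Segfault]:
    m = SEGV_RE.search(line)
    if not m:
        return None
    return Segfault(
        comm=m["comm"], pid=int(m["pid"]),
        addr=int(m["addr"], 16), ip=int(m["ip"], 16), sp=int(m["sp"], 16),
        err=int(m["err"]),
        binary=m["bin"],
        base=int(m["base"], 16) if m["base"] else None,
        size=int(m["size"], 16) if m["size"] else None,
    )


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise a batch of kernel lines; many threads dying at one ip at the
    same second points at a deterministic bug rather than random corruption."""
    faults = [f for f in map(parse_segfault_line, lines) if f is not None]
    ips = {f.ip for f in faults}
    return {
        "threads": len(faults),
        "distinct_ips": sorted(hex(i) for i in ips),
        "same_fault_everywhere": len(ips) == 1,
        "verdicts": {f.comm: f.verdict() for f in faults},
    }


def gdb_backtrace_argv(cmdline: List[str]) -> List[str]:
    """Assumed non-interactive form of the thread's procedure
    (gdb --args <cmd>, then 'run', then 'bt' once it stops)."""
    return ["gdb", "-batch", "-ex", "run", "-ex", "bt", "--args", *cmdline]


# Sample input: three lines copied from the thread, one non-segfault line,
# and one constructed data-access line (not from the thread).
SAMPLE_LINES = [
    "Jun 16 17:14:53 ipd1 kernel: device br1 entered promiscuous mode",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14",
]
CONSTRUCTED_DATA_FAULT = (
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr01[1]: segfault at 0 ip 0000000000412345 "
    "sp 00007f0000000000 error 4 in suricata[400000+179000]"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, "=", value)
    print(" ".join(gdb_backtrace_argv(["./suricata", "-c", "suricata.yaml", "-i", "br0"])))
```

Running it on the quoted lines reports three threads, a single distinct ip of 0x21, and the "jumped to unmapped address" verdict for each, which is the reason a plain log read cannot localise the bug and the backtrace from gdb is needed.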