[Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Sat Jun 16 16:28:56 UTC 2012


Ahh OK,
I get a lot of this and it will never end.

[3752] 16/6/2012 -- 18:25:39 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fee44c03700 (LWP 3752) exited]
[New Thread 0x7fee44202700 (LWP 3753)]
[3753] 16/6/2012 -- 18:25:39 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fee44202700 (LWP 3753) exited]
[New Thread 0x7fee43801700 (LWP 3754)]
[3754] 16/6/2012 -- 18:25:39 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fee43801700 (LWP 3754) exited]
^C[New Thread 0x7fee42e00700 (LWP 3755)]

After CTRL-C in gdb I get this info:
Program received signal SIGINT, Interrupt.
0x00000036d5005c00 in __nptl_create_event () from /lib64/libpthread.so.0
Missing separate debuginfos, use: debuginfo-install file-libs-5.04-11.el6.x86_64 glibc-2.12-1.47.el6_2.12.x86_64 libcap-ng-0.6.4-3.el6_0.1.x86_64 libgcc-4.4.6-3.el6.x86_64 libnet-1.1.5-1.el6.x86_64 libpcap-1.0.0-6.20091201git117cb5.el6.x86_64 zlib-1.2.3-27.el6.x86_64




From: Eric Leblond [mailto:eric at regit.org]
Sent: Saturday, 16 June 2012 18:22
To: Stefan Sabolowitsch
Cc: Peter Manev; oisf
Subject: Re: AW: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Oops. I forgot one step. After getting the gdb shell, use the run command (without any arguments).

BR.

Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hmmm, sorry Eric but I need a little more help.

When I take this here:

[root at ipd1 bin]# gdb --args ./suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/suricata...done.
(gdb)

But nothing crashes.

When I use this cmdline without “gdb --args”, suricata crashes directly.
What am I doing wrong here with gdb?

From: Eric Leblond [mailto:eric at regit.org]
Sent: Saturday, 16 June 2012 17:42
To: Stefan Sabolowitsch
Cc: Peter Manev; oisf
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Hello,

Can you run it in gdb and send us a backtrace?
You can do it by running
gdb --args mysuricatacmdline
Then when it crashes do
bt
And send us the result.

BR

Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:

Hi Peter, thanks for your fast answer.

I use the “-i” parameter for the interface, look here:

Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern

Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-DMZ/suricata.yaml -F /etc/nsm/Serrig-DMZ/bpf.filt -i br1 -l /nsm/sensor_data/Serrig-DMZ



And I compile with these parameters (CentOS 6.0 64-bit):

./autogen.sh

./configure --enable-pcre-jit


Version 1.3beta worked for two months without any problem, also version beta2. But then the problems started.



My last test…
Jun 16 17:14:46 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 17:14:46 ipd1 sancp: started normally
Jun 16 17:14:53 ipd1 sancp: Retrieved last connection ID: 5754608452622280998 8 0
Jun 16 17:14:53 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 17:14:53 ipd1 sancp: started normally
Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr025[14328]: segfault at 21 ip 0000000000000021 sp 00007fb62cdf8ce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr029[14332]: segfault at 21 ip 0000000000000021 sp 00007fb6261face8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr031[14334]: segfault at 21 ip 0000000000000021 sp 00007fb61d71ece8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr010[14313]: segfault at 21 ip 0000000000000021 sp 00007fb63e8dfce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]






From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Saturday, 16 June 2012 15:46
To: Stefan Sabolowitsch
Cc: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Hi Stefan,
Have you specified " interface br0" in the yaml conf file:
pcap:
  - interface: br0
    #buffer-size: 32768
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum com

How did you compile Suricata?

Thanks
On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
I have a segfault with the latest suricata version (rev 988c92f), never seen before “beta2”.

Any help ?

Thx
Stefan

-#-#-#- snipp #-#-#-#-#
Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode
Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode
Jun 16 13:55:49 ipd1 sancp: Exiting
Jun 16 13:55:50 ipd1 sancp: Exiting
Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0
Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 13:56:41 ipd1 sancp: started normally
Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]
Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0
Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 13:56:58 ipd1 sancp: started normally
-#-#-#-#-snapp-+-+-+-+-+-

And I found this in the logfile:

[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device






--
Regards,
Peter Manev
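
Added example, not part of the original thread: a small Python parser for the kernel `segfault at ...` syslog lines quoted above, decoding the `error` field with the x86 page-fault bit layout (the kernel prints it in hex). The function names are assumptions of this example; the sample lines are copied from the thread's syslog excerpt.

```python
import re

# x86 page-fault error-code bits; the kernel prints the code in hex.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x01, 0x02, 0x04, 0x08, 0x10

SEGV_RE = re.compile(
    r"kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<image>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Three lines copied from the syslog excerpt in the thread.
SAMPLE = """\
Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
"""

def decode_error(code):
    """Translate the page-fault error code into its meaning."""
    if code & PF_INSTR:
        access = "instruction fetch"
    else:
        access = "write" if code & PF_WRITE else "read"
    return {
        "cause": "protection violation" if code & PF_PROT else "page not mapped",
        "access": access,
        "mode": "user" if code & PF_USER else "kernel",
    }

def parse_segfaults(text):
    """Return one record per segfault line; continuation lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SEGV_RE.search(line)
        if not m:
            continue
        addr, ip = int(m["addr"], 16), int(m["ip"], 16)
        rec = {"thread": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip}
        rec.update(decode_error(int(m["err"], 16)))
        # ip == faulting address on a fetch: the CPU jumped to a bad address.
        rec["bad_jump"] = rec["access"] == "instruction fetch" and ip == addr
        # Is ip inside the reported image mapping (when the kernel printed one)?
        if m["base"]:
            base, size = int(m["base"], 16), int(m["size"], 16)
            rec["ip_in_image"] = base <= ip < base + size
        records.append(rec)
    return records
```

For the lines in this thread, `error 14` decodes to a user-mode instruction fetch from an unmapped page, and `ip` equals the faulting address `0x21`, so each capture thread faulted while trying to execute at that address rather than while reading or writing data.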
