[Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Sat Jun 16 16:31:21 UTC 2012


OK, with the second test it crashed by itself.

[3837] 16/6/2012 -- 18:29:15 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[New Thread 0x7fffee7be700 (LWP 3838)]
[3838] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffeddbd700 (LWP 3839)]
[3839] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffe75fe700 (LWP 3840)]
[3840] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fffeddbd700 (LWP 3839) exited]
[New Thread 0x7fffe6bfd700 (LWP 3841)]
[Thread 0x7fffee7be700 (LWP 3838) exited]
[Thread 0x7fffe75fe700 (LWP 3840) exited]
[3841] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffe61fc700 (LWP 3842)]
[Thread 0x7fffe6bfd700 (LWP 3841) exited]
[3842] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffe57fb700 (LWP 3844)]
[3844] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fffe61fc700 (LWP 3842) exited]
[New Thread 0x7fffe4dfa700 (LWP 3845)]
[Thread 0x7fffe57fb700 (LWP 3844) exited]
[3845] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fffe4dfa700 (LWP 3845) exited]
[New Thread 0x7fffc3fff700 (LWP 3846)]
[3846] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffc35fe700 (LWP 3847)]
[3847] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fffc3fff700 (LWP 3846) exited]
[New Thread 0x7fffc2bfd700 (LWP 3848)]
[Thread 0x7fffc35fe700 (LWP 3847) exited]
[3848] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffc21fc700 (LWP 3849)]
[3849] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[New Thread 0x7fffc17fb700 (LWP 3850)]
[New Thread 0x7fffc0dfa700 (LWP 3851)]
[3851] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[3850] 16/6/2012 -- 18:29:15 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[Thread 0x7fffc21fc700 (LWP 3849) exited]
[Thread 0x7fffc2bfd700 (LWP 3848) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffef1bf700 (LWP 3837)]
0x0000000000000021 in ?? ()
Missing separate debuginfos, use: debuginfo-install file-libs-5.04-11.el6.x86_64 glibc-2.12-1.47.el6_2.12.x86_64 libcap-ng-0.6.4-3.el6_0.1.x86_64 libgcc-4.4.6-3.el6.x86_64 libnet-1.1.5-1.el6.x86_64 libpcap-1.0.0-6.20091201git117cb5.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb)


From: Eric Leblond [mailto:eric at regit.org]
Sent: Saturday, 16 June 2012 18:22
To: Stefan Sabolowitsch
Cc: Peter Manev; oisf
Subject: Re: AW: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Oops. I forgot one step: after getting the gdb shell, use the run command (without any arguments).

BR.

Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hmmm, sorry Eric but I need a little more help.

When I take this here:

[root at ipd1 bin]# gdb --args ./suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/suricata...done.
(gdb)

But nothing crashes.

When I take this cmdline without “gdb --args”, suricata crashes directly.
What am I doing wrong here with gdb?

From: Eric Leblond [mailto:eric at regit.org]
Sent: Saturday, 16 June 2012 17:42
To: Stefan Sabolowitsch
Cc: Peter Manev; oisf
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Hello,

Can you run it in gdb and send us a backtrace?
You can do it by running
gdb --args mysuricatacmdline
Then when it crashes do
bt
And send us the result.

BR

Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:

Hi Peter, thanks for your fast answer.

I use the “-i” parameter for the interface, look here:

Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern

Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-DMZ/suricata.yaml -F /etc/nsm/Serrig-DMZ/bpf.filt -i br1 -l /nsm/sensor_data/Serrig-DMZ



And I compile with these parameters (CentOS 6.0 64-bit):

./autogen.sh

./configure --enable-pcre-jit


Version 1.3beta worked for two months without any problem, also version beta2. But then the problems started.



My last test…
Jun 16 17:14:46 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 17:14:46 ipd1 sancp: started normally
Jun 16 17:14:53 ipd1 sancp: Retrieved last connection ID: 5754608452622280998 8 0
Jun 16 17:14:53 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 17:14:53 ipd1 sancp: started normally
Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr025[14328]: segfault at 21 ip 0000000000000021 sp 00007fb62cdf8ce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr029[14332]: segfault at 21 ip 0000000000000021 sp 00007fb6261face8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr031[14334]: segfault at 21 ip 0000000000000021 sp 00007fb61d71ece8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr010[14313]: segfault at 21 ip 0000000000000021 sp 00007fb63e8dfce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]






From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Saturday, 16 June 2012 15:46
To: Stefan Sabolowitsch
Cc: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x

Hi Stefan,
Have you specified "interface br0" in the yaml conf file:
pcap:
  - interface: br0
    #buffer-size: 32768
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum com

How did you compile Suricata?

Thanks
On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
I have a segfault with the latest Suricata version (rev 988c92f), never seen before “beta2”.

Any help?

Thx
Stefan

-#-#-#- snipp #-#-#-#-#
Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode
Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode
Jun 16 13:55:49 ipd1 sancp: Exiting
Jun 16 13:55:50 ipd1 sancp: Exiting
Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0
Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 13:56:41 ipd1 sancp: started normally
Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]
Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0
Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 13:56:58 ipd1 sancp: started normally
-#-#-#-#-snapp-+-+-+-+-+-

And I found this in the logfile:

[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device






--
Regards,
Peter Manev
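
The kernel "segfault at" lines quoted in this thread can be decoded mechanically. The following is an added example, not part of the original messages and not Suricata code: it parses those lines assuming the x86 page-fault error-code bit layout and that the kernel prints the code in hexadecimal; the function names are hypothetical and the sample lines are copied from the thread.

```python
import re

# x86 page-fault error-code bits; the kernel prints the code in hex after "error".
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x01, 0x02, 0x04, 0x08, 0x10

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Lines copied from the syslog excerpt in this thread.
SAMPLE = [
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip "
    "0000000000000021 sp 00007fb5e75fcce8 error 14",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip "
    "0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]",
    "Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]",
]


def decode_error(code):
    """Translate a page-fault error code into readable flags."""
    flags = [
        "protection violation" if code & PF_PROT else "page not present",
        "write" if code & PF_WRITE else "read",
        "user mode" if code & PF_USER else "kernel mode",
    ]
    if code & PF_RSVD:
        flags.append("reserved bit set")
    if code & PF_INSTR:
        flags.append("instruction fetch")
    return flags


def parse_segfault(line):
    """Return a dict for one 'segfault at' line, or None if it is not one."""
    m = SEGV_RE.search(line)
    if m is None:
        return None  # e.g. an interleaved "in suricata[...]" continuation line
    addr, ip, err = (int(m.group(k), 16) for k in ("addr", "ip", "err"))
    rec = {"thread": m.group("comm"), "pid": int(m.group("pid")),
           "addr": addr, "ip": ip, "flags": decode_error(err),
           "object": m.group("obj"), "ip_in_object": None}
    if m.group("obj"):
        # The mapping named in the line need not contain ip; check it.
        base, size = int(m.group("base"), 16), int(m.group("size"), 16)
        rec["ip_in_object"] = base <= ip < base + size
    # An instruction fetch that faults at ip itself means control was
    # transferred to an unmapped address (bad function pointer or return).
    rec["bad_jump"] = bool(err & PF_INSTR) and addr == ip
    return rec


if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_segfault(line))
```

For the lines in this thread it reports a user-mode instruction fetch from 0x21, which matches the `0x0000000000000021 in ?? ()` frame gdb printed and shows that ip lies outside the `suricata[400000+179000]` mapping named in the message.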
