[Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Tue Jun 19 08:55:29 UTC 2012
Hi Peter,
It's definitely this commit "bd3a655aeb8975ae8c51a02213d40bf21047f5e9" with pcap changes.
With these pcap changes I get a segfault directly.
I have tested all commits from beta2 to this problem commit.
Stefan
On 19.06.2012 at 09:48, Peter Manev wrote:
Here is some good info for the git commands:
http://www.siteground.com/tutorials/git/commands.htm
but you would mostly need "git log" and "git checkout", after you have done the
"git clone git://phalanx.openinfosecfoundation.org/oisf.git"
This could be long and tenacious, but thank you very much for your efforts!!
On Tue, Jun 19, 2012 at 9:42 AM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
No Peter...
but I can test the individual branches, master, updates.
Maybe we'll find the errors faster.
How do I do that with git?
On 19.06.2012 at 09:33, Peter Manev wrote:
Are you using Napatech or Myricom?
On Tue, Jun 19, 2012 at 9:24 AM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi Peter,
I had no problem before version beta2, this machine ran for more than 3 months without any problem.
I think the problems started from 11.06.12.
Maybe this is the problem:
suricata-1.3beta2-11-g988c92f
- Log -----------------------------------------------------------------
commit bd3a655aeb8975ae8c51a02213d40bf21047f5e9
Author: Victor Julien <victor at inliniac.net>
Date: Sun May 20 12:12:42 2012 +0200
Add pcap workers mode.
Some cards like Napatech or Myricom support libpcap wrappers that allow for
multiple streams, queues, ringbuffers. The workers mode can be of use in
those cases.
-----------------------------------------------------------------------
Summary of changes:
src/runmode-pcap.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++----
src/source-pcap.h | 2 +
2 files changed, 77 insertions(+), 6 deletions(-)
thx
Stefan
On 19.06.2012 at 09:09, Peter Manev wrote:
Hi Stefan,
So this problem is only on beta1? You have never had that problem with beta2, correct?
thanks
On Tue, Jun 19, 2012 at 9:06 AM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
Any news here? Do you need any information or help from me (debug etc.)?
Actually I run without any problem on beta2.
thx
Stefan
On 16.06.2012 at 18:21, Eric Leblond wrote:
Oops. I forgot one step. After getting the gdb shell, use the run command (without any arguments).
BR.
Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hmmm, sorry Eric but I need a little more help.
When I take this here:
[root at ipd1 bin]# gdb --args ./suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/suricata...done.
(gdb)
But nothing crashes.
When I take this cmdline without "gdb --args", suricata crashes directly.
What am I doing wrong here with gdb?
From: Eric Leblond [mailto:eric at regit.org]
Sent: Saturday, 16 June 2012 17:42
To: Stefan Sabolowitsch
Cc: Peter Manev; oisf
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x
Hello,
Can you run it in gdb and send us a backtrace?
You can do it by running
gdb --args mysuricatacmdline
Then when it crashes do
bt
And send us the result.
BR
Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi Peter, thanks for your fast answer.
I use the “-i” parameter for the interface, look here:
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -i br0 -l /nsm/sensor_data/Serrig-intern
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-DMZ/suricata.yaml -F /etc/nsm/Serrig-DMZ/bpf.filt -i br1 -l /nsm/sensor_data/Serrig-DMZ
And I compile with these parameters (CentOS 6.0 64bit):
./autogen.sh
./configure --enable-pcre-jit
Version 1.3beta worked for two months without any problem, also version beta2. But then the problems started.
My last test…
Jun 16 17:14:46 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 17:14:46 ipd1 sancp: started normally
Jun 16 17:14:53 ipd1 sancp: Retrieved last connection ID: 5754608452622280998 8 0
Jun 16 17:14:53 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 17:14:53 ipd1 sancp: started normally
Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr025[14328]: segfault at 21 ip 0000000000000021 sp 00007fb62cdf8ce8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr029[14332]: segfault at 21 ip 0000000000000021 sp 00007fb6261face8 error 14
Jun 16 17:14:59 ipd1 kernel: RxPcapbr031[14334]: segfault at 21 ip 0000000000000021 sp 00007fb61d71ece8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: RxPcapbr010[14313]: segfault at 21 ip 0000000000000021 sp 00007fb63e8dfce8 error 14 in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Saturday, 16 June 2012 15:46
To: Stefan Sabolowitsch
Cc: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] segfault with latest suricata version (rev 988c92f) 1.3x
Hi Stefan,
Have you specified "interface br0" in the yaml conf file:
pcap:
  - interface: br0
    #buffer-size: 32768
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum com
How did you compile Suricata?
Thanks
On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
With the latest Suricata version (rev 988c92f) I have a segfault, never seen before “beta2”.
Any help?
Thx
Stefan
-#-#-#- snipp #-#-#-#-#
Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode
Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode
Jun 16 13:55:49 ipd1 sancp: Exiting
Jun 16 13:55:50 ipd1 sancp: Exiting
Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0
Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode
Jun 16 13:56:41 ipd1 sancp: started normally
Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14
Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]
Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]
Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0
Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode
Jun 16 13:56:58 ipd1 sancp: started normally
-#-#-#-#-snapp-+-+-+-+-+-
And I found this in the logfile:
[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0
[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
[10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device
--
Regards,
Peter Manev
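
The kernel segfault lines quoted in this thread can be decoded mechanically. The following is an added example, not part of the original messages or of Suricata; its function names are illustrative and the sample lines are copied from the syslog excerpt above. It relies on Linux printing the x86 page-fault error code in hex, so `error 14` is 0x14: a user-mode instruction fetch from an unmapped page, here at the fault address 0x21 itself.

```python
import re

# x86 page-fault error-code bits; the Linux kernel prints the code in hex.
PF_BITS = {
    0x01: "protection",   # set: page present, access denied; clear: page not mapped
    0x02: "write",        # set: write access; clear: read
    0x04: "user",         # set: fault raised in user mode
    0x08: "reserved",     # set: reserved bit found in a page-table entry
    0x10: "instr_fetch",  # set: fault happened on an instruction fetch
}

SEGV_RE = re.compile(
    r"kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[)?"
)

def decode_error(code):
    """Return the set of flag names set in a page-fault error code."""
    return {name for bit, name in PF_BITS.items() if code & bit}

def parse_segfault(line):
    """Parse one syslog line; return a dict, or None if it is not a segfault record."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    rec = {k: int(m[k], 16) for k in ("addr", "ip", "sp", "err")}
    rec.update(comm=m["comm"], pid=int(m["pid"]), obj=m["obj"],
               flags=decode_error(rec["err"]))
    # Instruction fetch from the faulting address itself: the thread tried to
    # execute at `addr`, e.g. through a bad function pointer or return address.
    rec["bad_jump"] = "instr_fetch" in rec["flags"] and rec["ip"] == rec["addr"]
    return rec

def summarise(lines):
    """Group parsed records by (fault address, error code) and collect PIDs."""
    groups = {}
    for rec in filter(None, map(parse_segfault, lines)):
        groups.setdefault((rec["addr"], rec["err"]), []).append(rec["pid"])
    return groups

# Lines copied from the syslog excerpt in the thread above.
SAMPLE = [
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr034[14337]: segfault at 21 ip 0000000000000021 sp 00007fb5e75fcce8 error 14",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr038[14341]: segfault at 21 ip 0000000000000021 sp 00007fb5e4df8ce8 error 14 in suricata[400000+179000]",
    "Jun 16 17:14:59 ipd1 kernel: in suricata[400000+179000]",
    "Jun 16 17:14:59 ipd1 kernel: RxPcapbr027[14330]: segfault at 21 ip 0000000000000021 sp 00007fb6275fcce8 error 14",
]

if __name__ == "__main__":
    for key, pids in summarise(SAMPLE).items():
        print("addr=%#x err=%#x" % key, "pids:", pids)
```

Every thread that crashes with the same (address, error code) pair lands in one group, which makes it easy to see that all the RxPcap threads fail the same way.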