[Oisf-users] vlan on bond if problem

Geert Alberghs alberghs.g at gmail.com
Mon May 21 14:50:55 UTC 2012


Hello,

When using the following command to launch suricata:

*exec suricata -D --pidfile /var/run/suricata.pid -c
/etc/suricata/suricata.yaml -i bond0 -i vlan411 "not vlan"*

Suricata starts normally, analyses the rules, loads them etc. But a few
moments after this the process stops without any notification in
suricata.log.

When the same command is launched but without the vlan interfaces,
everything works fine. Whether this is a multi-interface problem or a vlan
untagging problem, I don't know.

The reason why the vlans are used is because of mirroring limitations in a
particular switch: all incoming traffic on the mirror port is in the
default vlan, all outgoing in vlan 411.

gdb output for *suricata -c /etc/suricata/suricata.yaml -i bond0 -i vlan411
"not vlan"*:

21/5/2012 -- 15:54:48 - <Info> - 15 rule files processed. 41435 rules
succesfully loaded, 0 rules failed
21/5/2012 -- 15:56:45 - <Info> - 42631 signatures processed. 1809 are
IP-only rules, 37788 are inspecting packet payload, 13120 inspect
application layer, 0 are decoder event only
21/5/2012 -- 15:56:45 - <Info> - building signature grouping structure,
stage 1: adding signatures to signature source addresses... complete
21/5/2012 -- 15:56:50 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
21/5/2012 -- 15:56:55 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
21/5/2012 -- 15:57:10 - <Info> - Threshold config parsed: 5 rule(s) found
21/5/2012 -- 15:57:10 - <Info> - Core dump size set to unlimited.
21/5/2012 -- 15:57:10 - <Info> - fast output device (regular) initialized:
fast.log
21/5/2012 -- 15:57:10 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 32 MB
21/5/2012 -- 15:57:10 - <Info> - http-log output device (regular)
initialized: http.log
21/5/2012 -- 15:57:10 - <Info> - Using 2 live device(s).
21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via
old 'bpf-filter' option.
[New Thread 0x7ffff636c700 (LWP 9636)]
21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via
old 'bpf-filter' option.
21/5/2012 -- 15:57:10 - <Info> - using interface bond0
21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode. Detection
of interface state will require 1000 packets.
[New Thread 0x7ffff5b6b700 (LWP 9637)]
21/5/2012 -- 15:57:10 - <Info> - using interface vlan411
21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode. Detection
of interface state will require 1000 packets.
[New Thread 0x7ffff536a700 (LWP 9638)]
[New Thread 0x7ffff4b69700 (LWP 9640)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff4b69700 (LWP 9640)]
0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) btµ
Invalid character '�' in expression.
(gdb) bt
#0  0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff69c1f72 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff69c4e1e in malloc () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00000000004fd054 in PmqSetup ()
#4  0x00000000004402e8 in DetectEngineThreadCtxInit ()
#5  0x0000000000435b17 in DetectThreadInit ()
#6  0x000000000056d1ed in TmThreadsSlot1 ()
#7  0x00007ffff713fd8c in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007ffff6a2ec2d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000000000 in ?? ()

Any idea where the problem might reside?

Gtz

Geert