[Oisf-users] vlan on bond if problem

Victor Julien victor at inliniac.net
Mon May 21 14:59:17 UTC 2012


On 05/21/2012 04:50 PM, Geert Alberghs wrote:
> Hello,
> 
> when using the following command to launch suricata:
> 
> *exec suricata -D --pidfile /var/run/suricata.pid -c
> /etc/suricata/suricata.yaml -i bond0 -i vlan411 "not vlan"*
> 
> Suricata starts normally, analyses the rules, loads them etc. But a few
> moments after this the process stops without any notification in
> suricata.log.
> 
> When the same command is launched but without the vlan interfaces,
> everything works fine. Is there a multi-interfaces problem or a vlan
> untagging problem, I don't know.
> 
> The reason why the vlan's are used is because of mirroring limitations
> in a particular switch: all incoming traffic on the mirror port is in
> the default vlan, all outgoing in vlan 411.
> 
> gdb output for *suricata -c /etc/suricata/suricata.yaml -i bond0 -i
> vlan411 "not vlan"*:
> 
> 21/5/2012 -- 15:54:48 - <Info> - 15 rule files processed. 41435 rules
> succesfully loaded, 0 rules failed
> 21/5/2012 -- 15:56:45 - <Info> - 42631 signatures processed. 1809 are
> IP-only rules, 37788 are inspecting packet payload, 13120 inspect
> application layer, 0 are decoder event only
> 21/5/2012 -- 15:56:45 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 21/5/2012 -- 15:56:50 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 21/5/2012 -- 15:56:55 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 21/5/2012 -- 15:57:10 - <Info> - Threshold config parsed: 5 rule(s) found
> 21/5/2012 -- 15:57:10 - <Info> - Core dump size set to unlimited.
> 21/5/2012 -- 15:57:10 - <Info> - fast output device (regular)
> initialized: fast.log
> 21/5/2012 -- 15:57:10 - <Info> - Unified2-alert initialized: filename
> unified2.alert, limit 32 MB
> 21/5/2012 -- 15:57:10 - <Info> - http-log output device (regular)
> initialized: http.log
> 21/5/2012 -- 15:57:10 - <Info> - Using 2 live device(s).
> 21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via
> old 'bpf-filter' option.
> [New Thread 0x7ffff636c700 (LWP 9636)]
> 21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via
> old 'bpf-filter' option.
> 21/5/2012 -- 15:57:10 - <Info> - using interface bond0
> 21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode.
> Detection of interface state will require 1000 packets.
> [New Thread 0x7ffff5b6b700 (LWP 9637)]
> 21/5/2012 -- 15:57:10 - <Info> - using interface vlan411
> 21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode.
> Detection of interface state will require 1000 packets.
> [New Thread 0x7ffff536a700 (LWP 9638)]
> [New Thread 0x7ffff4b69700 (LWP 9640)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff4b69700 (LWP 9640)]
> 0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> (gdb) btµ
> Invalid character '�' in expression.
> (gdb) bt
> #0  0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #1  0x00007ffff69c1f72 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #2  0x00007ffff69c4e1e in malloc () from /lib/x86_64-linux-gnu/libc.so.6
> #3  0x00000000004fd054 in PmqSetup ()
> #4  0x00000000004402e8 in DetectEngineThreadCtxInit ()
> #5  0x0000000000435b17 in DetectThreadInit ()
> #6  0x000000000056d1ed in TmThreadsSlot1 ()
> #7  0x00007ffff713fd8c in start_thread () from
> /lib/x86_64-linux-gnu/libpthread.so.0
> #8  0x00007ffff6a2ec2d in clone () from /lib/x86_64-linux-gnu/libc.so.6
> #9  0x0000000000000000 in ?? ()
> 
> Any idea where the problem might reside? 

The segv is in the per detection thread set up code. It may be related
to the high number of rules you run. Could you try running without rules
just to test?

suricata -c /etc/suricata/suricata.yaml -S /dev/null -i bond0 -i vlan411
"not vlan"

-S overrides the rule files from the yaml, in this case it loads
/dev/null which means it loads no rules.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------