[Oisf-users] Suricata can trigger a crash in recent kernel

Eric Leblond eric at regit.org
Tue Nov 6 15:08:39 UTC 2012


I would like to warn users that:
      * run Suricata in AF_PACKET mode AND
      * are using multiple capture threads per-interface
There is a recently introduced bug in AF_PACKET kernel code. If packet
fanout is used (multiple capture threads), then a oops can occur leading
to a crashed dead box.

The problem is kernel side and there is no way to fix it from userspace.
So the only ways to fix the issue are:
      * Use a non vulnerable kernel (older)
      * Use only one capture thread but this will degrade performance
      * Fallback to another capture method
      * Patch kernel with

Some info about tested kernels:
      * Vanilla kernel 3.6 and 3.7 are vulnerable
      * Ubuntu 12.04 and ubuntu 12.10 default kernels are vulnerable
      * Debian kernels seem not to be.

Eric Leblond <eric at regit.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20121106/5045ec75/attachment.pgp>

More information about the Oisf-users mailing list