[Oisf-users] Suricata process goes down from time to time

C. L. Martinez carlopmart at gmail.com
Wed Jun 12 05:51:30 UTC 2013


On Mon, Jun 10, 2013 at 7:53 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> On Mon, Jun 10, 2013 at 7:47 AM, Victor Julien <lists at inliniac.net> wrote:
>> On 06/10/2013 09:38 AM, C. L. Martinez wrote:
>>> On Mon, Jun 10, 2013 at 7:38 AM, Peter Manev <petermanev at gmail.com> wrote:
>>>> On Mon, Jun 10, 2013 at 9:36 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
>>>>> Hi all,
>>>>>
>>>>>  I have installed Suricata 1.4.2 on an OpenBSD 5.3 amd64 host. From
>>>>> time to time, suricata goes down and I suspect that the problem may
>>>>> be with the memcap options, but I am not sure.
>>>>>
>>>>>  It doesn't produce any core dump, it only goes down ... How can I debug this?
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
>>>>
>>>> Hi ,
>>>>
>>>> What do you mean "goes down" - stops/exits?
>>>>
>>>> thanks
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>
>>> stops ... and no log error is produced ...
>>
>> The first thing I'd check is whether there is anything logged in the system
>> logs. On Linux a crashing program is often logged in dmesg, for example;
>> maybe OpenBSD does something similar?
>>
>> Also, try not daemonizing suricata but running it in the foreground. Then
>> you'll see whether suri prints an error.
>>


Uhmm .. this is really strange. After running suricata without
daemonizing for over 46 hours:

root at nsm01:/etc/monit.d# suricata -c
/data/config/etc/idpsuricata02/suricata.yaml -i em5 -F
/data/config/etc/bpf/proxy_out.conf
10/6/2013 -- 07:57:19 - <Info> - This is Suricata version 1.4.2 RELEASE
10/6/2013 -- 07:57:19 - <Info> - CPUs/cores online: 1
10/6/2013 -- 07:57:19 - <Info> - Live rule reloads enabled
10/6/2013 -- 07:57:19 - <Info> - Found an MTU of 1500 for 'em5'
^Croot at nsm01:/etc/monit.d# date
Wed Jun 12 05:48:41 UTC 2013
root at plzfnsm01:/etc/monit.d#

and:

10/6/2013 -- 07:58:15 - <Info> - all 2 packet processing threads, 3
management threads initialized, engine started.
10/6/2013 -- 07:58:15 - <Info> - No packets with invalid checksum,
assuming checksum offloading is NOT used
11/6/2013 -- 03:28:11 - <Info> - ===== Starting live rule swap
triggered by user signal USR2 =====
11/6/2013 -- 03:28:11 - <Info> - IP reputation disabled
11/6/2013 -- 03:28:22 - <Info> - 22 rule files processed. 10964 rules
successfully loaded, 0 rules failed
11/6/2013 -- 03:29:26 - <Info> - 10971 signatures processed. 163 are
IP-only rules, 2768 are inspecting packet payload, 9753 inspect
application layer, 0 are decoder event only
11/6/2013 -- 03:29:26 - <Info> - building signature grouping
structure, stage 1: adding signatures to signature source addresses...
complete
11/6/2013 -- 03:29:27 - <Info> - building signature grouping
structure, stage 2: building source address list... complete
11/6/2013 -- 03:29:30 - <Info> - building signature grouping
structure, stage 3: building destination address lists... complete
11/6/2013 -- 03:29:33 - <Info> - Threshold config parsed: 1 rule(s) found
11/6/2013 -- 03:29:34 - <Info> - Live rule swap has swapped 1 old
det_ctx's with new ones, along with the new de_ctx
11/6/2013 -- 03:29:34 - <Info> - cleaning up signature grouping
structure... complete
11/6/2013 -- 03:29:34 - <Info> - ===== Live rule swap DONE =====
12/6/2013 -- 05:48:29 - <Info> - Signal Received.  Stopping engine.
12/6/2013 -- 05:48:29 - <Info> - 0 new flows, 0 established flows were
timed out, 0 flows in closed state
12/6/2013 -- 05:48:29 - <Info> - time elapsed 165014.125s
12/6/2013 -- 05:48:29 - <Info> - (RxPcapem51) Packets 57116798, bytes
43704444054
12/6/2013 -- 05:48:29 - <Info> - (RxPcapem51) Pcap Total:2865454711
Recv:2864974990 Drop:479721 (0.0%).
12/6/2013 -- 05:48:29 - <Info> - AutoFP - Total flow handler queues - 1
12/6/2013 -- 05:48:29 - <Info> - AutoFP - Queue 0  - pkts: 57350109
 flows: 316121
12/6/2013 -- 05:48:29 - <Info> - Stream TCP processed 57349075 TCP packets
12/6/2013 -- 05:48:29 - <Info> - Fast log output wrote 118 alerts
12/6/2013 -- 05:48:29 - <Info> - Alert unified2 module wrote 118 alerts
12/6/2013 -- 05:48:29 - <Info> - TLS logger logged 41190 requests
12/6/2013 -- 05:48:29 - <Info> - host memory usage: 194304 bytes,
maximum: 16777216
12/6/2013 -- 05:48:29 - <Info> - cleaning up signature grouping
structure... complete

The suricata process doesn't stop ... It seems the problem only appears
when I run suricata in daemonized mode ...

Is this possible?
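Added example, not code from this thread or from the Suricata project: the foreground advice in the reply above works because a daemonized process has detached from its terminal and closed stderr, so whatever it writes in its last moments is lost, and a termination by signal leaves no trace in the application log at all. The wrapper below keeps a foreground run under control of a script, appends the process's stdout/stderr to a file, enables core dumps, and records the exit status or terminating signal (the shell reports a signal death as 128 + signal number). LOGFILE and the function names are assumptions chosen for the example; the command run under it is whatever suricata invocation you use, not the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): run a daemon in the foreground, keep
# everything it writes, and record *how* it ended, so a silent exit is no
# longer silent. POSIX sh; intended for OpenBSD or Linux.
#
# Assumptions (hypothetical, not from the original post):
#   LOGFILE - where the wrapped process's stdout/stderr and our own
#             bookkeeping lines are appended.
LOGFILE=${LOGFILE:-/var/log/suricata-foreground.log}

# Map a shell exit status to a human-readable reason. A child killed by a
# signal is reported as 128 + signal number, so anything above 128 means
# the process did not exit on its own.
describe_exit() {
    st=$1
    if [ "$st" -gt 128 ]; then
        sig=$((st - 128))
        case $sig in
            2)  name=SIGINT ;;
            6)  name=SIGABRT ;;   # abort(), e.g. a failed assertion
            9)  name=SIGKILL ;;   # uncatchable: kill -9, OOM killer, ...
            11) name=SIGSEGV ;;
            13) name=SIGPIPE ;;
            15) name=SIGTERM ;;
            *)  name="signal $sig" ;;
        esac
        echo "killed by $name ($sig)"
    else
        echo "exited with status $st"
    fi
}

# Run a command in the foreground, append its output to $1, and record its
# fate. Prints the reason on stdout and returns the command's own status.
run_logged() {
    log=$1; shift
    # Allow core dumps so a crash leaves a core file to inspect.
    ulimit -c unlimited 2>/dev/null || :
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') start: $*" >>"$log"
    status=0
    "$@" >>"$log" 2>&1 || status=$?
    reason=$(describe_exit "$status")
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') end: $reason" >>"$log"
    echo "$reason"
    return "$status"
}

# Usage (uncomment for a real run; the path and interface are placeholders):
# run_logged "$LOGFILE" suricata -c /path/to/suricata.yaml -i em5
```

If the recorded reason is a signal, the next things to look at are the system log and dmesg for the kernel's view of the event, the working directory for a core file, and the process's resource limits; "exited with status N" with nothing in the log points instead at the program deciding to stop on its own.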


