[Oisf-users] suricata unexpectedly exiting

David Mandelberg david at mandelberg.org
Tue Sep 3 23:27:33 UTC 2013 

Hi,

When I try to run suricata, it quits unexpectedly after a few minutes 
with a return code of 132. My suricata.yaml is attached, and the output 
is below. Is this a bug or am I doing something wrong?

$ time sudo suricata --user root --group root -c 
/usr/local/etc/suricata/suricata.yaml --pcap; echo $?
[5900] 3/9/2013 -- 16:17:42 - (suricata.c:1282) <Info> (main) -- This 
is Suricata version 2.0dev (rev c2de86e)
[5900] 3/9/2013 -- 16:17:42 - (util-cpu.c:166) <Info> 
(UtilCpuPrintSummary) -- CPUs/cores online: 4
[5900] 3/9/2013 -- 16:17:42 - (util-ioctl.c:85) <Info> (GetIfaceMTU) -- 
Failure when trying to get MTU via ioctl: 19
[5900] 3/9/2013 -- 16:17:42 - (defrag-hash.c:203) <Info> 
(DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag 
hash... 65536 buckets of size 56
[5900] 3/9/2013 -- 16:17:42 - (defrag-hash.c:228) <Info> 
(DefragInitConfig) -- preallocated 65535 defrag trackers of size 144
[5900] 3/9/2013 -- 16:17:42 - (defrag-hash.c:235) <Info> 
(DefragInitConfig) -- defrag memory usage: 13107056 bytes, maximum: 
33554432
[5900] 3/9/2013 -- 16:17:42 - (tmqh-flow.c:76) <Info> 
(TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow 
load balancer
[5900] 3/9/2013 -- 16:17:42 - (tmqh-packetpool.c:131) <Info> 
(PacketPoolInit) -- preallocated 5000 packets. Total memory 21290000
[5900] 3/9/2013 -- 16:17:42 - (host.c:204) <Info> (HostInitConfig) -- 
allocated 229376 bytes of memory for the host hash... 4096 buckets of 
size 56
[5900] 3/9/2013 -- 16:17:42 - (host.c:227) <Info> (HostInitConfig) -- 
preallocated 1000 hosts of size 120
[5900] 3/9/2013 -- 16:17:42 - (host.c:229) <Info> (HostInitConfig) -- 
host memory usage: 349376 bytes, maximum: 16777216
[5900] 3/9/2013 -- 16:17:42 - (flow.c:412) <Info> (FlowInitConfig) -- 
allocated 3670016 bytes of memory for the flow hash... 65536 buckets of 
size 56
[5900] 3/9/2013 -- 16:17:42 - (flow.c:436) <Info> (FlowInitConfig) -- 
preallocated 10000 flows of size 272
[5900] 3/9/2013 -- 16:17:42 - (flow.c:438) <Info> (FlowInitConfig) -- 
flow memory usage: 6390016 bytes, maximum: 33554432
[5900] 3/9/2013 -- 16:17:42 - (reputation.c:442) <Info> (SRepInit) -- 
IP reputation disabled
[5900] 3/9/2013 -- 16:17:42 - (util-magic.c:61) <Info> (MagicInit) -- 
using magic-file /usr/share/file/magic
[5900] 3/9/2013 -- 16:17:42 - (suricata.c:1859) <Info> (main) -- 
Delayed detect disabled
[5900] 3/9/2013 -- 16:17:42 - (detect.c:301) <Error> 
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening 
rule file /usr/local/etc/suricata/rules/dns-events.rules: No such file 
or directory.
[5900] 3/9/2013 -- 16:17:42 - (detect.c:456) <Info> (SigLoadSignatures) 
-- 6 rule files processed. 215 rules successfully loaded, 0 rules failed
[5900] 3/9/2013 -- 16:17:42 - (detect.c:2727) <Info> 
(SigAddressPrepareStage1) -- 219 signatures processed. 8 are IP-only 
rules, 0 are inspecting packet payload, 35 inspect application layer, 90 
are decoder event only
[5900] 3/9/2013 -- 16:17:42 - (detect.c:2730) <Info> 
(SigAddressPrepareStage1) -- building signature grouping structure, 
stage 1: adding signatures to signature source addresses... complete
[5900] 3/9/2013 -- 16:17:42 - (detect.c:3356) <Info> 
(SigAddressPrepareStage2) -- building signature grouping structure, 
stage 2: building source address list... complete
[5900] 3/9/2013 -- 16:17:42 - (detect.c:3998) <Info> 
(SigAddressPrepareStage3) -- building signature grouping structure, 
stage 3: building destination address lists... complete
[5900] 3/9/2013 -- 16:17:42 - (util-threshold-config.c:983) <Info> 
(SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[5900] 3/9/2013 -- 16:17:42 - (util-coredump-config.c:122) <Info> 
(CoredumpLoadConfig) -- Core dump size set to unlimited.
[5900] 3/9/2013 -- 16:17:42 - (util-privs.c:101) <Info> 
(SCDropMainThreadCaps) -- dropped the caps for main thread
[5900] 3/9/2013 -- 16:17:42 - (util-logopenfile.c:169) <Info> 
(SCConfLogOpenGeneric) -- fast output device (regular) initialized: 
fast.log
[5900] 3/9/2013 -- 16:17:42 - (alert-unified2-alert.c:1043) <Info> 
(Unified2AlertInitCtx) -- Unified2-alert initialized: filename 
snort.unified2, limit 32 MB
[5900] 3/9/2013 -- 16:17:42 - (util-logopenfile.c:169) <Info> 
(SCConfLogOpenGeneric) -- drop output device (regular) initialized: 
drop.log
[5900] 3/9/2013 -- 16:17:42 - (util-device.c:147) <Info> 
(LiveBuildDeviceList) -- Adding interface eth1 from config file
[5900] 3/9/2013 -- 16:17:42 - (util-runmodes.c:516) <Info> 
(RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[5905] 3/9/2013 -- 16:17:42 - (source-pcap.c:392) <Info> 
(ReceivePcapThreadInit) -- using interface eth1
[5905] 3/9/2013 -- 16:17:42 - (source-pcap.c:397) <Info> 
(ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of 
interface state will require 1000 packets.
[5905] 3/9/2013 -- 16:17:42 - (util-ioctl.c:91) <Info> (GetIfaceMTU) -- 
Found an MTU of 1500 for 'eth1'
[5905] 3/9/2013 -- 16:17:42 - (source-pcap.c:432) <Info> 
(ReceivePcapThreadInit) -- Set snaplen to 1500 for 'eth1'
[5900] 3/9/2013 -- 16:17:42 - (runmode-pcap.c:388) <Info> 
(RunModeIdsPcapWorkers) -- RunModeIdsPcapWorkers initialised
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:356) <Info> 
(StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:372) <Info> 
(StreamTcpInitConfig) -- stream "memcap": 33554432
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:378) <Info> 
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:384) <Info> 
(StreamTcpInitConfig) -- stream "async-oneside": disabled
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:401) <Info> 
(StreamTcpInitConfig) -- stream "checksum-validation": enabled
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:423) <Info> 
(StreamTcpInitConfig) -- stream."inline": disabled
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:436) <Info> 
(StreamTcpInitConfig) -- stream "max-synack-queued": 5
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:454) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:472) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:555) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2644
[5900] 3/9/2013 -- 16:17:42 - (stream-tcp.c:557) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2658
[5900] 3/9/2013 -- 16:17:42 - (tm-threads.c:2165) <Info> 
(TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 3 
management threads initialized, engine started.

real	1m36.709s
user	0m1.264s
sys	0m0.092s
132

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: suricata.yaml
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130903/99db6686/attachment.ksh>

More information about the Oisf-users mailing list