[Oisf-users] suricata stops working

[Peter Manev]

> On 21 jul 2015, at 15:53, Pedro Neves <pmneves at gmail.com> wrote:
> 
> Hi,
> 
> I am new to Suricata.
> My server info:
> VM Guest (using VirtualBox 5.0) with 1Gb Ram
>  Ubuntu server 14.04
>  Suricata (2.0.8)
> 
> It worked fine until yesterday.
> Now it stoped working a few seconds after I run it.
> By stop working I mean:
>  - stops logging to fast.log
>  - on the stats.log I can see that almost every variable freezes (is the same over time)
>     decoder.pkts
>     decoder.bytes
>     ...
> 
> This happens with pcap live mode and pf_ring (installed to check if it would solve the problem)
>    LD_LIBRARY_PATH=/usr/local/lib        /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 -v --init-errors-fatal   # default mode
> 
>    LD_LIBRARY_PATH=/usr/local/pfring/lib /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --runmode=autofp -v --init-errors-fatal   # pf_ring
> 
> 
> When I kill the suricata process I get:
>  19/7/2015 -- 07:36:07 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPcapeth01".  Killing engine
> 
> I get "RxPFR1" or "RxPcapeth01" depending if I am running in pf_ring mode or not.
> 
> When Suricata stops working, I can see traffic on the card using tcpdump "tcpdump -nni eth0 icmp".
> 
> 
> I would appreciate any help.
> Thanks,
> 


Do you by any chance hit the swap ?

This looks strange - for 5hrs your stats seem very low..... How much traffic are you inspecting ?



> Pedro
> <statslog.txt>
> <suricata_build-info_config.txt>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net