[Oisf-users] Suricata 3.2 segmentation fault

Vieri rentorbuy at yahoo.com
Fri Dec 16 22:48:56 UTC 2016

----- Original Message -----
> From: Victor Julien <lists at inliniac.net>
> Can you describe the setup a bit more? Config, which rules, etc? Is the
> system using all memory or just a small portion, things like that.

I recompiled suricata with debug enabled:

# suricata --build-info
This is Suricata version 3.2 RELEASE
Features: DEBUG NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS 
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
32-bits, Little-endian architecture
GCC version 4.7.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22

Suricata Configuration:
AF_PACKET support:                       yes
PF_RING support:                         no
NFQueue support:                         yes
NFLOG support:                           no
IPFW support:                            no
Netmap support:                          no
DAG enabled:                             no
Napatech enabled:                        no

Unix socket enabled:                     yes
Detection enabled:                       yes

libnss support:                          yes
libnspr support:                         yes
libjansson support:                      yes
hiredis support:                         no
Prelude support:                         no
PCRE jit:                                no, libpcre 8.35 blacklisted
LUA support:                             yes
libluajit:                               no
libgeoip:                                no
Non-bundled htp:                         yes
Old barnyard2 support:                   no
CUDA enabled:                            no
Hyperscan support:                       no
Libnet support:                          yes

Suricatasc install:                      yes

Profiling enabled:                       no
Profiling locks enabled:                 no

Development settings:
Coccinelle / spatch:                     no
Unit tests enabled:                      no
Debug output enabled:                    yes
Debug validation enabled:                no

Generic build parameters:
Installation prefix:                     /usr
Configuration directory:                 /etc/suricata/
Log directory:                           /var/log/suricata/

--prefix                                 /usr
--sysconfdir                             /etc
--localstatedir                          /var

Host:                                    i686-pc-linux-gnu
Compiler:                                i686-pc-linux-gnu-gcc (exec name) / gcc (real)
GCC Protect enabled:                     yes
GCC march native enabled:                yes
GCC Profile enabled:                     no
Position Independent Executable enabled: no
CFLAGS                                   -ggdb -O0 -march=native
PCAP_CFLAGS                               -I/usr/include
SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

However, now I CANNOT reproduce the crash anymore.

So it could be a CFLAGS optimization issue.

I'll recompile as it was before so I can see which CFLAGS were set.

In the meantime and if it's worth anything, here's my yaml file:

%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "[10.215.144.66,10.215.144.91,10.215.144.92]"
    SMTP_SERVERS: "[10.215.144.91,10.215.144.92,10.215.144.16,10.215.144.21]"
    SQL_SERVERS: "[10.215.144.53,10.215.144.91,10.215.144.92]"
    DNS_SERVERS: "[10.215.144.91,10.215.144.92,10.215.144.35,10.215.144.31]"
    TELNET_SERVERS: "10.215.144.92,10.215.144.91"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
default-rule-path: /etc/suricata/rules
rule-files:
  - botcc.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  - emerging-imap.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-scada.rules
  - emerging-scan.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-worm.rules
  - tor.rules
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
default-log-dir: /var/log/suricata/
stats:
  enabled: yes
  interval: 8
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: no
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
        - dns:
        - tls:
        - files:
        - smtp:
        - ssh
        - stats:
        - flow
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      append: yes
  - tls-store:
      enabled: no
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes
  - stats:
      enabled: yes
      filename: stats.log
  - syslog:
      enabled: no
      facility: local5
  - drop:
      enabled: yes
      filename: drop.log
      append: yes
  - file-store:
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log
  - lua:
      enabled: no
      scripts:
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: /var/log/suricata/q0/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
pcap:
  - interface: eth0
  - interface: default
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
asn1-max-frames: 256
coredump:
  max-dump: unlimited
host-mode: auto
unix-command:
  enabled: auto
legacy:
  uricontent: enabled
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
defrag:
  memcap: 32mb
  hash-size: 65536
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
mpm-algo: auto
spm-algo: auto
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
    - receive-cpu-set:
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: avgticks
    limit: 100
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nfq:
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000
capture:
netmap:
  - interface: eth2
  - interface: default
pfring:
  - interface: eth0
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
ipfw:
napatech:
  hba: -1
  use-all-streams: yes
  streams: [1, 2, 3]
mpipe:
  load-balance: dynamic
  iqueue-packets: 2048
  inputs:
  - interface: xgbe2
  - interface: xgbe3
  - interface: xgbe4
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0
cuda:
  mpm:
    data-buffer-size-min-limit: 0
    data-buffer-size-max-limit: 1500
    cudabuffer-buffer-size: 500mb
    gpu-transfer-size: 50mb
    batching-timeout: 2000
    device-id: 0
    cuda-streams: 2

The *.rules files haven't been changed except for the fact that some "alert" actions have been replaced by "drop".


17%-25% memory for each Suricata process (there are 2, in IPS mode, on nfqueues 0 and 1).
Between 4% and 20% CPU for each process.


Vieri
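The build-info output quoted above is worth reading closely before chasing the crash: CFLAGS is "-ggdb -O0 -march=native", yet SECCFLAGS still asks for -D_FORTIFY_SOURCE=2 and the binary reports "_FORTIFY_SOURCE=0". glibc's fortification only does anything when the compiler optimizes (-O1 or higher), so a -O0 debug build has no fortify checks at all, whatever the configure flags say; that alone can change whether a memory bug aborts, crashes, or silently passes, which is one reason a segfault can "disappear" after a debug rebuild. The checker below is an added example, not code from the post or from the Suricata project. It parses the `suricata --build-info` lines quoted in the post (embedded as a constructed sample, trimmed to the lines it needs) and a second, hypothetical production-style build-info for contrast, and reports the effective hardening posture. The line labels it matches on are taken from the quoted output; the "DEBUG" feature token is the one shown there.

```python
import re

# Constructed sample: the hardening-relevant lines of the `suricata --build-info`
# output quoted in the post (other lines are ignored by the parser anyway).
DEBUG_BUILD_INFO = """\
This is Suricata version 3.2 RELEASE
Features: DEBUG NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=0
Debug output enabled:                    yes
Position Independent Executable enabled: no
CFLAGS                                   -ggdb -O0 -march=native
SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
"""

# Constructed contrast (hypothetical values, not from the post): what an
# optimized, PIE, fortified production build would report.
PROD_BUILD_INFO = """\
This is Suricata version 3.2 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
Debug output enabled:                    no
Position Independent Executable enabled: yes
CFLAGS                                   -g -O2
SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
"""

OPT_RE = re.compile(r"^-O(\d|s|g|fast)?$")
FORTIFY_DEF_RE = re.compile(r"^-D_FORTIFY_SOURCE=(\d+)$")


def parse_build_info(text):
    """Pick the hardening-relevant fields out of `suricata --build-info` text."""
    info = {"features": [], "cflags": [], "seccflags": [],
            "fortify_reported": None, "pie": None, "debug_output": None}
    for line in text.splitlines():
        if line.startswith("Features:"):
            info["features"] = line.split(":", 1)[1].split()
        elif line.startswith("CFLAGS"):
            info["cflags"] = line.split(None, 1)[1].split()
        elif line.startswith("SECCFLAGS"):
            info["seccflags"] = line.split(None, 1)[1].split()
        elif line.startswith("compiled with _FORTIFY_SOURCE="):
            info["fortify_reported"] = int(line.rsplit("=", 1)[1])
        elif line.startswith("Position Independent Executable enabled:"):
            info["pie"] = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("Debug output enabled:"):
            info["debug_output"] = line.split(":", 1)[1].strip() == "yes"
    return info


def opt_level(cflags):
    """Effective gcc optimization level: the last -O flag wins, none means -O0.
    Bare -O is -O1; -Os/-Og/-Ofast all count as optimizing for fortify purposes."""
    level = 0
    for flag in cflags:
        m = OPT_RE.match(flag)
        if m:
            v = m.group(1)
            level = 1 if v is None or not v.isdigit() else int(v)
    return level


def assess(info):
    """Derive the posture. _FORTIFY_SOURCE needs optimization to do anything,
    so at -O0 the effective fortify level is 0 regardless of what was requested."""
    requested = None
    for flag in info["seccflags"]:
        m = FORTIFY_DEF_RE.match(flag)
        if m:
            requested = int(m.group(1))
    level = opt_level(info["cflags"])
    reported = info["fortify_reported"] or 0
    effective = reported if level >= 1 else 0
    return {
        "debug_build": "DEBUG" in info["features"] or bool(info["debug_output"]),
        "opt_level": level,
        "fortify_requested": requested,
        "fortify_effective": effective,
        "fortify_degraded": requested is not None and effective < requested,
        "pie": bool(info["pie"]),
        "stack_protector": any(f.startswith("-fstack-protector") for f in info["seccflags"]),
    }


if __name__ == "__main__":
    for name, text in (("debug build from the post", DEBUG_BUILD_INFO),
                       ("hypothetical production build", PROD_BUILD_INFO)):
        print(name, assess(parse_build_info(text)))
```

Run it against a real `suricata --build-info` by feeding that output into `parse_build_info`. A "fortify_degraded" result on the host that no longer crashes is the first thing to rule out before concluding the bug is gone: rebuild with the original optimization level and -g (not -O0) so the core dump still carries symbols while the memory layout and fortify checks match production.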

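The post mentions that the only change to the ET rules files was replacing some "alert" actions with "drop". Doing that with a blanket sed over a whole file is easy to get wrong (it also flips commented-out rules, and it cannot tell you which sids it touched), so here is an added example of doing it per sid and verifying the result; it is not code from the post or from the Suricata project. It assumes one rule per line, which is how the ET files are laid out, and the sample rules embedded below are constructed for the example with sids in the local-use range, not real ET signatures. Note that a drop rule only blocks when Suricata runs inline (here: NFQ, IPS mode); in IDS mode it behaves like an alert.

```python
import re

# Constructed sample ruleset for the example (not real ET rules).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE IRC from inside"; flow:to_server; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE bad UA"; content:"EvilBot"; http_user_agent; sid:1000002; rev:2;)
#alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:1000003; rev:1;)
drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE already drop"; sid:1000004; rev:1;)
"""

# Longer reject* forms first so the alternation cannot stop at "reject".
ACTIONS = ("rejectsrc", "rejectdst", "rejectboth", "reject", "alert", "drop", "pass")
RULE_RE = re.compile(r"^(?P<action>%s)\s+(?P<rest>.+)$" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")


def rule_actions(rules_text):
    """Map sid -> action for every enabled (uncommented) rule in the text."""
    actions = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(m.group("rest")) if m else None
        if s:
            actions[int(s.group("sid"))] = m.group("action")
    return actions


def set_rule_action(rules_text, sids, action="drop"):
    """Rewrite the action of the enabled rules whose sid is in `sids`.

    Returns (new_text, applied, skipped): `applied` is the set of sids that now
    carry `action`, `skipped` the requested sids that were not found as enabled
    rules (missing, or commented out). Commented-out rules are left alone so a
    disabled signature is never silently re-enabled as a drop.
    """
    wanted = {int(s) for s in sids}
    applied, out = set(), []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(m.group("rest")) if m else None
        if s and int(s.group("sid")) in wanted:
            applied.add(int(s.group("sid")))
            if m.group("action") != action:
                line = action + " " + m.group("rest")
        out.append(line)
    return "\n".join(out) + "\n", applied, wanted - applied


if __name__ == "__main__":
    new_text, applied, skipped = set_rule_action(SAMPLE_RULES, [1000001, 1000003, 1000004, 1000099])
    print("now drop:", sorted(applied), "not found/enabled:", sorted(skipped))
    print(rule_actions(new_text))
```

Keep the list of sids you flipped (the `applied` set) next to the rule update job: when the ruleset is refreshed, re-run the function over the new files and diff `rule_actions` before and after, which is also the quickest way to prove to a reviewer that nothing beyond those sids changed.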