[Oisf-users] on upgrade to suricata 3.0 illegal instruction message

Jason Taylor jtfas90 at gmail.com
Tue Feb 23 14:52:39 UTC 2016

Hi All,

We have successfully migrated 3.0RCx boxes to 3.0 (via rpm) and we are
using the rpm on new deployments with no issues.

That being said, when we are upgrading sensors from 2.1beta3 to 3.0GA
we are running into the following:

suricata -c /etc/nsm/testsense/suricata.yaml --af-packet=bond0
23/2/2016 -- 14:42:00 - <Notice> - This is Suricata version 3.0 RELEASE
23/2/2016 -- 14:42:00 - <Info> - CPUs/cores online: 40
Illegal instruction

gdb reveals:
Program received signal SIGILL, Illegal instruction.
0x0000555555585a56 in HTPRegisterPatternsForProtocolDetection () at
2729                        ALPROTO_HTTP, method_buffer,
strlen(method_buffer)-3, 0, STREAM_TOSERVER);

from app-layer-htp.c:2729
            register_result =
                    ALPROTO_HTTP, method_buffer,
strlen(method_buffer)-3, 0, STREAM_TOSERVER);
            if (register_result < 0) {
                return -1;

The spec file that builds the 3.0 rpm does the following:

%configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}
--localstatedir=%{_localstatedir} --enable-af-packet
--enable-gccprotect --enable-unix-socket --enable-pie

make %{?_smp_mflags}

make DESTDIR="%{buildroot}" "bindir=%{_sbindir}" install

$(which suricata) -V
This is Suricata version 3.0 RELEASE

$ ldd $(which suricata)
    linux-vdso.so.1 =>  (0x00007fff7c73a000)
    libhtp-0.5.18.so.1 => /lib64/libhtp-0.5.18.so.1 (0x00007f95dc9ba000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f95dc7a4000)
    libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f95dc587000)
    libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f95dc382000)
    libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f95dc141000)
    libnet.so.1 => /lib64/libnet.so.1 (0x00007f95dbf26000)
    libjansson.so.4 => /lib64/libjansson.so.4 (0x00007f95dbd1a000)
    libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f95dbafa000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f95db898000)
    libssl3.so => /lib64/libssl3.so (0x00007f95db65a000)
    libsmime3.so => /lib64/libsmime3.so (0x00007f95db433000)
    libnss3.so => /lib64/libnss3.so (0x00007f95db10d000)
    libnssutil3.so => /lib64/libnssutil3.so (0x00007f95daee1000)
    libplds4.so => /lib64/libplds4.so (0x00007f95dacdd000)
    libplc4.so => /lib64/libplc4.so (0x00007f95daad7000)
    libnspr4.so => /lib64/libnspr4.so (0x00007f95da899000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f95da67d000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f95da478000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f95da0b7000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f95dd058000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f95d9eae000)

the upgrade process has so far been:
- suricata processes are all stopped
- make uninstall is run from the original source version suricata installed
- yum install suricata 3.0 rpm

thanks in advance for any help.


More information about the Oisf-users mailing list