[Oisf-users] Crash for illegal instruction

tidy at holonetsecurity.com tidy at holonetsecurity.com
Wed May 3 05:07:27 UTC 2017


Vito,
	Thanks. I knew these two hosts' instruction sets have some differences. By my understanding, Suricata provides a feature to disable gcc -march=native; it should hide these differences if I disable march native, but it doesn't work at all for me. Hyperscan provides a solution to avoid instruction set differences; not sure if Suricata can hide it from the developer.

	Would like to know if there is any solution.

Thanks.
-Tidy


> On May 2, 2017, at 7:54 PM, vpiserchia at gmail.com wrote:
> 
> 
> Hello,
> 
> I have seen this problem already using a virtualized buildhost.
> I suggest you check the availability of the instruction set used on the VM (Host A) and the one on the target machine (Host B).
> 
> For example on Host A:
> 
> gcc -march=native -Q --help=target | grep enabled
> 
> On host B:
> 
> grep flags  /proc/cpuinfo
> 
> In this way you should be able to figure out where the mismatch is.
> 
> regards
> vito
> 
> On 05/02/2017 10:14 AM, tidy at holonetsecurity.com wrote:
>> Yes, I have disabled the option and you can find that from my build-info; the binary libhtp has no diff on both hosts.
>> 
>>>> GCC march native enabled:                no
>> 
>> 
>>>> compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23
>> 
>> 	Double-checked by running the whole steps again and got the same coredump.
>> 
>> -Tidy
>> 
>> 
>>> On May 2, 2017, at 3:53 PM, Jozef Mlich <jozef.mlich at greycortex.com> wrote:
>>> 
>>> On Tue, 2017-05-02 at 15:38 +0800, tidy at holonetsecurity.com wrote:
>>> 
>>> Use "./configure --disable-gccmarch-native" if you are building on
>>> another host.
>>> 
>>> I can see that you are using --enable-non-bundled-htp. Make sure that
>>> you are using the same version of libhtp.
>>> 
>>>> Oddly, I've built in physical host A and then run in another host
>>>> B; it crashed when run in host B. Anybody know what's
>>>> 
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>> Core was generated by `./suricata -c /etc/suricata/suricata.yaml -i
>>>> eth0'.
>>>> Program terminated with signal 4, Illegal instruction.
>>>> #0  0x00000000004500d6 in HTPRegisterPatternsForProtocolDetection ()
>>>> at app-layer-htp.c:2741
>>>> 2741	app-layer-htp.c: No such file or directory.
>>>> 
>>>> [root@ ~]# ./suricata --build-info
>>>> This is Suricata version 3.2dev
>>>> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
>>>> HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT
>>>> HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC 
>>>> SIMD support: none
>>>> Atomic intrisics: 1 2 4 8 byte(s)
>>>> 64-bits, Little-endian architecture
>>>> GCC version 4.8.5 20150623 (Red Hat 4.8.5-11), C version 199901
>>>> compiled with _FORTIFY_SOURCE=0
>>>> L1 cache line size (CLS)=64
>>>> thread local storage method: __thread
>>>> compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23
>>>> 
>>>> Suricata Configuration:
>>>>  AF_PACKET support:                       yes
>>>>  PF_RING support:                         no
>>>>  NFQueue support:                         no
>>>>  NFLOG support:                           no
>>>>  IPFW support:                            no
>>>>  Netmap support:                          no
>>>>  DAG enabled:                             no
>>>>  Napatech enabled:                        no
>>>> 
>>>>  Unix socket enabled:                     yes
>>>>  Detection enabled:                       yes
>>>> 
>>>>  Libmagic support:                        yes
>>>>  libnss support:                          yes
>>>>  libnspr support:                         yes
>>>>  libjansson support:                      yes
>>>>  hiredis support:                         yes
>>>>  Prelude support:                         no
>>>>  PCRE jit:                                yes
>>>>  LUA support:                             yes
>>>>  libluajit:                               no
>>>>  libgeoip:                                no
>>>>  Non-bundled htp:                         yes
>>>>  Old barnyard2 support:                   no
>>>>  CUDA enabled:                            no
>>>>  Hyperscan support:                       yes
>>>>  Libnet support:                          no
>>>> 
>>>>  Suricatasc install:                      yes
>>>> 
>>>>  Profiling enabled:                       no
>>>>  Profiling locks enabled:                 no
>>>> 
>>>> Development settings:
>>>>  Coccinelle / spatch:                     no
>>>>  Unit tests enabled:                      no
>>>>  Debug output enabled:                    no
>>>>  Debug validation enabled:                no
>>>> 
>>>> Generic build parameters:
>>>>  Installation prefix:                     /usr/local/
>>>>  Configuration directory:                 /usr/local/etc/suricata/
>>>>  Log directory:                          
>>>> /usr/local/var/log/suricata/
>>>> 
>>>>  --prefix                                 /usr/local/
>>>>  --sysconfdir                             /usr/local/etc
>>>>  --localstatedir                          /usr/local/var
>>>> 
>>>>  Host:                                    x86_64-unknown-linux-gnu
>>>>  Compiler:                                gcc (exec name) / gcc
>>>> (real)
>>>>  GCC Protect enabled:                     no
>>>>  GCC march native enabled:                no
>>>>  GCC Profile enabled:                     no
>>>>  Position Independent Executable enabled: no
>>>>  CFLAGS                                   -g -O2
>>>>  PCAP_CFLAGS                               -I/usr/local/deps/include
>>>>  SECCFLAGS                                
>>>> 
>>>> 
>>>> Thanks,
>>>> -Tidy
>>>> 
>>>>> On Apr 22, 2017, at 6:27 AM, Tom DeCanio <decanio.tom at gmail.com>
>>>>> wrote:
>>>>> 
>>>>> I've seen illegal instruction crashes in the pcre library on some
>>>>> VMs.  This sounds similar to your description.
>>>>> 
>>>> 
>>>> 
>>> -- 
>>> Jozef Mlich <jozef.mlich at greycortex.com>
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
> 
> 
> -- 
> Vito Piserchia
> Security and Software Engineer
> 
> 🖂: vito (dot) piserchia (at) dreamlab (dot) net
> 🔒: 4915 8835 2C18 9CAE F14F 2314 613D 51C5 106B 83EA
> 🕾: +41 31 398 66 66
> 🖷: +41 31 398 66 69
> -----------------------------------------
> 
> DreamLab Technologies AG
> Monbijoustrasse 36
> 3011 Bern, Switzerland
> 
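Vito's build-host versus target-host comparison, written out as an added example that is not part of this thread: a POSIX sh function that takes the build host's `gcc -march=native -Q --help=target | grep enabled` output and the target's /proc/cpuinfo `flags` line and lists the extensions the target CPU lacks. The gcc-option-to-cpuinfo-flag table and the two sample inputs are constructed here, not taken from the list.

```shell
#!/bin/sh
# Added example, not from the thread: list the instruction-set extensions that
# gcc -march=native enabled on the build host but the target CPU does not
# report in /proc/cpuinfo. Any such extension can cause SIGILL (signal 4).

# gcc option name -> /proc/cpuinfo flag name. Constructed subset of the
# extensions -march=native can switch on; extend as needed.
ISA_MAP="mmx:mmx sse:sse sse2:sse2 sse3:pni ssse3:ssse3 sse4.1:sse4_1 \
sse4.2:sse4_2 popcnt:popcnt aes:aes pclmul:pclmulqdq avx:avx avx2:avx2 \
fma:fma bmi:bmi1 bmi2:bmi2 f16c:f16c movbe:movbe lzcnt:abm rdrnd:rdrand \
adx:adx avx512f:avx512f"

# $1: output of `gcc -march=native -Q --help=target | grep enabled` (build host)
# $2: the `flags` line of /proc/cpuinfo on the target host
# Prints the cpuinfo flag names the target lacks, one per line.
missing_isa() {
    build="$1"; target="$2"
    for pair in $ISA_MAP; do
        gccopt="${pair%%:*}"; cpuflag="${pair##*:}"
        # gcc prints lines like "  -mavx2                     [enabled]"
        if printf '%s\n' "$build" |
           grep -Eq -- "^[[:space:]]*-m${gccopt}[[:space:]]+\[enabled\]"; then
            # cpuinfo flags are space separated; match the whole token
            if ! printf '%s\n' "$target" |
                 grep -Eq -- "(^|[[:space:]])${cpuflag}([[:space:]]|\$)"; then
                printf '%s\n' "$cpuflag"
            fi
        fi
    done
}

# Constructed sample inputs: an AVX2-capable build host and an older
# (SSE4.2-only) target such as a VM without AVX passthrough.
BUILD_SAMPLE='  -maes                       [enabled]
  -mavx                       [enabled]
  -mavx2                      [enabled]
  -mbmi2                      [enabled]
  -mpclmul                    [enabled]
  -msse4.2                    [enabled]
  -mtls-direct-seg-refs       [enabled]'
TARGET_SAMPLE='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes hypervisor lahf_lm'

# Real use: missing_isa "$(cat build_host_flags.txt)" "$(grep -m1 flags /proc/cpuinfo)"
if [ $# -eq 2 ]; then
    missing_isa "$(cat "$1")" "$(cat "$2")"
else
    missing_isa "$BUILD_SAMPLE" "$TARGET_SAMPLE"
fi
```

With the constructed samples the function reports pclmulqdq, avx, avx2 and bmi2 as missing; an empty result means the build host's enabled extensions are all present on the target.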