[Oisf-users] Crash in 4.0.5 when receiving packets

Serge Malev smalev at hotmail.com
Fri Aug 3 01:19:29 UTC 2018


I am running in IDS mode. OS version still 14.04.

It started yesterday (2 Aug) after running "soup".

This is the update log starting from yesterday:

/var/log# cat dpkg.log
2018-08-02 00:01:31 startup archives unpack
2018-08-02 00:01:34 upgrade libjansson4:amd64 2.5-2 2.5-2ubuntu0.1
2018-08-02 00:01:34 status half-configured libjansson4:amd64 2.5-2
2018-08-02 00:01:34 status unpacked libjansson4:amd64 2.5-2
2018-08-02 00:01:34 status half-installed libjansson4:amd64 2.5-2
2018-08-02 00:01:34 status half-installed libjansson4:amd64 2.5-2
2018-08-02 00:01:34 status unpacked libjansson4:amd64 2.5-2ubuntu0.1
2018-08-02 00:01:34 status unpacked libjansson4:amd64 2.5-2ubuntu0.1
2018-08-02 00:01:35 startup packages configure
2018-08-02 00:01:35 configure libjansson4:amd64 2.5-2ubuntu0.1 <none>
2018-08-02 00:01:35 status unpacked libjansson4:amd64 2.5-2ubuntu0.1
2018-08-02 00:01:35 status half-configured libjansson4:amd64 2.5-2ubuntu0.1
2018-08-02 00:01:35 status installed libjansson4:amd64 2.5-2ubuntu0.1
2018-08-02 00:01:35 status triggers-pending libc-bin:amd64 2.19-0ubuntu6.14
2018-08-02 00:01:35 trigproc libc-bin:amd64 2.19-0ubuntu6.14 <none>
2018-08-02 00:01:35 status half-configured libc-bin:amd64 2.19-0ubuntu6.14
2018-08-02 00:01:35 status installed libc-bin:amd64 2.19-0ubuntu6.14
2018-08-03 00:09:48 startup archives unpack
2018-08-03 00:09:51 upgrade libjansson4:amd64 2.5-2ubuntu0.1 2.5-2ubuntu0.2
2018-08-03 00:09:51 status half-configured libjansson4:amd64 2.5-2ubuntu0.1
2018-08-03 00:09:51 status unpacked libjansson4:amd64 2.5-2ubuntu0.1
2018-08-03 00:09:51 status half-installed libjansson4:amd64 2.5-2ubuntu0.1
2018-08-03 00:09:51 status half-installed libjansson4:amd64 2.5-2ubuntu0.1
2018-08-03 00:09:51 status unpacked libjansson4:amd64 2.5-2ubuntu0.2
2018-08-03 00:09:51 status unpacked libjansson4:amd64 2.5-2ubuntu0.2
2018-08-03 00:09:51 startup packages configure
2018-08-03 00:09:51 configure libjansson4:amd64 2.5-2ubuntu0.2 <none>
2018-08-03 00:09:51 status unpacked libjansson4:amd64 2.5-2ubuntu0.2
2018-08-03 00:09:51 status half-configured libjansson4:amd64 2.5-2ubuntu0.2
2018-08-03 00:09:51 status installed libjansson4:amd64 2.5-2ubuntu0.2
2018-08-03 00:09:51 status triggers-pending libc-bin:amd64 2.19-0ubuntu6.14
2018-08-03 00:09:52 trigproc libc-bin:amd64 2.19-0ubuntu6.14 <none>
2018-08-03 00:09:52 status half-configured libc-bin:amd64 2.19-0ubuntu6.14
2018-08-03 00:09:52 status installed libc-bin:amd64 2.19-0ubuntu6.14



________________________________
From: Peter Manev <petermanev at gmail.com>
Sent: Friday, August 3, 2018 11:04 AM
To: Serge Malev
Cc: Peter Fyon; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Crash in 4.0.5 when receiving packets



On 3 Aug 2018, at 01:26, Serge Malev <smalev at hotmail.com> wrote:


I am having the same problem. Suricata tries to restart every 5 minutes and crashes with the same error.


Hi,

Are you using IDS or IPS mode?

Thank you




________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Peter Fyon <peter.fyon at gmail.com>
Sent: Friday, August 3, 2018 8:56 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Crash in 4.0.5 when receiving packets

Hey suricata users,

I upgraded suricata from 4.0.4 to 4.0.5 using the ppa last night and now suricata crashes when it (presumably) receives its first packet. I say presumably because if I physically bypass suricata, it doesn't crash. When I put it back inline, it crashes.

When I start it with:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv

It dies and spits the following to stdout:
suricata: dump.c:337: do_dump: Assertion `value' failed.

Nothing has changed in my config between 4.0.4 and 4.0.5.

Peter
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/