[Oisf-users] Suffering Simultaneous Suricata Segfaults
Victor Julien
lists at inliniac.net
Thu Sep 27 05:22:58 UTC 2018
On 26-09-18 18:55, Cloherty, Sean E wrote:
> I was troubleshooting instances of Suricata being down on multiple hosts
> and I found that 2 production hosts running 4.04 and 2 test hosts
> running 4.05 and 4.1rc1 faulted at roughly the same time. Strangely, 2
> additional production hosts running 4.04 on duplicate hardware have not
> had any issues to date. Below is the outline of what I’ve been able to
> put together this morning.
>
>
Did any of the instances dump a core file you can inspect?
Another way to get more info based on the lines you posted is described
here:
https://stackoverflow.com/questions/2549214/interpreting-segfault-messages
Could you try to see if you can get more info about where in the code
the crash happens?
>
> What is the same across all platforms faulting or not:
>
> All use tpacket v3 & AF-PACKET
> All use workers mode
> All are in IDS mode
> All ingest traffic from Gigamon taps
> All are running CentOS 7.5 64bit
> All use Intel(R) 10GbE PCI Express Linux Network Driver 5.3.7
> All use Intel Corporation 82599ES 10-Gigabit SFI/SFP+
>
> What is different:
>
> NO FAULT: #zero-copy-size: 128
> FAULT: zero-copy-size: 128
This option is no longer used by any of the versions you are using.
> NO FAULT:
> prio:
> # low: [ 0 ]
> # medium: [ "1-2" ]
> # high: [ 3 ]
> default: "high"
>
> FAULT:
> prio:
> low: [ 0 ]
> medium: [ "1-2" ]
> high: [ 3 ]
> default: "high"
Would be weird if this did anything.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
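
The approach behind the linked Stack Overflow page, as an added example that is not part of the original message: parse a kernel "segfault at" line, decode the x86 page-fault error bits, and compute the offset of the faulting instruction inside the mapped object for use with a symbolizer such as addr2line. The sample lines are constructed, not taken from this thread, and the regex assumes the older kernel format `object[base+size]`.

```python
import re

# x86 kernel log format assumed here:
#   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    parts = [
        "protection violation" if code & 0x1 else "page not present",
        "write" if code & 0x2 else "read",
        "user mode" if code & 0x4 else "kernel mode",
    ]
    if code & 0x8:
        parts.append("reserved bit set in page table")
    if code & 0x10:
        parts.append("instruction fetch")
    return parts

def parse_segfault(line):
    """Return the fields of one segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    ip = int(m["ip"], 16)
    info = {"comm": m["comm"], "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16), "ip": ip,
            "error": decode_error(int(m["err"], 16)),
            "object": m["obj"], "offset": None}
    if m["base"] is not None:
        # Assumes the printed mapping starts at the object's load base. For a
        # shared library or PIE binary this offset is what addr2line takes;
        # for a non-PIE executable use the absolute ip instead.
        info["offset"] = ip - int(m["base"], 16)
    return info

# Constructed sample lines (hypothetical values).
SAMPLES = [
    "Sep 26 09:14:02 host kernel: W#01-eth2[4211]: segfault at 0 ip 00007f3a5c0d2b41 sp 00007f3a3bffe6d0 error 4 in libc-2.17.so[7f3a5c050000+1c3000]",
    "suricata[977]: segfault at 7f10deadb000 ip 000000000051c2f3 sp 00007ffc1a2b3c40 error 6 in suricata[400000+2f1000]",
]

if __name__ == "__main__":
    for r in map(parse_segfault, SAMPLES):
        print(r["comm"], r["object"], hex(r["offset"]), ", ".join(r["error"]))
```

With debug symbols installed, the printed offset (or the absolute ip for a non-PIE binary) can be passed to `addr2line -f -e <object> <address>` to get the function and source line.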