OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ruggerio on July 16, 2018, 07:11:36 am

Title: suricata Kernel crashes since update
Post by: ruggerio on July 16, 2018, 07:11:36 am
Hi,

Since the update to RC1, Suricata crashes a few minutes after restart.

The logs show a kernel crash. The Suricata log just shows its own start.

System-Log:

Jul 15 12:21:08
kernel: [HBSD SEGVGUARD] [suricata (70918)] Suspension expired.
Jul 15 12:21:08
kernel: pid 70918 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:17:20
kernel: [HBSD SEGVGUARD] [suricata (94460)] Suspension expired.
Jul 15 12:17:20
kernel: pid 94460 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:13:23
kernel: pid 20596 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:09:30
kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (20591)] Suspension expired.
Jul 15 11:52:43
kernel: pid 11110 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 11:48:33
kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (10899)] Suspension expired.
Jul 15 02:05:40
kernel: pid 96244 (suricata), uid 0: exited on signal 6 (core dumped)

Found more information:


kernel: -> pid: 70918 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 15 12:17:20
kernel: -> pid: 94460 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>

Any hint? Or a bug?

Thx,
Roger
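
Added example (not part of the original post and not OPNsense code): a small Python parser for the two-line log layout quoted above. It lists the Suricata exits on signal 6 (SIGABRT), the seconds between them, and which PIDs also have an HBSD SEGVGUARD entry. The function names are made up for this example, and the year is an assumption because the log timestamps carry none.

```python
import re
from datetime import datetime

# Sample input: a few of the log lines quoted in the post above, newest first.
SAMPLE = """\
Jul 15 12:21:08
kernel: [HBSD SEGVGUARD] [suricata (70918)] Suspension expired.
Jul 15 12:21:08
kernel: pid 70918 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:17:20
kernel: [HBSD SEGVGUARD] [suricata (94460)] Suspension expired.
Jul 15 12:17:20
kernel: pid 94460 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:13:23
kernel: pid 20596 (suricata), uid 0: exited on signal 6 (core dumped)
kernel: -> pid: 70918 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
"""

TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}$")
CRASH = re.compile(r"pid (\d+) \((\S+)\), uid \d+: exited on signal (\d+)")
GUARD = re.compile(r"\[HBSD SEGVGUARD\] \[\S+ \((\d+)\)\]")

def parse(text, year=2018):
    """Return (crashes, guarded_pids); `year` is assumed, the log has none."""
    crashes, guarded, when = [], set(), None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if TS.match(line):
            when = datetime.strptime(f"{year} {line}", "%Y %b %d %H:%M:%S")
            continue
        m = CRASH.search(line)
        if m:
            crashes.append({"time": when, "pid": int(m[1]),
                            "proc": m[2], "signal": int(m[3])})
        m = GUARD.search(line)
        if m:
            guarded.add(int(m[1]))
        when = None  # a timestamp applies only to the message right after it
    return crashes, guarded

def crash_gaps(crashes, proc="suricata", signal=6):
    """Seconds between consecutive exits of `proc` on `signal`, oldest first."""
    times = sorted(c["time"] for c in crashes
                   if c["proc"] == proc and c["signal"] == signal and c["time"])
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    crashes, guarded = parse(SAMPLE)
    print("gaps (s):", crash_gaps(crashes))
    print("crashed PIDs with SEGVGUARD entry:", sorted(guarded & {c["pid"] for c in crashes}))
```
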
Title: Re: suricata Kernel crashes since update
Post by: crt333 on July 16, 2018, 11:33:29 pm
I reported the same thing on the 18.1.12 update.
Title: Re: suricata Kernel crashes since update
Post by: franco on July 19, 2018, 12:05:55 am
The timing with 18.1.12 or 18.7-RC1 should be purely coincidental as Suricata hasn't been touched in a long time in 18.1 and has no changes in 18.7 either. Tomorrow's 18.7-RC2 will, however, ship today's security release of Suricata 4.0.5 which has several CVEs that could be part of the crashes seen in the wild.


Cheers,
Franco
Title: Re: suricata Kernel crashes since update
Post by: bob.rjk on July 19, 2018, 12:15:01 pm
I reported the same thing on the 18.1.12 update.

I had the same after updating to 18.1.12 and found that changing the Pattern matcher to Aho-Corasick solved the problem.
Title: Re: suricata Kernel crashes since update
Post by: franco on July 19, 2018, 05:36:32 pm
In light of people reporting the same problems, and 4.0.5 not helping but not using Hyperscan does, it's a rule pattern causing this, probably ultimately exposing a Hyperscan bug.


Cheers,
Franco
Title: Re: suricata Kernel crashes since update
Post by: codera on January 01, 2019, 06:32:02 pm
I am using OPNsense 18.7.9-amd64 and I can confirm that the same bug still exists with Hyperscan.

As far as I can see, even the latest version is still using Suricata 4.0.6, but the latest stable is 4.1.2.
Are there any plans to upgrade?

EDIT: As found here, the fix is to disable the "abuse.ch/URLhaus" rule:

https://forum.opnsense.org/index.php?topic=9164.30

EDIT: The fix was temporary, Suricata still crashes:
(suricata), uid 0: exited on signal 6 (core dumped)
Title: Re: suricata Kernel crashes since update
Post by: mimugmail on January 01, 2019, 07:12:04 pm
Can you check via CLI if the rule file is still in the rules folder?