18.1.12 suricata crash

Started by crt333, July 16, 2018, 12:28:51 AM

After the latest update suricata is crashing. The dashboard shows that the memory use grows up to about double what it used in 18.1.11 and then it dies. The log shows:

Jul 15 16:23:42   kernel: pid 532 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 16:20:19   kernel: -> pid: 300 ppid: 97610 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 15 16:20:19   kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (300)] Suspension expired.

Hardware is a Qotom Q355G4, using OpenSSL.

After restarting it, the memory slowly increases and then it crashes again.

I see this too, exact same behavior. Other hardware though: a Supermicro X10SBA (J1900).

Do you have all rules enabled? Also the app-detect rules?

Can you give us some logs from suricata.log?

All abuse and ET Open rules enabled.

OPNsense-App-detect/test enabled, other App-detect disabled.

I'd be happy to give you the log file, but don't know how to get it. Can it be accessed from the GUI?

Same here on both HA firewalls after update to 18.1.12.

Do you have URLhaus from abuse.ch enabled? There are two rule errors. Please disable it for testing.

URLhaus from abuse.ch was enabled, so I disabled it and tried again. Same as before: memory use grows beyond the 1.1 GB it used to use, up to around 2.3 GB, then drops when Suricata dies.

I rebooted and tried again, same results.

I disabled IPS and just ran IDS, same result, dies after a couple of minutes.

I have reinstalled Suricata and downloaded all rules again. After that, the following message occurs:

Jul 17 15:09:44    suricata: [100271] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kor/kapkap5.yarn"; http_uri; depth:17; isdataat:!1,relative; content:"bcxvjwqhewqe.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 19366

At first my pulse was at 200 (wtf, malware), until I saw it must be the mentioned broken rule :) :)

Hope this helps.

What I can confirm is that after disabling URLhaus, Suricata started working again. I will monitor and post if it breaks again.
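The parse error quoted above comes from a signature whose option block is cut off right after `metadata:created_at "`: the closing quote and the closing parenthesis never arrive, so Suricata rejects the rule at line 19366 of the feed. The linter below is an added example for this thread (it is not code from OPNsense, Suricata or any poster); it walks a rules file and reports exactly that shape of damage (unbalanced quotes, option block never closed, options not terminated with `;`) with the offending line number, so a broken feed can be identified before the rule set is handed to the daemon. The sample feed is constructed, apart from the truncated URLhaus line, which is the one from the error message; the regular expression and the checks are this example's own, not Suricata's parser.

```python
"""Lint Suricata rule files for truncated or malformed signatures.

Added example for this forum thread; not code from OPNsense or Suricata.
It flags rules whose option block is cut off, the shape of damage behind
the SC_ERR_INVALID_SIGNATURE error quoted above.
"""
import re
import sys

# Rule header: action proto src sport dir dst dport, then the option block
# in parentheses. Greedy .* plus the anchored ')' means a rule whose option
# block never closes will not match and is handled separately below.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)


def check_options(opts):
    """Return a list of structural problems found in one option block.

    Walks the text character by character so that ';' inside a quoted
    value (msg, content, pcre) is not taken as a separator and a
    backslash-escaped quote does not toggle the quoting state.
    """
    problems = []
    in_quote = False
    escaped = False
    ends_with_sep = True  # the start of the block counts as "after a ';'"
    for ch in opts:
        if escaped:
            escaped = False
            continue
        if ch == "\\":
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
            ends_with_sep = False
        elif ch == ";" and not in_quote:
            ends_with_sep = True
        elif not ch.isspace():
            ends_with_sep = False
    if in_quote:
        problems.append("unterminated quoted string in options")
    elif not ends_with_sep:
        problems.append("options do not end with ';'")
    return problems


def lint_rules(text):
    """Return [(line_no, problem), ...] for every malformed rule in text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            opts = m.group("opts")
        else:
            # Header did not parse: either the option block never closed
            # (feed cut off mid-rule) or the header itself is unusable.
            _head, paren, opts = line.partition("(")
            if not paren:
                findings.append((line_no, "no option block '(...)' found"))
                continue
            if line.endswith(")"):
                findings.append((line_no, "unrecognised rule header"))
                opts = opts[:-1]
            else:
                findings.append((line_no, "missing closing ')' (truncated rule?)"))
        for problem in check_options(opts):
            findings.append((line_no, problem))
    return findings


# Constructed sample feed: two well-formed rules, then the truncated URLhaus
# signature from the error message in this thread (the feed ends right after
# `metadata:created_at "`, so its option block never closes).
SAMPLE_RULES = r'''
# comment line, ignored
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Semicolon; and \"quotes\" inside one value"; content:"a|3b|b"; http_uri; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Constructed SSH drop"; flow:to_server; sid:1000002; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kor/kapkap5.yarn"; http_uri; depth:17; isdataat:!1,relative; content:"bcxvjwqhewqe.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at "
'''


def main(argv):
    """Lint the rule files named on the command line, or the sample if none."""
    if len(argv) > 1:
        sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv[1:]]
    else:
        sources = [("<sample>", SAMPLE_RULES)]
    total = 0
    for name, text in sources:
        for line_no, problem in lint_rules(text):
            print(f"{name}:{line_no}: {problem}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python lint_rules.py /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules` (path as quoted in the error above) to get the broken line numbers without restarting the daemon; the authoritative check remains Suricata's own test mode, `suricata -T -c /usr/local/etc/suricata/suricata.yaml`, which loads the configured rule set and exits with the same parse errors the log shows.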

I have the same problem.

I have deactivated URLhaus entirely, but this did not help.
I still get: kernel: pid 5613 (suricata), uid 0: exited on signal 6 (core dumped)
I don't think that a rule is the culprit, because when I check the intrusion detection log I do not even see the usual message
suricata: [100137] <Notice> -- rule reload starting
All I get now is this message, and then I see the crash in the system log.
suricata: [100180] <Notice> -- This is Suricata version 4.0.4 RELEASE

The memory usage peaks at 50% on suricata start.
Restarting the firewall did not help. I have an APU.2C4.

The problem started 3 days ago, not sure what triggered it. I never had it before 18.1.11, that I know.

Please help.

I reinstalled Suricata and downloaded the rules again. Disabled URLhaus; this made it work for me.

The thing is that I never saw any action from Suricata except the start in the logs. Reinstalling fixed it for me.

Roger


July 18, 2018, 04:17:23 PM #12 Last Edit: July 18, 2018, 04:20:04 PM by JohnnyBeee
It would seem that the pattern matcher "Hyperscan" is the culprit.
When I switch to "Aho-Corasick", Suricata starts. Performance is way lower than with Hyperscan, though.

Note that the messages
suricata: [100185] <Notice> -- rule reload starting
suricata: [100185] <Notice> -- rule reload complete
no longer show as of 18.1.11.

How can I get this fixed to get Hyperscan to work again?

Quote from: mimugmail on July 18, 2018, 04:16:32 PM
Can you disable all rules for testing?

Thank you for your help.

I have deactivated all the rules and switched back to Hyperscan, and Suricata still crashes.
Note that the memory usage, with all the rules disabled, still peaks at about 50% during Suricata startup, then drops to about 20%.

Quote from: ruggerio on July 18, 2018, 04:13:28 PM
I reinstalled Suricata and downloaded the rules again. Disabled URLhaus; this made it work for me.

The thing is that I never saw any action from Suricata except the start in the logs. Reinstalling fixed it for me.

Roger

Thanks for your help.

Please forgive my ignorance, but how do I reinstall Suricata?

Thanks.