18.1.12 suricata crash

[crt333]

After the latest update suricata is crashing. The dashboard shows that the memory use grows up to about double what it used in 18.1.11 and then it dies. The log shows:

Jul 15 16:23:42   kernel: pid 532 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 16:20:19   kernel: -> pid: 300 ppid: 97610 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 15 16:20:19   kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (300)] Suspension expired.

hardware is a quotom q355g4, using openssl.

restarting it the memory slowly increases and then it crashes again.

[johan]

I see this too, exact same behavior. Other hardware though, Supermicro x10sba J1900.

[mimugmail]

Do you have all rules enabled? Also the app-detect rules?

Can you give us some logs from suricata.log

[crt333]

All abuse and ET Open rules enabled.

OPNsense-App-detect/test enabled, other App-detect disabled.

I'd be happy to give you the log file, but don't know how to get it. Can it be accessed from the GUI?

[GOCE]

Same here on both HA firewalls after update to 18.1.12.

[mimugmail]

Do you have URL haus from abuse enabled? There are two rule errors. Please disable for testing.

[crt333]

URL haus from abuse was enabled, so I disabled and tried again. Same as before, memory use grows beyond the 1.1GB it used to use up to around 2.3GB, then drops down when suricata dies.

I rebooted and tried again, same results.

I disabled IPS and just ran IDS, same result, dies after a couple of minutes.

[ruggerio]

Have reinstalled suricata and downloaded again all rules. After that, the following message occurs

Jul 17 15:09:44    suricata: [100271] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kor/kapkap5.yarn"; http_uri; depth:17; isdataat:!1,relative; content:"bcxvjwqhewqe.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 19366

1st my pulse was on 200 (wtf, malware), until i saw i must be the mentionned false rule

hope this helps.

[ruggerio]

what i can confirm after disabling url haus, is that suricata started working againg. I will monitor and post, if it breaks again.

[JohnnyBeee]

I have the same problem.

I have deactivated url.haus entirely, but this did not help.
I still get kernel: pid 5613 (suricata), uid 0: exited on signal 6 (core dumped)
I don't think that a rule is the culprit because, when I check the Intrusion detection log, I do not even see the usual message
suricata: [100137] <Notice> -- rule reload starting
All i get now is thie message and then I see the crash in the system log.
    suricata: [100180] <Notice> -- This is Suricata version 4.0.4 RELEASE

The memory usage peaks at 50% on suricata start.
Restarting the firewall did not help. I have a APU.2C4.

The problem started 3 days ago, not sure what triggered it. I never had it before 18.1.11, that I know.

Please help.

[ruggerio]

I reinstalled Suricata und downloaded the rules again. Disabled URL-Haus, this made it working for me.

The Thing is, that i never saw any Action from suricata except the start in the logs. Reinstalling fixed it for me.

Roger

[mimugmail]

Can you disable all rules for testing?

[JohnnyBeee]

It would seem that Pattern matcher "Hyperscan" is the culprit.
When I switch to "Aho-Corasick" Suricata starts. Performance is way lower than with Hyperscan though.

Note that the messages
suricata: [100185] <Notice> -- rule reload starting
suricata: [100185] <Notice> -- rule reload complete
still no longer show as of 18.1.11

How can I get this fixed to get Hyperscan to work again?

[JohnnyBeee]

Can you disable all rules for testing?

Thank you for your help.

I have deactivated all the rules and switched back to Hyperscan and Suricata still crashes.
Note that the memory usage, with all the rules discabled, still peaks at about 50% during Suricata startup, then drops to about 20%.

[JohnnyBeee]

I reinstalled Suricata und downloaded the rules again. Disabled URL-Haus, this made it working for me.

The Thing is, that i never saw any Action from suricata except the start in the logs. Reinstalling fixed it for me.

Roger

Thanks for your help.

Please forgive my ignorance, but  how do I reinstall Suricata?

Thanks.