Suricata kernel crashes since update

Started by ruggerio, July 16, 2018, 07:11:36 AM

July 16, 2018, 07:11:36 AM Last Edit: July 16, 2018, 07:16:25 AM by ruggerio
Hi,

Since the update to RC1, Suricata crashes a few minutes after restart.

The logs show a kernel crash. The Suricata log only shows its own startup.

System-Log:

Jul 15 12:21:08 kernel: [HBSD SEGVGUARD] [suricata (70918)] Suspension expired.
Jul 15 12:21:08 kernel: pid 70918 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:17:20 kernel: [HBSD SEGVGUARD] [suricata (94460)] Suspension expired.
Jul 15 12:17:20 kernel: pid 94460 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:13:23 kernel: pid 20596 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:09:30 kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (20591)] Suspension expired.
Jul 15 11:52:43 kernel: pid 11110 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 11:48:33 kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (10899)] Suspension expired.
Jul 15 02:05:40 kernel: pid 96244 (suricata), uid 0: exited on signal 6 (core dumped)

Found more information:


kernel: -> pid: 70918 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 15 12:17:20 kernel: -> pid: 94460 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>

Any hint? Or a bug?

Thx,
Roger
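The kernel messages above are the whole evidence in this post: a SEGVGUARD "Suspension expired" line followed minutes later by a signal 6 exit, repeated for several PIDs. The following is an added example (not code from the original post or from OPNsense/Suricata) that parses syslog lines of exactly that shape and flags a process that is crash-looping, so a monitoring job can raise the alarm before the dashboard is checked by hand. The log lines embedded in it are constructed to mirror the quoted ones; the year is assumed, since syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import basename

# Constructed sample in the same shape as the kernel messages quoted in the
# thread (timestamp joined to the message as syslog writes it); not real data.
SAMPLE_LOG = """\
Jul 15 11:48:33 kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (10899)] Suspension expired.
Jul 15 11:52:43 kernel: pid 11110 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:09:30 kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (20591)] Suspension expired.
Jul 15 12:13:23 kernel: pid 20596 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:17:20 kernel: [HBSD SEGVGUARD] [suricata (94460)] Suspension expired.
Jul 15 12:17:20 kernel: pid 94460 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:21:08 kernel: pid 70918 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 12:30:00 kernel: pid 555 (sshd), uid 0: exited on signal 15
"""

TS_RE = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# "pid N (name), uid U: exited on signal S (core dumped)"
EXIT_RE = re.compile(
    TS_RE + r" kernel: pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
# "[HBSD SEGVGUARD] [name (N)] Suspension expired."
SEGV_RE = re.compile(
    TS_RE + r" kernel: \[HBSD SEGVGUARD\] \[(?P<name>\S+) \((?P<pid>\d+)\)\] (?P<msg>.+)"
)


def parse_ts(stamp, year=2018):
    # syslog timestamps carry no year; the caller supplies one (assumption)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_kernel_events(text, year=2018):
    """Turn kernel exit / SEGVGUARD lines into event dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EXIT_RE.search(line)
        if m:
            events.append({
                "kind": "exit",
                "ts": parse_ts(m["ts"], year),
                "pid": int(m["pid"]),
                # the log names the binary both as "suricata" and as its full
                # path, so normalise to the basename before counting
                "name": basename(m["name"]),
                "signal": int(m["sig"]),
                "core": m["core"] is not None,
            })
            continue
        m = SEGV_RE.search(line)
        if m:
            events.append({
                "kind": "segvguard",
                "ts": parse_ts(m["ts"], year),
                "pid": int(m["pid"]),
                "name": basename(m["name"]),
                "msg": m["msg"],
            })
    return events


def find_crash_loops(events, threshold=3, window=timedelta(minutes=30)):
    """Return {name: summary} for every process with >= threshold signal exits
    inside any `window`-long span, plus how many SEGVGUARD suspensions it had."""
    exits = defaultdict(list)
    suspensions = defaultdict(int)
    for ev in events:
        if ev["kind"] == "exit":
            exits[ev["name"]].append(ev["ts"])
        else:
            suspensions[ev["name"]] += 1

    loops = {}
    for name, stamps in exits.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            j = max(j, i)
            # slide the right edge while it stays within the window of stamps[i]
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            loops[name] = {
                "exits": best,
                "first": stamps[0],
                "last": stamps[-1],
                "segvguard_suspensions": suspensions.get(name, 0),
            }
    return loops


if __name__ == "__main__":
    for name, info in find_crash_loops(parse_kernel_events(SAMPLE_LOG)).items():
        print(f"{name}: {info['exits']} signal exits between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}, {info['segvguard_suspensions']} SEGVGUARD suspensions")
```

On the sample this reports suricata with four signal exits inside the window and three SEGVGUARD suspensions, while the single sshd exit stays below the threshold. Pointing it at the live system log (for example, the output of `clog /var/log/system.log` on OPNsense 18.x, read from a pipe) turns the thread's manual diagnosis into a repeatable check.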

I reported the same thing on the 18.1.12 update.

The timing with 18.1.12 or 18.7-RC1 should be purely coincidental, as Suricata hasn't been touched in a long time in 18.1 and has no changes in 18.7 either. Tomorrow's 18.7-RC2 will, however, ship today's security release of Suricata 4.0.5, which fixes several CVEs that could be part of the crashes seen in the wild.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Quote from: crt333 on July 16, 2018, 11:33:29 PM
I reported the same thing on the 18.1.12 update.

I had the same after updating to 18.1.12 and found that changing the pattern matcher to Aho-Corasick solved the problem.

In light of people reporting the same problems, and 4.0.5 not helping while not using Hyperscan does, it's a rule pattern causing this, probably ultimately exposing a Hyperscan bug.


Cheers,
Franco
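The workaround discussed above is to stop Suricata from using Hyperscan as its multi-pattern matcher. In Suricata's own configuration that is the `mpm-algo` key in suricata.yaml (`auto` picks Hyperscan when the build has it, `hs` forces it, `ac` is Aho-Corasick). As an added example (not code from the thread or from OPNsense, which generates suricata.yaml from its GUI setting), here is a small check that reads the generated file and reports whether the running configuration can still end up on Hyperscan; the config excerpts embedded in it are constructed.

```python
import re

# Matches an active (uncommented) "mpm-algo: <value>" line; a leading "#"
# is not whitespace, so commented-out lines do not match.
MPM_RE = re.compile(r"^\s*mpm-algo\s*:\s*(?P<val>[\w-]+)", re.MULTILINE)

# Constructed excerpts in suricata.yaml shape; not real generated files.
HS_CFG = """\
default-log-dir: /var/log/suricata/
mpm-algo: hs
"""
AC_CFG = """\
default-log-dir: /var/log/suricata/
mpm-algo: ac
"""
COMMENTED_CFG = """\
default-log-dir: /var/log/suricata/
# mpm-algo: hs
"""


def mpm_algo(config_text):
    """Return the configured mpm-algo value, or None when the key is absent
    (in which case Suricata falls back to its default, 'auto')."""
    m = MPM_RE.search(config_text)
    return m["val"] if m else None


def may_use_hyperscan(config_text):
    """True when the configuration can select Hyperscan: an explicit 'hs', or
    'auto'/unset, which chooses Hyperscan on a build that includes it."""
    return mpm_algo(config_text) in (None, "auto", "hs")


def check_file(path):
    """Read a suricata.yaml and return (value, may_use_hyperscan)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return mpm_algo(text), may_use_hyperscan(text)


if __name__ == "__main__":
    # assumption: default OPNsense location of the generated file
    value, hs = check_file("/usr/local/etc/suricata/suricata.yaml")
    print(f"mpm-algo={value!r}; Hyperscan possible: {hs}")
```

The point of the `None`/`auto` handling is the edge case that bites here: a file with the key commented out looks "clean" to a grep for `hs`, yet Suricata will still pick Hyperscan on a build that has it, so only an explicit `ac` (or another non-Hyperscan matcher) actually applies the workaround.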

January 01, 2019, 06:32:02 PM #5 Last Edit: January 01, 2019, 06:48:11 PM by codera
Using OPNsense 18.7.9-amd64, and I can confirm that the same bug still exists with Hyperscan.

As I can see, even the latest version is still using Suricata 4.0.6, but the latest stable is 4.1.2.
Are there any plans to upgrade?

EDIT: as found here, the fix is to disable the "abuse.ch/URLhaus" rule:

https://forum.opnsense.org/index.php?topic=9164.30

EDIT: the fix was only temporary; Suricata still crashes:
(suricata), uid 0: exited on signal 6 (core dumped)

Can you check via CLI if the rule file is still in rules folder?