Hello,
I’m currently experiencing a problem with suricata 6.0.4 and suricata 6.0.5 both built from source.
While playing this pcap (BigFlows Pcap), suricata will core.
Environment:
Linux Debian 11
Configuration of build:
./configure --enable-pie --disable-gccmarch-native --enable-gccprotect --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr --prefix=/usr --sysconfdir=/etc --localstatedir=/var
After analyzing the core, this is what I found:
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x00005555556e874b in CloseFile (file=<optimized out>, file=<optimized out>,
f=<optimized out>, f=<optimized out>, p=<optimized out>) at output-filedata.c:137
#2 0x00005555556e89f2 in OutputFiledataLogFfc (tv=tv@entry=0x555556adf000,
td=td@entry=0x7fffc10d5ff0, p=p@entry=0x7fffede84200, ffc=<optimized out>,
call_flags=8 '\b', file_close=<optimized out>, file_trunc=false, dir=8 '\b')
at output-filedata.c:218
#3 0x00005555556e8af7 in OutputFiledataLog (tv=0x555556adf000, p=0x7fffede84200,
thread_data=0x7fffc10d5ff0) at output-filedata.c:253
#4 0x00005555556e7bb4 in OutputLoggerLog (tv=tv@entry=0x555556adf000,
p=p@entry=0x7fffede84200, thread_data=<optimized out>) at output.c:882
#5 0x00005555556dc478 in FlowWorker (tv=0x555556adf000, p=0x7fffede84200, data=0x7fffcffffab0)
at flow-worker.c:563
#6 0x00005555557282a2 in TmThreadsSlotVarRun (tv=tv@entry=0x555556adf000,
p=p@entry=0x7fffede84200, slot=slot@entry=0x555556adf130) at tm-threads.c:117
#7 0x0000555555729e55 in TmThreadsSlotVar (td=0x555556adf000) at tm-threads.c:463
#8 0x00007ffff7d7cfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#9 0x00007ffff7789eff in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) frame 1
#1 0x00005555556e874b in CloseFile (file=<optimized out>, file=<optimized out>,
f=<optimized out>, f=<optimized out>, p=<optimized out>) at output-filedata.c:137
137 void *txv = AppLayerParserGetTx(p->proto, f->alproto, f->alstate, file->txid);
I’m using file-store configured like this:
  - file-store:
      version: 2
      enabled: yes
      force-filestore: yes
I have reproduced it while playing using:
suricata -c /etc/suricata/conf/suricata.yaml -r bigFlows.pcap --runmode autofp
and while playing the pcap through tirex and suricata run with:
suricata --af-packet -c /etc/suricata/conf/suricata.yaml --user=<UID> -D
with the following rule (a bit greedy, I admit):
alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
If I disable file-store, I don’t core.
I’m going to continue investigating with valgrind/helgrind to provide further analysis.