- Suricata 7.0.6
- Ubuntu 18.04
- Installed from packages
Sometimes I get this error:
suricata kernel: [481742.832871] W#01-enp3s0f0[4175]: segfault at 7f2c98faf000 ip 00007f305243e623 sp 00007f3003b42158 error 6 in libc-2.27.so[7f3052383000+1e7000]
Suricata.log does not provide any useful information about this and Suricata remains in “Exited” state until a restart is done to the service.
What can be causing this issue?
Thanks
Can you please post the suricata --build-info, because we had such a segfault but that was fixed in 7.0.6 AFAIK.
Can you reproduce it? In that case generating a coredump might be helpful to trace it down, or run it within gdb.
suricata --build-info
This is Suricata version 7.0.6 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_2
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
JA3 support: yes
JA4 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Landlock support: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.65.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.65.0
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/build/suricata-7acQVQ/suricata-7.0.6=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
I can try to reproduce it, not sure how tho…
I think I already have a coredump of this. How can I send it to you?
Compress it and add it here, unless it’s too big.
I’ve met the same problem. It’s hard to reproduce stably. The core dump is useless cuz it crashed in glibc, which is without symbols; even worse, the stack was occupied, so I can’t see the call stack trace with the bt command. And once I replaced glibc with glibc with symbols, the crash never happened again. I’ve tried glibc with symbols, the glibc debug version, the Google tcmalloc debug version, and the Suricata ASan version. All failed to reproduce.
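A triage helper for the kernel segfault line quoted in the first post, as an added example that is not part of any post in this thread or of Suricata itself: it decodes the x86 page-fault error bits and computes the instruction pointer's offset inside the mapped libc region. The function and field names are hypothetical.

```python
import re

# Low three bits of the x86 page-fault error code (printed in hex by the kernel):
# (mask, meaning when set, meaning when clear)
PF_BITS = (
    (0x1, "protection violation", "page not present"),
    (0x2, "write access", "read access"),
    (0x4, "user mode", "kernel mode"),
)

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<tid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# The line from the first post of this thread.
SAMPLE = ("suricata kernel: [481742.832871] W#01-enp3s0f0[4175]: segfault at "
          "7f2c98faf000 ip 00007f305243e623 sp 00007f3003b42158 error 6 in "
          "libc-2.27.so[7f3052383000+1e7000]")

def parse_segfault(line):
    """Return a dict describing a kernel 'segfault at' line, or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    err = int(g["err"], 16)
    info = {
        "thread": g["comm"],               # Suricata thread name (worker/iface)
        "tid": int(g["tid"]),
        "fault_addr": int(g["addr"], 16),  # address the access touched
        "ip": int(g["ip"], 16),            # faulting instruction
        "access": [s if err & bit else c for bit, s, c in PF_BITS],
        "object": g["obj"],                # mapped file containing ip, if any
        "offset": None,
    }
    if g["obj"]:
        base, size = int(g["base"], 16), int(g["size"], 16)
        off = info["ip"] - base
        # Offset is relative to the start of the mapping shown in the log.
        info["offset"] = off if 0 <= off < size else None
    return info

if __name__ == "__main__":
    r = parse_segfault(SAMPLE)
    print(r["thread"], r["object"], hex(r["offset"]), r["access"])
```

For this line the fault is a user-mode write to an unmapped page, with the instruction at offset 0xbb623 into the libc-2.27.so mapping; turning that offset into a function name still needs debug symbols for the exact libc build installed.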