Segmentation fault / Rule errors

I have been trying to implement Suricata on multiple VLANs for some time now. I've had a working version on just one network interface on another machine, but not in multi-tenancy mode.

Recently I tried getting it working again. I upgraded from v6 to v7.0, so I also remade the suricata.yaml (on another machine and then copied it to this machine; will this cause problems?) and put in multi-tenancy and other configurations.

The errors I am getting right now seem very random. Each time I run suricata -T or suricata-update I get errors in the rules, usually a seemingly random "unknown regex modifier 'x'" error or a pcre2-type error. Sometimes it ends in a "Segmentation fault", sometimes it doesn't. It differs per test.

I tried excluding rules and updating them.

This is what my last error looks like:


I am trying 2 VLANs for starters.

tenant-1.yaml example

%YAML 1.1
---

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:
    HOME_NET: "[194.171.4.128/26]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
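For readers following this thread, the tenant file above is only half of a multi-tenant setup: the main suricata.yaml also needs a multi-detect section that lists the tenants and maps VLAN IDs to them. The block below is an added illustration of that section, not the poster's configuration; the VLAN IDs 100 and 200 and the second tenant file tenant-2.yaml are assumed placeholders.

```yaml
# Added example: multi-detect section of the main suricata.yaml (not the poster's file).
# Each tenant id refers to a tenant YAML like the tenant-1.yaml shown above, and the
# mappings tie an 802.1Q VLAN ID to a tenant. VLAN IDs 100/200 and tenant-2.yaml
# are placeholders for this illustration.
multi-detect:
  enabled: yes
  selector: vlan            # "device" selects by capture interface instead
  tenants:
    - id: 1
      yaml: tenant-1.yaml
    - id: 2
      yaml: tenant-2.yaml
  mappings:
    - vlan-id: 100
      tenant-id: 1
    - vlan-id: 200
      tenant-id: 2
```

With this in place, `suricata -T -c /etc/suricata/suricata.yaml -v` loads every tenant's rule set during the configuration test, so a rule-parsing error or crash that appears only with two or more tenants listed, and disappears with a single tenant, points at the tenant handling rather than at the rules themselves.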

Hi!
Welcome to our forum! :slight_smile:
From the errors that you've posted, I don't think the errors are due to VLAN settings…
Have you also updated your rules, given you've updated Suricata?
The most reliable way to do that is with suricata-update, which would've come packaged with Suricata.

Hey Shivani, thank you for the quick reply!

I have already tried using suricata-update, but it does not seem to fix this problem. Could it be that my upgrade to 7.0 is causing problems? Maybe some local files did not upgrade to 7.0, or my rules?

I'm more inclined to think your rules are not being updated; however, I may be wrong. Could you please run suricata-update again? Use the -v option with it this time so you see which version of Suricata it finds and which version it is downloading the rules for.

We’re working on addressing multi-tenancy issues, there are several tickets:

There is also a WIP PR you might try:


It seems to find Suricata 7.0.0, which should be the version I installed:

chrisi@suricata:/var/lib/suricata/rules$ sudo suricata-update -v
9/8/2023 -- 13:33:13 - <Debug> -- This is suricata-update version 1.3.0 (rev: None); Python: 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0]
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value subcommand -> update
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value verbose -> True
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value version -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value show-advanced -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value force -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value url -> []
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value no-ignore -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value dump-sample-configs -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value etopen -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value no-reload -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value no-merge -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value offline -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value fail -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value now -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value disable -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value enable -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value modify -> False
9/8/2023 -- 13:33:13 - <Debug> -- Setting configuration value drop -> False
9/8/2023 -- 13:33:13 - <Debug> -- Found suricata at /usr/bin/suricata
9/8/2023 -- 13:33:13 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 13:33:13 - <Debug> -- Looking for /etc/suricata/disable.conf
9/8/2023 -- 13:33:13 - <Debug> -- Found /etc/suricata/disable.conf
9/8/2023 -- 13:33:13 - <Debug> -- Using /etc/suricata/disable.conf for disable-conf
9/8/2023 -- 13:33:13 - <Debug> -- Looking for /etc/suricata/enable.conf
9/8/2023 -- 13:33:13 - <Debug> -- Looking for /etc/suricata/drop.conf
9/8/2023 -- 13:33:13 - <Debug> -- Looking for /etc/suricata/modify.conf
9/8/2023 -- 13:33:13 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 13:33:13 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 13:33:13 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
9/8/2023 -- 13:33:13 - <Info> -- Loading /etc/suricata/disable.conf.
9/8/2023 -- 13:33:13 - <Info> -- Loading /etc/suricata/suricata.yaml
9/8/2023 -- 13:33:13 - <Info> -- Disabling rules for protocol pgsql
9/8/2023 -- 13:33:13 - <Info> -- Disabling rules for protocol modbus
9/8/2023 -- 13:33:13 - <Info> -- Disabling rules for protocol dnp3
9/8/2023 -- 13:33:13 - <Info> -- Disabling rules for protocol enip
9/8/2023 -- 13:33:13 - <Info> -- No sources configured, will use Emerging Threats Open
9/8/2023 -- 13:33:13 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-7.0.0/emerging.rules.tar.gz.
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
9/8/2023 -- 13:33:13 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
9/8/2023 -- 13:33:13 - <Debug> -- Parsing /usr/share/suricata/rules/app-layer-events.rules
9/8/2023 -- 13:33:13 - <Debug> -- Parsing /usr/share/suricata/rules/decoder-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/dhcp-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/dnp3-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/dns-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/files.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/http-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/ipsec-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/kerberos-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/modbus-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/nfs-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/ntp-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/smb-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/smtp-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/stream-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing /usr/share/suricata/rules/tls-events.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/3coresec.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/botcc.portgrouped.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/botcc.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/ciarmy.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/compromised.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/drop.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/dshield.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/emerging-activex.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/emerging-adware_pup.rules
9/8/2023 -- 13:33:14 - <Debug> -- Parsing rules/emerging-attack_response.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-chat.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-coinminer.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-current_events.rules
9/8/2023 -- 13:33:15 - <Info> -- Ignoring file rules/emerging-deleted.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-dns.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-dos.rules
9/8/2023 -- 13:33:15 - <Debug> -- Parsing rules/emerging-exploit.rules
9/8/2023 -- 13:33:16 - <Debug> -- Parsing rules/emerging-exploit_kit.rules
9/8/2023 -- 13:33:16 - <Debug> -- Parsing rules/emerging-ftp.rules
9/8/2023 -- 13:33:16 - <Debug> -- Parsing rules/emerging-games.rules
9/8/2023 -- 13:33:16 - <Debug> -- Parsing rules/emerging-hunting.rules
9/8/2023 -- 13:33:17 - <Debug> -- Parsing rules/emerging-icmp.rules
9/8/2023 -- 13:33:17 - <Debug> -- Parsing rules/emerging-icmp_info.rules
9/8/2023 -- 13:33:17 - <Debug> -- Parsing rules/emerging-imap.rules
9/8/2023 -- 13:33:17 - <Debug> -- Parsing rules/emerging-inappropriate.rules
9/8/2023 -- 13:33:17 - <Debug> -- Parsing rules/emerging-info.rules
9/8/2023 -- 13:33:19 - <Debug> -- Parsing rules/emerging-ja3.rules
9/8/2023 -- 13:33:19 - <Debug> -- Parsing rules/emerging-malware.rules
9/8/2023 -- 13:33:25 - <Debug> -- Parsing rules/emerging-misc.rules
9/8/2023 -- 13:33:25 - <Debug> -- Parsing rules/emerging-mobile_malware.rules
9/8/2023 -- 13:33:25 - <Debug> -- Parsing rules/emerging-netbios.rules
9/8/2023 -- 13:33:25 - <Debug> -- Parsing rules/emerging-p2p.rules
9/8/2023 -- 13:33:25 - <Debug> -- Parsing rules/emerging-phishing.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-policy.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-pop3.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-rpc.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-scada.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-scan.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-shellcode.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-smtp.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-snmp.rules
9/8/2023 -- 13:33:27 - <Debug> -- Parsing rules/emerging-sql.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-telnet.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-tftp.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-user_agents.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-voip.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-web_client.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-web_server.rules
9/8/2023 -- 13:33:28 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules
9/8/2023 -- 13:33:31 - <Debug> -- Parsing rules/emerging-worm.rules
9/8/2023 -- 13:33:31 - <Debug> -- Parsing rules/threatview_CS_c2.rules
9/8/2023 -- 13:33:31 - <Debug> -- Parsing rules/tor.rules
9/8/2023 -- 13:33:33 - <Info> -- Loaded 43880 rules.
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2270000] SURICATA DNP3 Request flood detected
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2270001] SURICATA DNP3 Length too small
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2270002] SURICATA DNP3 Bad link CRC
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2270003] SURICATA DNP3 Bad transport CRC
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2270004] SURICATA DNP3 Unknown object
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250001] SURICATA Modbus invalid Protocol version
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250002] SURICATA Modbus unsolicited response
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250003] SURICATA Modbus invalid Length
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250004] SURICATA Modbus invalid Unit Identifier
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250005] SURICATA Modbus invalid Function code
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250006] SURICATA Modbus invalid Value
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250007] SURICATA Modbus Exception code invalid
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250008] SURICATA Modbus Data mismatch
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2250009] SURICATA Modbus Request flood detected
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2037314] ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2037335] ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2037344] ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
9/8/2023 -- 13:33:33 - <Debug> -- Disabling: [1:2037346] ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
9/8/2023 -- 13:33:36 - <Debug> -- Disabling: [1:2020369] ET MALWARE Common Upatre URI/Headers Struct
9/8/2023 -- 13:33:41 - <Info> -- Disabled 19 rules.
9/8/2023 -- 13:33:41 - <Info> -- Enabled 0 rules.
9/8/2023 -- 13:33:41 - <Info> -- Modified 0 rules.
9/8/2023 -- 13:33:41 - <Info> -- Dropped 0 rules.
9/8/2023 -- 13:33:41 - <Debug> -- Checking flowbits for pass 1 of rules.
9/8/2023 -- 13:33:41 - <Debug> -- Found 270 required flowbits.
9/8/2023 -- 13:33:42 - <Debug> -- Found 131 rules to enable for flowbit requirements (pass 1)
9/8/2023 -- 13:33:42 - <Debug> -- Checking flowbits for pass 2 of rules.
9/8/2023 -- 13:33:42 - <Debug> -- Found 271 required flowbits.
9/8/2023 -- 13:33:43 - <Debug> -- Found 0 rules to enable for flowbit requirements (pass 2)
9/8/2023 -- 13:33:43 - <Debug> -- All required rules enabled.
9/8/2023 -- 13:33:43 - <Info> -- Enabled 131 rules for flowbit dependencies.
9/8/2023 -- 13:33:43 - <Info> -- Backing up current rules.
9/8/2023 -- 13:33:43 - <Debug> -- Recording existing file /var/lib/suricata/rules/suricata.rules with hash 'a3a269b46a33f11d78cf4c12c2fb4f3a'.
9/8/2023 -- 13:34:06 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 43880; enabled: 34714; added: 0; removed 0; modified: 0
9/8/2023 -- 13:34:08 - <Debug> -- Loading /etc/suricata/classification.config
9/8/2023 -- 13:34:08 - <Debug> -- Loading rules/classification.config
9/8/2023 -- 13:34:08 - <Info> -- Writing /var/lib/suricata/rules/classification.config
9/8/2023 -- 13:34:08 - <Info> -- No changes detected, exiting.

Thank you Victor, I look forward to it.

EDIT: Does this mean that when I run a single tenant I might not get this problem?

There are a bunch of different problems currently, so I'm not sure what does work. Right now I just consider multi-tenancy to be completely broken in 7.0.0. I'm working on fixing it; see the GitHub pull request. It currently "works for me". I have a simple setup with a few tenants, each mapped to a device (em3, tun0, tun1, etc.).

Alright Victor, thank you for the help. I will wait for the fix then.

EDIT: Seems like a single tenant doesn't give any errors for me now:

i: suricata: Configuration provided was successfully loaded. Exiting.

Oops. Sorry for putting you on the wrong track, Chris. I should have checked the tickets first.
Glad Victor stepped in. Thank you for asking and accepting the solution. This will help others too.

I'm currently using the 7.0.1-dev version from GitHub without any problems with multi-tenancy on multiple VLANs :+1:


That's good to hear. The issues @vjulien identified have been resolved for 7.0.x.
