Hi, I am currently running Suricata version “7.0.0-beta1 RELEASE” in AF_Packet IPS mode.
I have modified a few params in the yaml file, with which 3 gig traffic works fine, whereas when the traffic rate is increased to 3.5 gig it causes a segmentation fault.
[490503.484689] W#03-enp1s0f1[91347]: segfault at 28 ip 0000558940f873e3 sp 00007fcd309ccd40 error 4 in suricata[558940e4a000+5b9000]
[490503.484728] Code: ff ff ff 00 00 4c 0f 45 60 18 4d 21 e5 4d 85 e4 0f 88 01 05 00 00 8b 4c 24 6c 8b 74 24 54 48 89 da 8b 7c 24 68 e8 cd 6f f0 ff <48> 8b 55 28 48 85 d2 0f 84 70 0b 00 00 48 03 94 24 98 00 00 00 48
The system has 16 cores, out of which 4/8 threads are dedicated to Suricata.
yaml config:
af-packet:
  - interface: enp1s0f0
    threads: 4
    cluster-id: 99
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    ring-size: 100000
    copy-mode: ips
    copy-iface: enp1s0f1
  - interface: enp1s0f1
    threads: 4
    cluster-type: cluster_qm
    cluster-id: 98
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    ring-size: 100000
    copy-mode: ips
    copy-iface: enp1s0f0
max-pending-packets: 32768
runmode: workers
flow:
  memcap: 4gb
  hash-size: 256072
  prealloc: 300000
  emergency-recovery: 30
stream:
  memcap: 12gb
  checksum-validation: no
  prealloc-sessions: 375000
  inline: auto
  bypass: yes
  reassembly:
    memcap: 14gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    segment-prealloc: 200000
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these CPUs in affinity settings
  - receive-cpu-set:
      cpu: [ "2","4","6","8","10","12","14" ]  # include only these CPUs in affinity settings
  - worker-cpu-set:
      cpu: [ "2-9" ]  # include only these CPUs in affinity settings
      mode: "exclusive"
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      #threads: 8
      prio:
        #low: [ 0 ]
        #medium: [ "1-2" ]
        #high: [ 3 ]
        #default: "medium"
        default: "high"
Please let me know how to get a coredump and the reason for the coredump.