Hi,
I installed Debian Buster as a minimal installation (no services apart from OpenSSH and the standard system tools). I installed Suricata 5.0.3 from buster-backports. I made only minimal changes to the config, including HOME_NET, adjusting the paths from /var/run to /var/run/suricata (pid and socket file), and setting user and group to suricata:suricata. For testing I started the daemon like this:
suricata -q0 -vv -c /etc/suricata/suricata.yaml
In nftables I use the queue command to jump into Suricata.
With the above command, the daemon starts fine. It processes all rules. Once it has started, I run:
suricatasc -c shutdown /var/run/suricata/suricata.sock
The tool comes back telling me the shutdown was successful. The daemon crashes with a segfault. The last line I see is: Cleaning up signature grouping structure... complete.
My questions are:
- Is this a known issue with 5.0.3? I could not find anything in the changelog on GitHub.
- What Linux distribution do you recommend for Suricata?
Thanks a lot for your work on Suricata!
Edit: I've just set up version 4 (no backport). That one does not crash. I can see that the crash is probably related to Hyperscan, because I see two additional lines now which I don't see when the daemon crashes. Both are related to Hyperscan cleaning up.
Edit 2: I played with --set mpm-algo=ac and hs. For both I see the segfault. So probably not Hyperscan related.
Edit 3: Reinstalled 5.0.3. This time the only configuration change was to adjust default-rule-path to the right directory and update the rules, then start Suricata as mentioned above. The same behaviour occurs. So this should not be a configuration issue.
Edit 4: The crash happens in BpfMapsInfoFree in util-ebpf.c, line 84.
Starting program: /usr/bin/suricata -vv -q0 -c /etc/suricata/suricata.yaml
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff312b700 (LWP 4859)]
[New Thread 0x7ffff292a700 (LWP 4860)]
[New Thread 0x7ffff2129700 (LWP 4861)]
[New Thread 0x7ffff1928700 (LWP 4862)]
[New Thread 0x7ffff1127700 (LWP 4863)]
[New Thread 0x7ffff0926700 (LWP 4864)]
[New Thread 0x7fffdbfff700 (LWP 4865)]
[New Thread 0x7fffdb7fe700 (LWP 4866)]
[New Thread 0x7fffdaffd700 (LWP 4867)]
[New Thread 0x7fffda7fc700 (LWP 4868)]
[New Thread 0x7fffd9ffb700 (LWP 4869)]
[Thread 0x7fffdbfff700 (LWP 4865) exited]
[Thread 0x7fffdb7fe700 (LWP 4866) exited]
[Thread 0x7fffdaffd700 (LWP 4867) exited]
[Thread 0x7fffda7fc700 (LWP 4868) exited]
[Thread 0x7ffff312b700 (LWP 4859) exited]
[Thread 0x7ffff292a700 (LWP 4860) exited]
[Thread 0x7ffff2129700 (LWP 4861) exited]
[Thread 0x7ffff1928700 (LWP 4862) exited]
[Thread 0x7ffff1127700 (LWP 4863) exited]
[Thread 0x7ffff0926700 (LWP 4864) exited]
[Thread 0x7fffd9ffb700 (LWP 4869) exited]
Thread 1 "Suricata-Main" received signal SIGSEGV, Segmentation fault.
0x0000555555773cd4 in BpfMapsInfoFree (bpf=0x231) at util-ebpf.c:84
84 in util-ebpf.c
#0 0x0000555555773cd4 in BpfMapsInfoFree (bpf=0x231) at util-ebpf.c:84
#1 0x00005555557c7a1e in StorageFreeAll (storage=storage@entry=0x555555b3ecb8, type=type@entry=STORAGE_DEVICE)
at util-storage.c:327
#2 0x00005555556a5a27 in LiveDevFreeStorage (d=d@entry=0x555555b3ec60) at device-storage.c:108
#3 0x000055555577317d in LiveDeviceListClean () at util-device.c:370
#4 0x000055555557c8e7 in GlobalsDestroy (suri=0x555555b08000 <suricata>, suri=0x555555b08000 <suricata>)
at suricata.c:380
#5 main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3113
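The backtrace above carries the one detail worth pulling out before anyone reads source: the crashing frame was handed bpf=0x231, a value far below any address a Linux process can have mapped (vm.mmap_min_addr defaults to 0x10000), so the device-storage slot being freed held something other than a pointer. The trace alone does not say which code stored it. The script below is an added triage helper, not code from the post or from the Suricata project: it parses a gdb backtrace, re-joins the frame lines gdb wrapped onto a following "at file:line" line, strips gdb's name@entry= form, skips optimized-out and symbolic arguments, and reports every pointer-typed argument whose value cannot be a valid address, together with the outermost-to-innermost call chain. It is general enough to run on any gdb "bt" output, not only this one; the embedded sample is the trace from the post, and the MIN_PLAUSIBLE_ADDR threshold is an assumption about the default Linux mmap floor.

```python
"""Triage a gdb backtrace: locate the crashing frame and flag pointer arguments
whose value cannot be a mapped user-space address (added example, not
Suricata code)."""
import re
from dataclasses import dataclass

# Assumption: nothing is mapped below vm.mmap_min_addr (default 65536 on Linux),
# so a "pointer" smaller than this is an integer or garbage in a pointer slot.
MIN_PLAUSIBLE_ADDR = 0x10000

# Sample input: the gdb output from the post above (trimmed to the crash part).
BACKTRACE = """\
[Thread 0x7fffd9ffb700 (LWP 4869) exited]
Thread 1 "Suricata-Main" received signal SIGSEGV, Segmentation fault.
0x0000555555773cd4 in BpfMapsInfoFree (bpf=0x231) at util-ebpf.c:84
84 in util-ebpf.c
#0 0x0000555555773cd4 in BpfMapsInfoFree (bpf=0x231) at util-ebpf.c:84
#1 0x00005555557c7a1e in StorageFreeAll (storage=storage@entry=0x555555b3ecb8, type=type@entry=STORAGE_DEVICE)
at util-storage.c:327
#2 0x00005555556a5a27 in LiveDevFreeStorage (d=d@entry=0x555555b3ec60) at device-storage.c:108
#3 0x000055555577317d in LiveDeviceListClean () at util-device.c:370
#4 0x000055555557c8e7 in GlobalsDestroy (suri=0x555555b08000 <suricata>, suri=0x555555b08000 <suricata>)
at suricata.c:380
#5 main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3113
"""

FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<addr>0x[0-9a-f]+) in )?(?P<func>\w+) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?$"
)
SIGNAL_RE = re.compile(r"received signal (?P<sig>\w+)")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


@dataclass
class Frame:
    index: int
    function: str
    args: dict      # argument name -> value text as gdb printed it
    file: str
    line: int


def _join_wrapped_frames(text):
    """Collect '#N ...' lines, gluing back any 'at file:line' gdb wrapped onto the next line."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            frames.append(line)
        elif line.startswith("at ") and frames:
            frames[-1] += " " + line
    return frames


def _parse_args(arg_text):
    """Turn 'a=1, b=b@entry=0x10' into {'a': '1', 'b': '0x10'}; '@entry=' means gdb
    could only recover the value the argument had on function entry."""
    args = {}
    for item in arg_text.split(", ") if arg_text else []:
        name, _, value = item.partition("=")
        if "@entry=" in value:
            value = value.rpartition("=")[2]
        args[name] = value
    return args


def parse_backtrace(text):
    """Return (signal name or None, frames from innermost #0 outwards)."""
    m = SIGNAL_RE.search(text)
    signal = m.group("sig") if m else None
    frames = []
    for line in _join_wrapped_frames(text):
        fm = FRAME_RE.match(line)
        if not fm:            # e.g. '?? ()' frames without symbols
            continue
        frames.append(Frame(int(fm.group("idx")), fm.group("func"),
                            _parse_args(fm.group("args")),
                            fm.group("file") or "?", int(fm.group("line") or 0)))
    return signal, frames


def implausible_pointer_args(frames):
    """(function, arg, value) for every bare hex argument below MIN_PLAUSIBLE_ADDR.
    Enumerators, '<optimized out>' and 'ptr <symbol>' values are skipped."""
    hits = []
    for f in frames:
        for name, value in f.args.items():
            if HEX_RE.fullmatch(value) and int(value, 16) < MIN_PLAUSIBLE_ADDR:
                hits.append((f.function, name, int(value, 16)))
    return hits


def call_chain(frames):
    """Function names in the order they were entered (outermost first)."""
    return [f.function for f in sorted(frames, key=lambda f: f.index, reverse=True)]


def triage(text):
    signal, frames = parse_backtrace(text)
    crash = f"{frames[0].function} at {frames[0].file}:{frames[0].line}" if frames else None
    return {"signal": signal, "crash_site": crash,
            "chain": call_chain(frames), "bad_pointers": implausible_pointer_args(frames)}


if __name__ == "__main__":
    report = triage(BACKTRACE)
    print(f"{report['signal']} in {report['crash_site']}")
    print("call chain:", " -> ".join(report["chain"]))
    for func, arg, val in report["bad_pointers"]:
        print(f"{func}: argument {arg}={val:#x} is not a mapped address; the caller stored a non-pointer")
```

To use it on your own crash, run the daemon under gdb with `gdb -batch -ex run -ex bt --args suricata -vv -q0 -c /etc/suricata/suricata.yaml`, trigger the shutdown from a second shell with suricatasc as in the post, and feed the captured output to triage(). A flagged argument in frame #0 means the bug is in whoever populated that slot, one or more frames up the chain, not in the function that crashed.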