Suricata 7 - Handling of empty bpf-filter in af_packet (core dump)

Portly · September 4, 2023, 10:48am

Ever since I upgraded to 7 on a Ubuntu 20.04, the service always go down. No error no where. Suricata-start is good, suricata.log nothing. journalctl has the only tip of what can be happening:

Sep 04 11:04:53 lab systemd[1]: Started LSB: Next Generation IDS/IPS.
Sep 04 11:04:53 lab systemd[1]: suricata.service: Failed to read oom_kill field of memory.events cgroup attribute: No such file or directory
Sep 04 11:04:53 lab systemd[1]: suricata.service: Child 1427 belongs to suricata.service.
Sep 04 11:05:44 lab systemd[1]: suricata.service: Failed to read oom_kill field of memory.events cgroup attribute: No such file or directory
Sep 04 11:05:44 lab systemd[1]: suricata.service: Child 1431 belongs to suricata.service.
Sep 04 11:05:44 lab systemd[1]: suricata.service: Control group is empty.
Sep 04 11:05:44 lab systemd[1]: suricata.service: Changed running -> exited

Any clue of what could be?

Portly · September 4, 2023, 12:06pm

I have another system that also has this error message but the service doesn’t stop (relating to cgroup message). It seems the bad one is control group is empty.

pevma · September 4, 2023, 12:11pm

Are there any errors in /var/log/suicata/suricata.log

Portly · September 4, 2023, 12:27pm

No error no error no where except journalctl.

Notice: suricata: Configuration provided was successfully loaded. Exiting.

Edit: when running terminal not service I get:

Segmentation fault (core dumped)

From dmesg:

[ 1868.878772] Suricata-Main[2790]: segfault at 0 ip 000055b06136774d sp 00007ffd111196f0 error 4 in suricata[55b06125a000+613000]
[ 3119.494504] Suricata-Main[3913]: segfault at 0 ip 000055fe4953774d sp 00007ffdb872a470 error 4 in suricata[55fe4942a000+613000]

Portly · September 4, 2023, 4:44pm

I found the problem when running gdb:

[New Thread 0x7ffff4847700 (LWP 5495)]
[New Thread 0x7fffeffff700 (LWP 5496)]
[New Thread 0x7fffef7fe700 (LWP 5497)]
[New Thread 0x7fffeeffd700 (LWP 5498)]
[New Thread 0x7fffee7fc700 (LWP 5499)]
[New Thread 0x7fffedffb700 (LWP 5500)]
[New Thread 0x7fffed7fa700 (LWP 5501)]
E: af-packet: enp7s0: failed to compile BPF "/usr/bin/suricata": can't parse filter expression: syntax error
E: af-packet: enp7s0: failed to init socket for interface
E: threads: thread "W#01-enp7s0" failed to start: flags 0423
[Thread 0x7fffed7fa700 (LWP 5501) exited]
[Thread 0x7fffedffb700 (LWP 5500) exited]
[Thread 0x7fffee7fc700 (LWP 5499) exited]
[Thread 0x7fffeeffd700 (LWP 5498) exited]
[Thread 0x7fffeffff700 (LWP 5496) exited]
[Thread 0x7ffff4847700 (LWP 5495) exited]
[Thread 0x7ffff6a43600 (LWP 5424) exited]

Before upgrade do 7 I had empty bpf:

af-packet:
-   cluster-id: 1
    interface: enp7s0
    threads: auto
    bpf-filter:

Never had problem. Now with 7 empty bpf makes segfault or suri won’t begin. did handle of “bpf-filter:” change?

When I add a “not host 1.1.1.1” or remove bpf-filter problem is gone!

Portly · September 7, 2023, 2:48pm

would be good having tad more info on this

ish · September 8, 2023, 3:13pm

Tracking: Bug #6302: af-packet: fails to handle null bpf-filter - Suricata - Open Information Security Foundation

Workaround as you have found is to just comment it out.

Portly · September 11, 2023, 1:44am

is it bug tho? regression?

Edit: sorry, did not see link. tank you!