Hi, I found that setting the max-files of pcap-log in the Suricata.yaml configuration file to 1 has a chance of causing the Suricata main process to crash. Related information is as follows:

pcap-log:
  enabled: yes
  filename: alert.pcap
  # File size limit. Can be specified in kb, mb, gb. Just a number
  # is parsed as bytes.
  limit: 100gb
  # If set to a value, ring buffer mode is enabled. Will keep maximum of
  # "max-files" of size "limit"
  max-files: 1
  # Compression algorithm for pcap files. Possible values: none, lz4.
  # Enabling compression is incompatible with the sguil mode. Note also
  # that on Windows, enabling compression will *increase* disk I/O.
  compression: none
  # Further options for lz4 compression. The compression level can be set
  # to a value between 0 and 16, where higher values result in higher
  # compression.
  #lz4-checksum: no
  #lz4-level: 0
  mode: sguil # normal, multi or sguil.
  # Directory to place pcap files. If not provided the default log
  # directory will be used. Required for "sguil" mode.
  dir: /home/pcap-log
  #ts-format: :usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
  use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
  conditional: alerts
ame_size=1616 frame_nr=100440 (mem: 162529280)
Sep 10 23:59:18 Network-Security-Event-Validation-System suricata: [1572] Perf: af-packet: em4: setting socket buffer to 2147483647
Sep 10 23:59:18 Network-Security-Event-Validation-System suricata: [1572] Perf: af-packet: em4: rx ring params: block_size=1048576 block_nr=155 frame_size=1616 frame_nr=100440 (mem: 162529280)
Sep 10 23:59:18 Network-Security-Event-Validation-System suricata: [1574] Perf: af-packet: em4: setting socket buffer to 2147483647
Sep 10 23:59:18 Network-Security-Event-Validation-System suricata: [1574] Perf: af-packet: em4: rx ring params: block_size=1048576 block_nr=155 frame_size=1616 frame_nr=100440 (mem: 162529280)
Sep 10 23:59:18 Network-Security-Event-Validation-System suricata: [1545] Notice: threads: Threads created -> W: 12 FM: 1 FR: 1 Engine started.
Sep 11 00:00:01 Network-Security-Event-Validation-System systemd: Created slice User Slice of root.
Sep 11 00:00:01 Network-Security-Event-Validation-System systemd: Started Session 5569 of user root.
Sep 11 00:00:01 Network-Security-Event-Validation-System systemd: Started Session 5568 of user root.
Sep 11 00:00:01 Network-Security-Event-Validation-System systemd: Removed slice User Slice of root.
Sep 11 00:00:09 Network-Security-Event-Validation-System kernel: W#03-em4[1570]: segfault at 8 ip 0000000000682e3a sp 00007f1cbb8390e0 error 4 in suricata[400000+995000]
Sep 11 00:00:33 Network-Security-Event-Validation-System kernel: device em2 left promiscuous mode
Sep 11 00:00:33 Network-Security-Event-Validation-System kernel: device em4 left promiscuous mode
Sep 11 00:00:33 Network-Security-Event-Validation-System systemd: suricata.service: main process exited, code=killed, status=11/SEGV
Sep 11 00:00:33 Network-Security-Event-Validation-System systemd: Unit suricata.service entered failed state.
Sep 11 00:00:33 Network-Security-Event-Validation-System systemd: suricata.service failed.
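The journal lines above are what an operator sees when the sensor dies: a kernel segfault line for one worker thread, then systemd reporting the unit killed with SIGSEGV. From a monitoring point of view that sequence is a blind spot (the engine started, then stopped capturing) and is worth detecting automatically rather than waiting for the next core dump. The following Python script is an added example, not code from the report or from the Suricata project. It parses syslog-style lines of the shape shown above into structured events, decodes the x86 page-fault error code, and flags a start-then-SEGV sequence. The sample lines are constructed from the excerpt (hostname shortened), and the function names `parse_segfault`, `parse_unit_exit` and `analyze` are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the journal excerpt in the report
# (hostname shortened; the field values are copied from the excerpt).
SAMPLE_LOG = """\
Sep 10 23:59:18 sensor suricata: [1545] Notice: threads: Threads created -> W: 12 FM: 1 FR: 1 Engine started.
Sep 11 00:00:01 sensor systemd: Started Session 5569 of user root.
Sep 11 00:00:09 sensor kernel: W#03-em4[1570]: segfault at 8 ip 0000000000682e3a sp 00007f1cbb8390e0 error 4 in suricata[400000+995000]
Sep 11 00:00:33 sensor kernel: device em4 left promiscuous mode
Sep 11 00:00:33 sensor systemd: suricata.service: main process exited, code=killed, status=11/SEGV
Sep 11 00:00:33 sensor systemd: Unit suricata.service entered failed state.
"""

# Common syslog prefix: "Mon DD HH:MM:SS host "
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# Kernel report of a user-space segfault, including the mapping of the binary.
SEGFAULT_RE = re.compile(
    TS + r"kernel: (?P<thread>.+?)\[(?P<tid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in "
    r"(?P<binary>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]$"
)
# systemd report that a unit's main process died.
EXIT_RE = re.compile(
    TS + r"systemd: (?P<unit>\S+): main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)


def decode_x86_error(err: int) -> str:
    """Decode the x86 page-fault error code bits printed by the kernel."""
    return ", ".join([
        "protection violation" if err & 1 else "page not present",
        "write" if err & 2 else "read",
        "user mode" if err & 4 else "kernel mode",
    ])


def parse_segfault(line: str) -> Optional[Dict]:
    """Return a structured segfault event, or None if the line is something else."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    addr, ip, base = int(m["addr"], 16), int(m["ip"], 16), int(m["base"], 16)
    return {
        "thread": m["thread"],
        "tid": int(m["tid"]),
        "binary": m["binary"],
        "fault_addr": addr,
        # A fault at a tiny address is almost always a NULL pointer dereferenced
        # through a struct field at that offset.
        "near_null": addr < 4096,
        "ip": ip,
        # Offset of the faulting instruction inside the mapped binary; this is
        # the value to resolve with addr2line or gdb against the same build.
        "ip_offset": ip - base,
        "error": decode_x86_error(int(m["err"])),
    }


def parse_unit_exit(line: str) -> Optional[Dict]:
    """Return a structured unit-exit event, or None."""
    m = EXIT_RE.match(line)
    if not m:
        return None
    return {"unit": m["unit"], "code": m["code"], "status": m["status"]}


def analyze(log_text: str, unit: str = "suricata.service") -> Dict:
    """Walk a syslog/journal excerpt and summarise whether the IDS crashed."""
    segfaults: List[Dict] = []
    exits: List[Dict] = []
    engine_started = False
    for line in log_text.splitlines():
        if " suricata: " in line and "Engine started." in line:
            engine_started = True
        seg = parse_segfault(line)
        if seg and seg["binary"] == "suricata":
            segfaults.append(seg)
        ex = parse_unit_exit(line)
        if ex and ex["unit"] == unit:
            exits.append(ex)
    crashed = any(e["status"].endswith("/SEGV") for e in exits)
    return {
        "engine_started": engine_started,
        "segfaults": segfaults,
        "exits": exits,
        "crashed": crashed,
        # A sensor that came up and then died is a capture gap, not just an error line.
        "blind_spot": engine_started and crashed,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for s in summary["segfaults"]:
        print(f"thread {s['thread']} faulted at {s['fault_addr']:#x} ({s['error']}), "
              f"ip offset {s['ip_offset']:#x} in {s['binary']}")
    print("blind spot:", summary["blind_spot"])
```

On the sample above the script reports a user-mode read of address 8 (a near-NULL dereference) in worker thread `W#03-em4`, at offset 0x282e3a into the `suricata` mapping, which matches the `PcapLogRotateFile` frame the gdb session below resolves. Feed it the journal for the unit (for example the output of `journalctl -u suricata.service -k`) to turn the crash into an alertable event.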
[root@Network-Security-Event-Validation-System ~]# gdb /home/Suricata/bin/suricata /core.1545
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-120.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /home/Suricata/bin/suricata...done.
warning: core file may not match specified executable file.
[New LWP 1570]
[New LWP 1575]
[New LWP 1564]
[New LWP 1577]
[New LWP 1545]
[New LWP 1576]
[New LWP 1578]
[New LWP 1567]
[New LWP 1579]
[New LWP 1572]
[New LWP 1559]
[New LWP 1566]
[New LWP 1569]
[New LWP 1561]
[New LWP 1560]
[New LWP 1571]
[New LWP 1574]
[New LWP 1568]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/home/Suricata/bin/suricata --af-packet -vv'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000682e3a in PcapLogRotateFile (pl=pl@entry=0x27492160, t=) at log-pcap.c:375
375 log-pcap.c: 没有那个文件或目录.
Missing separate debuginfos, use: debuginfo-install elfutils-libelf-0.176-5.el7.x86_64 file-libs-5.11-37.el7.x86_64 glibc-2.17-326.el7_9.x86_64 jansson-2.10-1.el7.x86_64 libcap-ng-0.7.5-4.el7.x86_64 libgcc-4.8.5-44.el7.x86_64 libnet-1.1.6-7.el7.x86_64 libpcap-1.5.3-12.el7.x86_64 libyaml-0.1.4-11.el7_0.x86_64 lz4-1.8.3-1.el7.x86_64 pcre2-10.23-2.el7.x86_64 zlib-1.2.7-21.el7_9.x86_64