Suricata crashing on OpenBSD

Dear all,

I am having trouble with Suricata (6.0.2) on OpenBSD (6.9 and 7.0). The service keeps crashing and I do not get any leads from the logs. It is most likely a configuration issue on my end or a problem with my OpenBSD setup (using a link aggregation / trunk interface).

Please find my configuration file here:

If I start Suricata with the same configuration file on a virtual machine (with a simple “untagged” VirtIO network interface) the Suricata process doesn’t crash. I should note that the virtual machine barely sees any traffic.

I tried enabling the debug log level, but I don’t seem to get more logs:

logging:
  default-log-level: debug

<...>

  outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      level: debug
      filename: suricata.log
      # type: json
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "
      # type: json

Any hints are appreciated.

Thank you,
mayak

Perhaps you can try running Suricata in gdb and share a backtrace of the crash.

Also, can you share what type of interface this is?

pcap:
  - interface: aggr0

Thank you very much for your help. The aggr0 interface is a “trunk/bond” between two interfaces:

$ cat /etc/hostname.aggr0

trunkport em1 trunkport em2 lacpmode active lacptimeout slow

Those are Intel i211AT interfaces on a PC Engines APU4.

I will try to create a core dump / trace either today or tomorrow. Thanks.