Suricata error exit in docker

  • Suricata 6.0.12 in docker
  • Host: Linux 192-168-1-129 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • docker: alpine:edge
  • suricata in docker

The suricata container is running and constantly restarts itself. I found the following logs by running grep -i "suricata" /var/log/messages. How should I solve this problem?

Oct 30 03:50:53 192-168-1-129 kernel: W#04-eth0[9853]: segfault at 7ff542d3a7c8 ip 000056420dcda3ae sp 00007ff542d3a7d0 error 6 in suricata[56420dc31000+2e6000]
Oct 30 11:24:39 192-168-1-129 kernel: W#07-eth0[27281]: segfault at 7fa59f63cc48 ip 000055ff2221b3ae sp 00007fa59f63cc50 error 6 in suricata[55ff22172000+2e6000]
Oct 30 16:25:03 192-168-1-129 kernel: W#06-eth0[22722]: segfault at 7f9e5095aee8 ip 0000555d7f58937d sp 00007f9e5095aef0 error 6 in suricata[555d7f454000+2e6000]
Oct 30 16:52:13 192-168-1-129 kernel: W#01-eth0[31148]: segfault at 7f1272ca6c58 ip 00005652fd98b3ae sp 00007f1272ca6c60 error 6 in suricata[5652fd8e2000+2e6000]
Oct 31 10:47:49 192-168-1-129 kernel: W#05-eth0[26829]: segfault at 7f6f99c88bd8 ip 000055fe533213ae sp 00007f6f99c88be0 error 6 in suricata[55fe53278000+2e6000]
Oct 31 11:37:23 192-168-1-129 kernel: W#03-eth0[27982]: segfault at 7f43c96a4bd8 ip 00005594a42bd3ae sp 00007f43c96a4be0 error 6 in suricata[5594a4214000+2e6000]
Nov 1 10:15:05 192-168-1-129 kernel: W#06-eth0[29508]: segfault at 7fca55919bd8 ip 000055c457fc63ae sp 00007fca55919be0 error 6 in suricata[55c457f1d000+2e6000]
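An added example, not part of the original thread: a small Python parser for kernel segfault lines of the shape shown above. It computes the faulting instruction's offset inside the mapped suricata image (with a PIE binary that offset, not the raw ip, is what to symbolize with addr2line or gdb against the same build), decodes the x86 page-fault error code, and groups faults by crash site so a recurring site stands out; the two sample lines are constructed from the messages above, and the "write just below sp" flag is a heuristic of this example, not a diagnosis from the thread.

```python
import re

# Constructed sample: two lines with the shape of the kernel messages in the post.
SAMPLE_LOG = """\
Oct 30 03:50:53 192-168-1-129 kernel: W#04-eth0[9853]: segfault at 7ff542d3a7c8 ip 000056420dcda3ae sp 00007ff542d3a7d0 error 6 in suricata[56420dc31000+2e6000]
Oct 30 16:25:03 192-168-1-129 kernel: W#06-eth0[22722]: segfault at 7f9e5095aee8 ip 0000555d7f58937d sp 00007f9e5095aef0 error 6 in suricata[555d7f454000+2e6000]
"""

SEGFAULT_RE = re.compile(
    r"(?P<thread>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<binary>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfault(line):
    """Return a dict describing one kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, sp = (int(m[k], 16) for k in ("addr", "ip", "sp"))
    base, size, err = int(m["base"], 16), int(m["size"], 16), int(m["err"])
    return {
        "thread": m["thread"],
        "binary": m["binary"],
        # offset of the faulting instruction inside the mapped image; for a PIE
        # binary this is the value to feed to addr2line/gdb, not the raw ip
        "ip_offset": ip - base,
        "ip_in_image": base <= ip < base + size,
        # x86 page-fault error code bits: 0 = protection violation (clear means
        # the page was not present), 1 = write access, 2 = raised from user mode
        "protection": bool(err & 1),
        "write": bool(err & 2),
        "user": bool(err & 4),
        # heuristic (assumption of this example): a write a few bytes below sp is
        # the shape of a push/call landing on an unmapped page under the stack
        "write_below_sp": bool(err & 2) and 0 < sp - addr <= 16,
    }


def summarize(log_text):
    """Parse every segfault line and group the faults by ip offset (crash site)."""
    faults = [f for f in map(parse_segfault, log_text.splitlines()) if f]
    by_site = {}
    for f in faults:
        by_site.setdefault(f["ip_offset"], []).append(f["thread"])
    return faults, by_site


if __name__ == "__main__":
    faults, by_site = summarize(SAMPLE_LOG)
    for off, threads in sorted(by_site.items()):
        print(f"suricata+0x{off:x}: {len(threads)} fault(s) from {threads}")
```

Run it over the full /var/log/messages extract to see how many distinct offsets recur; a single offset repeating across worker threads is the one to symbolize first.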

I’d first recommend upgrading to Suricata 6.0.15 to be on our latest release.

If problems persist, please also provide the output of suricata --build-info.

Otherwise there is not a whole lot of detail here to help much.

The docker image I use: dtagdevsec/suricata:2204

This is my configuration information: suricata.yaml (71.0 KB)

The load on the host machine running the container:

This is the result of running build-info inside the docker container:

This is Suricata version 6.0.12 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.1 20220924, C version 201112
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.43, linked against LibHTP v0.5.43

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            yes
  XDP support:                             yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           yes
  IPFW support:                            no
  Netmap support:                          no  using new api: no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         yes
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.69.0 (84c898d65 2023-04-16) (Alpine Linux)
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.69.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-alpine-linux-musl
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -Os -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

This container seems to work fine for me. You could try running it with --privileged, not something I recommend for production, but it might allow it to work if it’s a resource issue inside the container.

Alternatively, try my container, jasonish/suricata:6.0 and see if that works for you.