Project

General

Profile

Actions

Bug #1637

closed

drop log crashes

Added by Hayder Sinan about 9 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have a Suricata running on version 2.0.10 on Centos7 we have an issue that the Suricata service fails when it receives a small udp packet size or a large one please find below logs when the issue happens

the following logs are taken when it received a large udp Packet Size

[root@ips01 suricata]# tail /var/log/messages
Dec  8 14:23:59 ips01 iptables.init: iptables: Setting chains to policy ACCEPT: mangle filter [  OK  ]
Dec  8 14:23:59 ips01 iptables.init: iptables: Flushing firewall rules: [  OK  ]
Dec  8 14:23:59 ips01 iptables.init: iptables: Unloading modules: [  OK  ]
Dec  8 14:23:59 ips01 systemd: Starting IPv4 firewall with iptables...
Dec  8 14:23:59 ips01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec  8 14:23:59 ips01 iptables.init: iptables: Applying firewall rules: [  OK  ]
Dec  8 14:23:59 ips01 systemd: Started IPv4 firewall with iptables.
Dec  8 14:24:09 ips01 kernel: Detect1[26508]: segfault at 4 ip 00000000004c7fcc sp 00007f4fac0a0470 error 4 in suricata[400000+1c6000]
Dec  8 14:24:09 ips01 systemd: suricata.service: main process exited, code=killed, status=11/SEGV
Dec  8 14:24:09 ips01 systemd: Unit suricata.service entered failed state.
[root@ips01 ~]# tailf /usr/local/var/log/suricata/fast.log
12/08/2015-14:24:07.437108  [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370
12/08/2015-14:24:07.438062  [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370
12/08/2015-14:24:07.441106  [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.236.200.100:53 -> 194.18.169.45:26370
12/08/2015-14:24:07.871481  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60723 -> 87.98.175.85:53
12/08/2015-14:24:08.235181  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:63715 -> 106.186.17.181:53
12/08/2015-14:24:08.344190  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:63328 -> 95.211.195.245:53
12/08/2015-14:24:08.466187  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:57532 -> 192.121.170.170:53
12/08/2015-14:24:08.653227  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60581 -> 151.236.6.6:53
12/08/2015-14:24:08.887174  [Drop] [**] [1:2017645:2] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.62.144:60723 -> 87.98.175.85:53
12/08/2015-14:24:09.075701  [Drop] [**] [1:521:2] MISC Large UDP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 37.239.196.31:53 -> 85.195.64.11:27710

if we disable the Sid #521 or sid #2200038 the issue is solved and the service doesn't fail can you please help?

the rules are 
drop pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; sid:2200038; rev:1;)

drop udp any any -> any any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)

Files

gdb-Core-12720.txt (3.83 KB) gdb-Core-12720.txt Hayder Sinan, 12/09/2015 04:27 AM
gdb-Core-26557.txt (1.75 KB) gdb-Core-26557.txt Hayder Sinan, 12/09/2015 04:27 AM
IPS.txt (2.57 KB) IPS.txt suricata --build-info Hayder Sinan, 12/09/2015 04:29 AM
Actions

Also available in: Atom PDF