Project

General

Profile

Actions
Copy link

Bug #2195

closed

hyperscan: abort() on loading very large ruleset

Added by Victor Julien over 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

valgrind /usr/bin/suricata -c /etc/suricata/suricata.yaml --pfring-int=ens192 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --pidfile /var/run/suricata.pid --set mpm-algo=hs

==2324== Memcheck, a memory error detector
==2324== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2324== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2324== Command: /usr/bin/suricata -c /etc/suricata/suricata.yaml --pfring-int=ens192 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --pidfile /var/run/suricata.pid --set mpm-algo=hs
==2324==
Initialization syslog logging with format "[%i] <%d> -- ".
31/7/2017 -- 10:14:49 - <Notice> - This is Suricata version 4.0.0 RELEASE
suricata: util-mpm-hs.c:163: SCHSInitHashLookup: Assertion `!(SCMemcmp(t->original_pat, pat, patlen) != 0)' failed.
==2324==
==2324== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2324==    at 0x875E428: raise (raise.c:54)
==2324==    by 0x8760029: abort (abort.c:89)
==2324==    by 0x8756BD6: __assert_fail_base (assert.c:92)
==2324==    by 0x8756C81: __assert_fail (assert.c:101)
==2324==    by 0x33D49A: SCHSInitHashLookup (util-mpm-hs.c:163)
==2324==    by 0x33D49A: SCHSAddPattern (util-mpm-hs.c:289)
==2324==    by 0x1ED9E5: PopulateMpmHelperAddPattern (detect-engine-mpm.c:491)
==2324==    by 0x1ED9E5: MpmStoreSetup (detect-engine-mpm.c:964)
==2324==    by 0x1EFFF6: MpmStorePrepareBufferAppLayer (detect-engine-mpm.c:1186)
==2324==    by 0x1EFFF6: PatternMatchPrepareGroup (detect-engine-mpm.c:1285)
==2324==    by 0x1F672C: PrefilterSetupRuleGroup (detect-engine-prefilter.c:381)
==2324==    by 0x1BA84C: SigAddressPrepareStage4 (detect.c:3413)
==2324==    by 0x1BADDD: SigGroupBuild (detect.c:3539)
==2324==    by 0x1BB685: SigLoadSignatures (detect.c:539)
==2324==    by 0x12B980: LoadSignatures (suricata.c:2426)
==2324==    by 0x12B980: PostConfLoadedDetectSetup (suricata.c:2557)
==2324==    by 0x12B980: main (suricata.c:2895)
==2324==

This is with a MISP generated ruleset of over 100k rules.

Actions
Copy link

Also available in: Atom PDF