Bug #3353
openxdp_filter segmentation fault util-ebpf.c:728
Description
Hi
I followed https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html to run Suricata with xdp_filter. It appears that when there are existing flows in the map flow_table_v4, starting Suricata results in a segmentation fault.
```
# bpftool map list id 9
9: percpu_hash  name flow_table_v4  flags 0x0
	key 16B  value 16B  max_entries 32768  memlock 19660800B
# bpftool map dump id 9 | tail -36
key: 0a 08 08 09 0a 08 08 08 14 51 93 7a 01 00 00 00
value (CPU 00): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 01): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 02): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 03): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 04): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 05): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 06): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 07): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 08): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 09): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 10): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 11): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 12): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 13): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 14): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 15): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
value (CPU 16): 80 88 01 02 00 00 00 00 bd f1 e1 4e 2c 7f 00 00
value (CPU 17): 61 18 7e 00 00 00 00 00 18 00 00 00 30 00 00 00
value (CPU 18): 80 a7 6a 41 2c 7f 00 00 10 00 00 00 30 00 00 00
value (CPU 19): 50 a7 6a 41 2c 7f 00 00 90 a6 6a 41 2c 7f 00 00
value (CPU 20): 83 00 00 85 08 00 00 00 80 88 01 02 00 00 00 00
value (CPU 21): a0 c2 17 4f 2c 7f 00 00 80 92 01 02 00 00 00 00
value (CPU 22): 00 00 00 00 00 00 00 00 18 00 00 00 30 00 00 00
value (CPU 23): d0 a7 6a 41 2c 7f 00 00 10 a7 6a 41 2c 7f 00 00
value (CPU 24): 00 00 00 00 00 00 00 00 58 21 7d 00 00 00 00 00
value (CPU 25): 08 00 00 00 00 00 00 00 80 88 01 02 00 00 00 00
value (CPU 26): a0 c2 17 4f 2c 7f 00 00 e8 fa 36 04 2c 7f 00 00
value (CPU 27): 0d 9d 01 00 00 00 00 00 54 dd 2c 04 2c 7f 00 00
value (CPU 28): 65 97 01 00 00 00 00 00 d0 81 5c 00 00 00 00 00
value (CPU 29): a8 05 00 00 00 00 00 00 e0 a9 6a 41 2c 7f 00 00
value (CPU 30): b0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00
value (CPU 31): 06 00 00 00 00 00 00 00 90 b2 6a 41 2c 7f 00 00
Found 12 elements
```

```
# gdb --args suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from suricata...done.
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /usr/bin/suricata.
Use `info auto-load python-scripts [REGEXP]' to list them.
(gdb) run
Starting program: /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.1-dev (0824b0413 2019-11-02) running in SYSTEM mode
[29505] 20/11/2019 -- 19:41:06 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[29505] 20/11/2019 -- 19:41:06 - (util-device.c:286) <Config> (LiveBuildDeviceListCustom) -- Adding interface enp4s0f0 from config file
[29505] 20/11/2019 -- 19:41:06 - (util-device.c:286) <Config> (LiveBuildDeviceListCustom) -- Adding interface enp4s0f1 from config file
[29505] 20/11/2019 -- 19:41:06 - (app-layer-htp.c:2442) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 31402 and 'request-body-inspect-window' set to 4108 after randomization.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-htp.c:2460) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 41416 and 'response-body-inspect-window' set to 16938 after randomization.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-smb.c:344) <Config> (RegisterSMBParsers) -- SMB stream depth: 0
[29505] 20/11/2019 -- 19:41:06 - (app-layer-modbus.c:1523) <Config> (RegisterModbusParsers) -- Protocol detection and parser disabled for modbus protocol.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-enip.c:422) <Config> (RegisterENIPUDPParsers) -- Protocol detection and parser disabled for enip protocol.
[29505] 20/11/2019 -- 19:41:06 - (app-layer-dnp3.c:1626) <Config> (RegisterDNP3Parsers) -- Protocol detection and parser disabled for DNP3.
[29505] 20/11/2019 -- 19:41:06 - (host.c:254) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[29505] 20/11/2019 -- 19:41:06 - (host.c:277) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[29505] 20/11/2019 -- 19:41:06 - (host.c:279) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[29505] 20/11/2019 -- 19:41:06 - (util-coredump-config.c:149) <Config> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:2648) <Info> (PostDeviceFinalizedSetup) -- AF_PACKET: Setting IPS mode
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:248) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:273) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 160
[29505] 20/11/2019 -- 19:41:06 - (defrag-hash.c:280) <Config> (DefragInitConfig) -- defrag memory usage: 14155616 bytes, maximum: 33554432
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:399) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:418) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:424) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:430) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:447) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:475) <Config> (StreamTcpInitConfig) -- stream."inline": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:488) <Config> (StreamTcpInitConfig) -- stream "bypass": enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:510) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:532) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:550) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:626) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2468
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:628) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2663
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp.c:640) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[29505] 20/11/2019 -- 19:41:06 - (stream-tcp-reassemble.c:373) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'anomaly'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'http'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[29505] 20/11/2019 -- 19:41:06 - (output-json-dns.c:540) <Config> (JsonDnsParseVersion) -- eve-log dns version not set, defaulting to version 2
[29505] 20/11/2019 -- 19:41:06 - (output-json-dns.c:540) <Config> (JsonDnsParseVersion) -- eve-log dns version not set, defaulting to version 2
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tls'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'files'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smtp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ftp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'nfs'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smb'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tftp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ikev2'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'krb5'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'snmp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dhcp'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ssh'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'stats'
[29505] 20/11/2019 -- 19:41:06 - (runmodes.c:625) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[29505] 20/11/2019 -- 19:41:06 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[29505] 20/11/2019 -- 19:41:06 - (suricata.c:2468) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[29505] 20/11/2019 -- 19:41:06 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:1969) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: ac, SPM: bm
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2368) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2392) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist (default) 53, 135, 5060
[29505] 20/11/2019 -- 19:41:06 - (detect-engine.c:2420) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[29505] 20/11/2019 -- 19:41:06 - (reputation.c:607) <Config> (SRepInit) -- IP reputation disabled
[29505] 20/11/2019 -- 19:41:06 - (detect-engine-loader.c:249) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/suricata.rules
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 23913 rules successfully loaded, 0 rules failed
[29505] 20/11/2019 -- 19:41:08 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[29505] 20/11/2019 -- 19:41:08 - (detect-engine-mpm.c:470) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 23917 signatures processed. 1053 are IP-only rules, 5092 are inspecting packet payload, 17505 inspect application layer, 103 are decoder event only
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1419) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- TCP toserver: 41 port groups, 35 unique SGH's, 6 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- UDP toserver: 41 port groups, 36 unique SGH's, 5 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1259) <Perf> (RulesGroupByPorts) -- UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1005) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
[29505] 20/11/2019 -- 19:41:09 - (detect-engine-build.c:1042) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-build.c:1784) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 109
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 28
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 20
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 28
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 21
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 36
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 15
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1149) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri (http)": 9
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body (http)": 4
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header (http)": 8
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header (http)": 8
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header_names (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_len (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http.server (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_start (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method (http)": 3
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie (http)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent (http)": 6
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code (http)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 4
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 3
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_issuer (tls)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_subject (tls)": 2
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_serial (tls)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh.proto (ssh)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient ssh.proto (ssh)": 1
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smtp)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smb)": 5
[29505] 20/11/2019 -- 19:41:16 - (detect-engine-mpm.c:1157) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (smb)": 5
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:272) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enp4s0f0->enp4s0f1
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp4s0f0)
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:391) <Config> (ParseAFPConfig) -- Using pinned maps on iface enp4s0f0
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp4s0f0)
[29505] 20/11/2019 -- 19:41:18 - (util-ebpf.c:324) <Info> (EBPFLoadFile) -- Loaded pinned maps, will use already loaded eBPF filter
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:528) <Info> (ParseAFPConfig) -- Loaded pinned maps from sysfs
[29505] 20/11/2019 -- 19:41:18 - (util-ioctl.c:767) <Info> (GetIfaceRSSQueuesNum) -- Found 16 RX RSS queues for 'enp4s0f0'
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:637) <Perf> (ParseAFPConfig) -- 16 RSS queues, so using 16 threads
[29505] 20/11/2019 -- 19:41:18 - (runmode-af-packet.c:643) <Perf> (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface enp4s0f0
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:700) <Config> (ParseAFPConfig) -- enp4s0f0: enabling zero copy mode by using data release call
[29505] 20/11/2019 -- 19:41:19 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[New Thread 0x7ffff42f4700 (LWP 29510)]
[New Thread 0x7ffff3af3700 (LWP 29511)]
[New Thread 0x7ffff32f2700 (LWP 29512)]
[New Thread 0x7ffff2af1700 (LWP 29513)]
[New Thread 0x7ffff22f0700 (LWP 29514)]
[New Thread 0x7ffff1aef700 (LWP 29515)]
[New Thread 0x7ffff12ee700 (LWP 29516)]
[New Thread 0x7ffff0aed700 (LWP 29517)]
[New Thread 0x7ffff02ec700 (LWP 29518)]
[New Thread 0x7fffefaeb700 (LWP 29519)]
[New Thread 0x7fffef2ea700 (LWP 29520)]
[New Thread 0x7fffe957d700 (LWP 29521)]
[New Thread 0x7fffe8d7c700 (LWP 29522)]
[New Thread 0x7fffb3fff700 (LWP 29523)]
[New Thread 0x7fffb37fe700 (LWP 29524)]
[New Thread 0x7fffb2ffd700 (LWP 29525)]
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:272) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enp4s0f1->enp4s0f0
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp4s0f1)
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:391) <Config> (ParseAFPConfig) -- Using pinned maps on iface enp4s0f1
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp4s0f1)
[29505] 20/11/2019 -- 19:41:19 - (util-ebpf.c:324) <Info> (EBPFLoadFile) -- Loaded pinned maps, will use already loaded eBPF filter
[29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:528) <Info>
```
(ParseAFPConfig) -- Loaded pinned maps from sysfs [29505] 20/11/2019 -- 19:41:19 - (util-ioctl.c:767) <Info> (GetIfaceRSSQueuesNum) -- Found 16 RX RSS queues for 'enp4s0f1' [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:637) <Perf> (ParseAFPConfig) -- 16 RSS queues, so using 16 threads [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:643) <Perf> (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface enp4s0f1 [29505] 20/11/2019 -- 19:41:19 - (runmode-af-packet.c:700) <Config> (ParseAFPConfig) -- enp4s0f1: enabling zero copy mode by using data release call [29505] 20/11/2019 -- 19:41:19 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s) [New Thread 0x7fffb27fc700 (LWP 29526)] [29526] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29526] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb1ffb700 (LWP 29527)] [29527] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29527] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb17fa700 (LWP 29528)] [29528] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29528] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fffb0ff9700 (LWP 29529)] [29529] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29529] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff93fff700 (LWP 29530)] [29530] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29530] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found 
an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff937fe700 (LWP 29531)] [29531] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29531] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff92ffd700 (LWP 29532)] [29532] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29532] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff927fc700 (LWP 29533)] [29533] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29533] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff91ffb700 (LWP 29534)] [29534] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29534] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff917fa700 (LWP 29535)] [29535] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29535] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff90ff9700 (LWP 29536)] [29536] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29536] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff73fff700 (LWP 29537)] [29537] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29537] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff737fe700 (LWP 29538)] [29538] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found 
an MTU of 1500 for 'enp4s0f1' [29538] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff72ffd700 (LWP 29539)] [29539] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29539] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff727fc700 (LWP 29540)] [29540] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29540] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [New Thread 0x7fff71ffb700 (LWP 29541)] [29541] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f1' [29541] 20/11/2019 -- 19:41:19 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enp4s0f0' [29505] 20/11/2019 -- 19:41:19 - (flow-manager.c:893) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads [New Thread 0x7fff717fa700 (LWP 29542)] [29505] 20/11/2019 -- 19:41:19 - (flow-manager.c:1054) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads [New Thread 0x7fff70ff9700 (LWP 29543)] [New Thread 0x7fff53fff700 (LWP 29544)] [New Thread 0x7fff537fe700 (LWP 29545)] Thread 36 "FB" received signal SIGSEGV, Segmentation fault. 
[Switching to Thread 0x7fff53fff700 (LWP 29544)] 0x0000000000883b08 in EBPFForEachFlowV4Table (th_v=0x82eaec0, dev=0x13543d0, name=0xfa1c27 "flow_table_v4", ctime=0x7fff53ffcb08, tcfg=0x36e90f0, EBPFOpFlowForKey=0x883f30 <EBPFCreateFlowForKey>) at util-ebpf.c:728 728 pkts_cnt += BPF_PERCPU(values_array, i).packets; (gdb) bt #0 0x0000000000883b08 in EBPFForEachFlowV4Table (th_v=0x82eaec0, dev=0x13543d0, name=0xfa1c27 "flow_table_v4", ctime=0x7fff53ffcb08, tcfg=0x36e90f0, EBPFOpFlowForKey=0x883f30 <EBPFCreateFlowForKey>) at util-ebpf.c:728 #1 0x0000000000883534 in EBPFCheckBypassedFlowCreate (th_v=0x82eaec0, curtime=0x7fff53ffcb08, data=0x36e90f0) at util-ebpf.c:908 #2 0x00000000006b0fdd in BypassedFlowManager (th_v=0x82eaec0, thread_data=0x7fff4c000b20) at flow-bypass.c:80 #3 0x0000000000841a48 in TmThreadsManagement (td=0x82eaec0) at tm-threads.c:706 #4 0x00007ffff695f6db in start_thread (arg=0x7fff53fff700) at pthread_create.c:463 #5 0x00007ffff5dc388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Here is my suricata.yaml:

af-packet:
  - interface: enp4s0f0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f1
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
  - interface: enp4s0f1
    threads: auto
    cluster-id: 100
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    bypass: yes
    ring-size: 200000
    copy-mode: ips
    copy-iface: enp4s0f0
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
This is on Ubuntu 18.04.03, kernel 5.0.0-36-generic. Please let me know what other information you need.