Project

General

Profile

Actions

Bug #623

closed

1.4b2 core dump with pf_ring and PAE kernel

Added by Matt Carothers almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When running under CentOS 5.8 kernel 2.6.18-308.16.1.el5PAE with PF_RING support compiled in, Suricata dumps core. If I boot into 2.6.18-308.16.1.el5, it runs without issue, but of course most of my RAM doesn't show up.

9/11/2012 -- 18:35:29 - <Info> - This is Suricata version 1.4beta2 RELEASE
9/11/2012 -- 18:35:29 - <Info> - CPUs/cores online: 24
9/11/2012 -- 18:35:29 - <Info> - Found an MTU of 1500 for 'eth5'
9/11/2012 -- 18:35:29 - <Info> - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
9/11/2012 -- 18:35:29 - <Info> - preallocated 65535 defrag trackers of size 108
9/11/2012 -- 18:35:29 - <Info> - defrag memory usage: 9174932 bytes, maximum: 33554432
9/11/2012 -- 18:35:29 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
9/11/2012 -- 18:35:29 - <Info> - preallocated 2048 packets. Total memory 6316032
9/11/2012 -- 18:35:29 - <Info> - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
9/11/2012 -- 18:35:29 - <Info> - preallocated 1000 hosts of size 76
9/11/2012 -- 18:35:29 - <Info> - host memory usage: 207072 bytes, maximum: 16777216
9/11/2012 -- 18:35:29 - <Info> - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
9/11/2012 -- 18:35:29 - <Info> - preallocated 10000 flows of size 200
9/11/2012 -- 18:35:29 - <Info> - flow memory usage: 4097152 bytes, maximum: 33554432
9/11/2012 -- 18:35:29 - <Info> - using magic-file /usr/share/file/magic
9/11/2012 -- 18:35:29 - <Info> - Delayed detect disabled
9/11/2012 -- 18:35:31 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata/etc/rules/emerging-virus.rules: No such file or directory.
9/11/2012 -- 18:35:34 - <Info> - 44 rule files processed. 11959 rules successfully loaded, 0 rules failed
9/11/2012 -- 18:35:39 - <Info> - 11960 signatures processed. 727 are IP-only rules, 3663 are inspecting packet payload, 9182 inspect application layer, 0 are decoder event only
9/11/2012 -- 18:35:39 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
9/11/2012 -- 18:35:39 - <Info> - building signature grouping structure, stage 2: building source address list... complete
9/11/2012 -- 18:35:41 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
9/11/2012 -- 18:35:42 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/threshold.config": No such file or directory
9/11/2012 -- 18:35:42 - <Info> - Core dump size set to unlimited.
9/11/2012 -- 18:35:42 - <Info> - fast output device (regular) initialized: fast.log
9/11/2012 -- 18:35:42 - <Info> - Using 2 live device(s).
9/11/2012 -- 18:35:42 - <Info> - Unable to find pfring config for interface eth4, using default value or 1.0 configuration system.
/root/suricata/suricata.sh: line 3: 16144 Segmentation fault (core dumped) LD_LIBRARY_PATH=/opt/suricata/lib:/opt/pfring/lib /opt/suricata/bin/suricata --pfring-int=eth4 --pfring-int=eth5 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /opt/suricata/etc/suricata.yaml

Core: http://www.incorrect.org/core.7007.bz2

Configured: ./configure --prefix=/opt/suricata --enable-pfring --with-libpfring-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include

It runs without issue if I compile it without PF_RING support.

Actions

Also available in: Atom PDF