Bug #14898
Suricata core dumps with signal 11
Status: closed
Added by Marcos M about 1 year ago. Updated 11 months ago.
% Done: 100%
Description
I installed Suricata on a system with previous config using Legacy Mode, Enable/Disable/Drop SID lists. After attempting to start it without performing other actions, it crashed:
Oct 19 10:38:12 kernel pid 18065 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
I then went to Services > Suricata > SID Management, checked Rebuild, and saved. That caused it to rebuild, but it crashed again (log reversed):
Oct 19 10:44:20 kernel pid 38878 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
Oct 19 10:44:20 php 31813 [Suricata] Suricata START for WAN...
Oct 19 10:44:19 php 31813 [Suricata] Building new sid-msg.map file for ISP1...
Oct 19 10:44:19 php 31813 [Suricata] Enabling any flowbit-required rules for: ISP1...
Oct 19 10:44:17 php 31813 [Suricata] Updating rules configuration for: ISP1 ...
Oct 19 10:44:16 php-fpm 410 Starting Suricata on ISP1 per user request...
Manually starting it again then succeeded (and continued to work after rebooting):
root 58585 0.2 7.2 651116 596984 - Ss 10:47 1:04.36 |-- /usr/local/bin/suricata -i vmx1 -D -c /usr/local/etc/suricata/suricata_41734_vmx1/suricata.yaml --pidfile /var/run/suricata_vmx141734.pid
Files
coredump.7z (644 KB) | Marcos M, 10/19/2023 04:55 PM
suricata.zip (1.8 MB) | Marcos M, 10/31/2023 11:33 PM
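A check an operator could run over the system log to catch the failure this report describes, where Suricata is started and the kernel logs a signal 11 exit for it moments later. This is an added example, not part of the original report or of the pfSense package; the function names, the 30-second window and the year (syslog lines carry none) are assumptions, and the sample lines are copied from the log excerpts in the description above.

```python
import re
from datetime import datetime

# Sample input: system log lines quoted in the report above, newest first,
# which is the order the report says the log was shown in ("log reversed").
SAMPLE_LOG = """\
Oct 19 10:44:20 kernel pid 38878 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
Oct 19 10:44:20 php 31813 [Suricata] Suricata START for WAN...
Oct 19 10:44:19 php 31813 [Suricata] Building new sid-msg.map file for ISP1...
Oct 19 10:44:16 php-fpm 410 Starting Suricata on ISP1 per user request...
Oct 19 10:38:12 kernel pid 18065 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
"""

STAMP = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (.*)$")
CRASH = re.compile(r"kernel pid (\d+) \(suricata\), jid \d+, uid \d+: "
                   r"exited on signal (\d+)( \(core dumped\))?")
START = re.compile(r"\[Suricata\] Suricata START for (.+?)\.\.\.")


def parse_events(text, year):
    """Return (timestamp, kind, data) tuples for Suricata starts and signal exits."""
    events = []
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue
        mon, day, clock, rest = m.groups()
        # Assumption: the caller supplies the year, since syslog omits it.
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        crash, start = CRASH.search(rest), START.search(rest)
        if crash:
            events.append((ts, "crash", {"pid": int(crash.group(1)),
                                         "signal": int(crash.group(2)),
                                         "core": crash.group(3) is not None}))
        elif start:
            events.append((ts, "start", {"interface": start.group(1)}))
    return events


def find_crashes(text, year=2023, window_s=30):
    """List every Suricata signal exit, oldest first, flagging crash-on-start."""
    events = parse_events(text, year)
    starts = [(ts, d) for ts, kind, d in events if kind == "start"]
    report = []
    # Sort by time so reversed (newest-first) input is handled the same way.
    for ts, kind, data in sorted(events, key=lambda e: e[0]):
        if kind != "crash":
            continue
        # Syslog has one-second resolution, so a start in the same second counts.
        near = [(ts - s_ts, d) for s_ts, d in starts
                if 0 <= (ts - s_ts).total_seconds() <= window_s]
        delay, started = min(near, key=lambda n: n[0]) if near else (None, None)
        report.append({
            **data,
            "time": ts,
            "crash_on_start": started is not None,
            "interface": started["interface"] if started else None,
            # timedelta(0) is falsy, so compare against None explicitly.
            "seconds_after_start": delay.total_seconds() if delay is not None else None,
        })
    return report


if __name__ == "__main__":
    for c in find_crashes(SAMPLE_LOG):
        print(c["time"], "pid", c["pid"], "signal", c["signal"],
              "crash-on-start" if c["crash_on_start"] else "no start seen in window")
```

A crash flagged as crash-on-start means the interface is running without inspection even though a start was just requested, which is the condition worth alerting on.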
Updated by Marcos M about 1 year ago
- File suricata.zip added
This time it continued to crash after an update to the latest 23.09 snap. It seems to be related to the existence of a VIP.
With the IP Alias VIP 2001:db8:db8:ccc::a/128:
# ifconfig
[23.09-RELEASE][root@]/root: ifconfig lo0
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0x0
    inet 172.25.0.1 netmask 0xffffffff
    inet 169.254.1.1 netmask 0xffffffff
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:db8:5::40 prefixlen 128
    inet6 2001:db8:db8:ccc::a prefixlen 128
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# System log (reversed)
Oct 31 17:13:42 kernel pid 55419 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
Oct 31 17:13:42 php 79817 [Suricata] Suricata START for WAN(vmx1)...
Oct 31 17:13:41 php 79817 [Suricata] Building new sid-msg.map file for ISP1...
Oct 31 17:13:41 php 79817 [Suricata] Enabling any flowbit-required rules for: ISP1...
Oct 31 17:13:39 php 79817 [Suricata] Updating rules configuration for: ISP1 ...
Oct 31 17:13:38 php-fpm 39469 Starting Suricata on ISP1(vmx1) per user request...

# Suricata log
[104147 - Suricata-Main] 2023-10-31 17:13:42 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[104147 - Suricata-Main] 2023-10-31 17:13:42 Info: cpu: CPUs/cores online: 4
[104147 - Suricata-Main] 2023-10-31 17:13:42 Info: suricata: Setting engine mode to IDS mode by default
[104147 - Suricata-Main] 2023-10-31 17:13:42 Info: app-layer-htp-mem: HTTP memcap: 67108864
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0 IPv4 address 10.0.1.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx1 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:b189 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx1 IPv4 address 192.168.100.2 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx2 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx2 IPv4 address 192.168.1.253 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx2 IPv6 address fd6d:2aa9:fc80:0000:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx2 IPv6 address 2001:0db8:0003:39c5:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address 2001:0db8:0db8:0005:0000:0000:0000:0040 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv4 address 172.25.0.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv4 address 169.254.1.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address 2001:0db8:0db8:0ccc:0000:0000:0000:000a to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.5 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.5 IPv4 address 10.0.5.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.5 IPv6 address 2001:0db8:0db8:0005:0005:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.10 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.10 IPv4 address 10.0.10.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.10 IPv6 address 2001:0db8:0db8:0010:0010:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.20 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.20 IPv4 address 10.0.20.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.20 IPv6 address 2001:0db8:0db8:0020:0020:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.50 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.50 IPv4 address 10.0.50.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.50 IPv6 address 2001:0db8:0db8:0050:0050:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.100 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.100 IPv4 address 10.0.100.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.100 IPv6 address 2001:0db8:0db8:0100:0100:0000:0000:0001 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.6 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface vmx0.6 IPv4 address 172.21.96.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface gif0 IPv6 address 2001:0db8:0001:0476:0000:0000:0000:0002 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface gif0 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpns1 IPv4 address 172.25.1.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpnc2 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpnc2 IPv4 address 172.27.114.161 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpnc2 IPv6 address 2001:0db8:0002:f114:0000:0000:0000:101f to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpnc3 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface ovpnc3 IPv4 address 172.17.5.2 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Adding firewall interface tun_wg0 IPv4 address 172.25.200.1 to automatic interface IP Pass List.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_41734_vmx1/passlist.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_41734_vmx1/passlist processed: Total entries parsed: 58, IP addresses/netblocks/aliases added to No Block list: 46, IP addresses/netblocks ignored because they were covered by existing entries: 12.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses.
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=yes passlist-debugging=no
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: logopenfile: fast output device (regular) initialized: alerts.log
[100259 - Suricata-Main] 2023-10-31 17:13:42 Info: logopenfile: http-log output device (regular) initialized: http.log
[112965 - ] 2023-10-31 17:13:42 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started.
After removing the VIP, it then starts:
# REMOVE VIP
Oct 31 17:15:09 check_reload_status 1389 Reloading filter
Oct 31 17:15:09 check_reload_status 1389 Syncing firewall
Oct 31 17:15:09 php-fpm 39469 /firewall_virtual_ip.php: Configuration Change: admin@10.0.5.50 (Local Database): Deleted a virtual IP.

# ifconfig
[23.09-RELEASE][root@gw.marc05.net]/root: ifconfig lo0
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0x0
    inet 172.25.0.1 netmask 0xffffffff
    inet 169.254.1.1 netmask 0xffffffff
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:db8:5::40 prefixlen 128
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# System log (reversed)
Oct 31 17:15:58 php 13505 [Suricata] Suricata START for WAN(vmx1)...
Oct 31 17:15:57 php 13505 [Suricata] Building new sid-msg.map file for ISP1...
Oct 31 17:15:57 php 13505 [Suricata] Enabling any flowbit-required rules for: ISP1...
Oct 31 17:15:55 php 13505 [Suricata] Updating rules configuration for: ISP1 ...
Oct 31 17:15:55 php-fpm 47233 Starting Suricata on ISP1(vmx1) per user request...

# Suricata log
[100271 - Suricata-Main] 2023-10-31 17:15:58 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[100271 - Suricata-Main] 2023-10-31 17:15:58 Info: cpu: CPUs/cores online: 4
[100271 - Suricata-Main] 2023-10-31 17:15:58 Info: suricata: Setting engine mode to IDS mode by default
[100271 - Suricata-Main] 2023-10-31 17:15:58 Info: app-layer-htp-mem: HTTP memcap: 67108864
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0 IPv4 address 10.0.1.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx1 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:b189 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx1 IPv4 address 192.168.100.2 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx2 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx2 IPv4 address 192.168.1.253 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx2 IPv6 address fd6d:2aa9:fc80:0000:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx2 IPv6 address 2001:0db8:0003:39c5:0250:56ff:feb2:d46f to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv6 address 2001:0db8:0db8:0005:0000:0000:0000:0040 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv4 address 172.25.0.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface lo0 IPv4 address 169.254.1.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.5 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.5 IPv4 address 10.0.5.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.5 IPv6 address 2001:0db8:0db8:0005:0005:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.10 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.10 IPv4 address 10.0.10.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.10 IPv6 address 2001:0db8:0db8:0010:0010:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.20 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.20 IPv4 address 10.0.20.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.20 IPv6 address 2001:0db8:0db8:0020:0020:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.50 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.50 IPv4 address 10.0.50.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.50 IPv6 address 2001:0db8:0db8:0050:0050:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.100 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.100 IPv4 address 10.0.100.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.100 IPv6 address 2001:0db8:0db8:0100:0100:0000:0000:0001 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.6 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface vmx0.6 IPv4 address 172.21.96.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface gif0 IPv6 address 2001:0db8:0001:0476:0000:0000:0000:0002 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface gif0 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpns1 IPv4 address 172.25.1.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpnc2 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpnc2 IPv4 address 172.27.114.161 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpnc2 IPv6 address 2001:0db8:0002:f114:0000:0000:0000:101f to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpnc3 IPv6 address fe80:0000:0000:0000:0250:56ff:feb2:8560 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface ovpnc3 IPv4 address 172.17.5.2 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Adding firewall interface tun_wg0 IPv4 address 172.25.200.1 to automatic interface IP Pass List.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_41734_vmx1/passlist.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_41734_vmx1/passlist processed: Total entries parsed: 57, IP addresses/netblocks/aliases added to No Block list: 46, IP addresses/netblocks ignored because they were covered by existing entries: 11.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses.
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=yes passlist-debugging=no
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: logopenfile: fast output device (regular) initialized: alerts.log
[104141 - Suricata-Main] 2023-10-31 17:15:58 Info: logopenfile: http-log output device (regular) initialized: http.log
[113902 - ] 2023-10-31 17:15:58 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started.
[104141 - Suricata-Main] 2023-10-31 17:16:02 Info: detect-parse: Rule with ID 2026440 is bidirectional, but source and destination are the same, treating the rule as unidirectional
New core dump is attached.
Updated by Bill Meeks about 1 year ago
Thank you Marcos for the hint about the VIP. I am investigating. The crash is happening within a portion of the custom Legacy Blocking Mode plugin used on pfSense (via a custom patch) where a thread is created to subscribe to and monitor system routing messages so Suricata is aware of any firewall interface IP changes and therefore will not block them.
Updated by Bill Meeks about 1 year ago
I have not been able to reliably reproduce this crash, but I am testing on pfSense 2.7.0 CE with the latest Suricata 7.0.2 binary from upstream and not on pfSense Plus 23.09 as Marcos did. I can add and remove a virtual IP from pfSense without producing a crash during the operation. I tested adding the exact same IPv6 address as noted above to the localhost interface. I can see the kernel socket routing messages logged in the suricata.log file as expected when I add or delete the virtual IP on the interface. So, I'm not sure now my original hypothesis is valid.
Here is a log snippet showing the automatic firewall interface IP address monitoring thread sensing the addition of a virtual IP to a firewall interface from the option under FIREWALL > VIRTUAL IPs and then updating the internal automatic interface Pass List within the custom blocking module:
[100389 - ] 2023-11-09 14:18:47 Info: alert-pf: Received notification of IP address change on firewall interface lo0.
[100389 - ] 2023-11-09 14:18:47 Info: alert-pf: Added address 2001:0db8:0db8:0ccc:0000:0000:0000:000a to automatic firewall interface IP Pass List.
During another unrelated operation, my running Suricata instance on the test firewall did crash with a Signal 11 core dump. That dump indicated the crash occurred in the DatasetsInit() function, but the binary I was using was not built with debugging enabled and so there was no further helpful information. I've since compiled a 7.0.2 binary with debugging enabled and am letting it run hoping for another crash so I can examine the core file for a clue. This certainly appears to be somewhat random. At least two or three other users have reported similar Signal 11 Suricata crashes with the latest update.
Updated by Bill Meeks about 1 year ago
I may have found the culprit here (quite by accident I will admit). I think this commit by Kristof Provost might have fixed the Signal 11:
I stumbled across it while trying to figure out why my diff patch for some changes I was making to the Legacy Blocking Mode custom plugin was seemingly omitting some code I had never seen when creating a Pull Request on the FreeBSD-ports repo of pfSense. Turns out Kristof made the change last week. I was not aware of the change and continued to work with my own private copy of the full source file for the custom blocking plugin. I have synced my full source file with Kristof's changes so we are good going forward.
Please retest this scenario after I post the Suricata 7.0.2 package to the DEVEL snapshots branch.
Updated by Kris Phillips about 1 year ago
- Status changed from New to Confirmed
Users on the forums seem to have worked around the issue and seem to believe it's a Hyperscan issue.
https://forum.netgate.com/topic/183878/after-upgrade-to-pf-23-09-surricata-says-it-s-starting-but
Seems we have enough information to confirm this is an issue, so I'm marking this as Confirmed.
Updated by Bill Meeks about 1 year ago
Kris Phillips wrote in #note-5:
Users on the forums seem to have worked around the issue and seem to believe it's a Hyperscan issue.
https://forum.netgate.com/topic/183878/after-upgrade-to-pf-23-09-surricata-says-it-s-starting-but
Seems we have enough information to confirm this is an issue, so I'm marking this as Confirmed.
No, let's be careful here not to confuse the two. There are two separate bugs that produce two different types of failure.
The Hyperscan bug is an erroneous Fatal Error call made by the Suricata binary in response to the Hyperscan library failing to compile certain pattern matcher patterns. That bug was fixed in Suricata binary version 7.0.1 upstream. The fix made upstream changes the internal Suricata code so that instead of calling its internal FatalErrorExit() function, it simply logs the failure to compile in suricata.log and then continues on ignoring just that particular pattern that failed to compile in Hyperscan. The 7.0.2 Suricata binary containing this upstream fix is in the pfSense 23.09 repo and awaiting package build and deployment.
The other problem causing the Signal 11 is potentially an issue around recent changes in the custom blocking plugin to accommodate libpfctl enhancements in FreeBSD. This bug is also manifesting in the Snort package because the custom blocking plugin used in the two packages shares much common code. The Signal 11 bug is still being actively investigated. I have experienced the bug three times now over the last 2 days testing on a CE 2.7.0-RELEASE machine. Unfortunately the actual cause has not been identified yet, but I'm searching. It takes a bit for the bug to trigger (an hour and sometimes many hours). That's why I initially had difficulty reproducing it.
Updated by Bill Meeks about 1 year ago
This bug has likely been traced to the particular version of the libpfctl library bundled with pfSense CE 2.7.0, 2.7.1, and pfSense Plus 23.09. A fix for the libpfctl library package was submitted by its maintainer here: https://github.com/pfsense/FreeBSD-ports/commit/36019faf7b771be00808b184eda565f346c5ed5b.
Some additional code cleanup was done in the Suricata custom output plugin used on pfSense to implement Legacy Blocking Mode. The pull request containing those code fixes is awaiting review and merge here: https://github.com/pfsense/FreeBSD-ports/pull/1325.
After these changes are all merged and new packages are built, final confirmation testing can be performed.
Updated by Bill Meeks 12 months ago
Pull request 1333 for the RELENG_2_7_2 branch of FreeBSD-ports has been submitted to address this issue.
Updated by Jim Pingle 12 months ago
- Status changed from Confirmed to Resolved
- % Done changed from 0 to 100
PRs merged, thanks!
Updated by Bill Meeks 11 months ago
Additional update for this issue for a complete history:
Two additional heap memory buffer overflow bugs were recently discovered in the custom Legacy Blocking Module code used with Suricata on pfSense. Those memory overflows were found during testing with the llvm ASAN tool enabled. It is highly likely these memory buffer overflows contributed to the Hyperscan bug and to other Signal 11 segfault bugs (including the one described in this issue) experienced when using Legacy Blocking Mode with Suricata 7.x. The newly identified bugs were fixed in this pull request: https://github.com/pfsense/FreeBSD-ports/pull/1337.