Snort mailing list archives
Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Wed, 19 Jan 2022 19:15:02 +0300
Hello, I have Snort 3.1.20 running on a 16-core CPU with 2 interfaces.
Also, good traffic goes through snort, and appid detects applications from it
(as shown below in Statistics).
And snort randomly segfaults; a segfault and even a GP also occurred when
snort disabled.
If I configure the number of threads to 8 or 4 or 2, then all is *OK*: no
segfaults and snort runs OK.
I think it is only when a lot of CPUs are used, and the number of ifaces is
significantly less than the number of threads.
Segfaults are in:
1. During running: the Inspector:add_ref() function, in: lock add dword ptr [rax+rdx*4], 1
2. During stopping by sending SIGTERM: InspectorManager:thread_stop(), after get_thread_local_plugin(). I think it is in the if ( phg.instance_initialized ), when phg is NULL or smth.
My config is next:
(removed dofiles (magic and defaults))
HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/etc/snort/snort_defaults.lua")
dofile("/etc/snort/file_magic.lua")
references = default_references
classifications = default_classifications
output = { logdir="/var/log/snort/", show_year=true}
process = { daemon=true, chroot="/" }
snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true,
["-z"] = 0, ["--id-zero"] = true}
ips = { mode = "tap", enable_builtin_rules = false, variables =
default_variables }
perf_monitor = { base = false, format = "text", max_file_size=100999999999 }
alerts = { order ="pass reset block drop alert log" }
binder={
{use = { type = "ssl" }, when = { service = "ssl" }},
{ use = { type = "http_inspect" }, when = { service = "http" } },
{ use = { type = "wizard" } }
}
wizard = default_wizard
stream={}
stream_tcp={}
stream_udp={}
http_inspect={}
ssl={}
appid = { rna_conf_path = "/tmp/rna.conf", app_stats_rollover_size=0,
app_detector_dir = "/var/cache/snort/openappid/" }
ips.mode="tap"
daq = { module_dirs = { "/usr/lib/daq" } }
daq.inputs = {'eth0','eth2'}
daq.modules = { { name = 'afpacket', mode='passive' } }
daq.modules[1].variables = { 'debug'}
=====
Content of /tmp/rna.conf:
config Analyze 0.0.0.0/0 -1
=========================
*Some statistics:*
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 10956
analyzed: 10940
outstanding: 16
allow: 10940
rx_bytes: 3722585
--------------------------------------------------
codec
total:         10940 (100.000%)
other:            39 (  0.356%)
discards:       3762 ( 34.388%)
arp:              87 (  0.795%)
eth:           10940 (100.000%)
icmp4:            74 (  0.676%)
icmp6:           258 (  2.358%)
ipv4:          10720 ( 97.989%)
ipv6:            321 (  2.934%)
ipv6_hop_opts:   217 (  1.984%)
llc:               8 (  0.073%)
tcp:            8201 ( 74.963%)
teredo:           32 (  0.293%)
udp:            1717 ( 15.695%)
Appid Statistics
--------------------------------------------------
detected apps and services
Application:     Services  Clients  Users  Payloads  Misc  Referred
dhcpv6:                14        0      0         0     0         0
dns:                    0       28      0         0     0         0
http:                   3        0      0         0     0         0
ntp:                   24        0      0         0     0         0
https:                 21        0      0         0     0         0
mdns:                  14        0      0         0     0         0
telegram:               0      108      0         0     0         0
dns_over_https:       129        0      0         0     0         0
unknown:              755        0      0        24     0         0
