Re: Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)

[Meridoff via Snort-devel <snort-devel () lists snort org>]

Sure, will do that.
But perfmon  is disabled,and do nothing, because perfmon.base=false.
It doesn't collect statistics with such setup, isn't it?

ср, 19 янв. 2022 г., 19:50 Steven Baigal (sbaigal) <sbaigal () cisco com>:

> Thanks for reporting the issue, could you share the backtrace from the
> crash?
>
> Also, I noticed you have enabled perf_monitor, please specify which peg
> count from what module to limit output size, otherwise snort will try to
> collect all stats from all modules, when appid is enabled, the peg counts
> for each collection will exceed 3k+ for every thread. Try to comment out
> perf_monitor from your configuration to see if it will help.
>
>
>
> Steven B.
>
>
>
> *From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of
> Meridoff via Snort-devel <snort-devel () lists snort org>
> *Date: *Wednesday, January 19, 2022 at 11:16 AM
> *To: *snort-devel () lists snort org <snort-devel () lists snort org>
> *Subject: *[Snort-devel] Snort 3.1.20: segfault when 16-core cpu, 2
> interfaces and inspector appid (with stream/ssl/http)
>
> Hello, I have snort 3.1.20 running on 16-core CPU with 2 interfaces.
>
> Also good traffic goes through snort, and appid detect applications from
> it (as shown below in Statistics)
>
> And  snort randomly does segfalts, also segfault and even GP occurred when
> snort disabled.
>
> If I configure number of threads to 8 or 4 or 2 - then all * OK*, no
> segfaults and snort runs OK.
>
>
>
> I think it is only when a lot of CPUs used. And number of ifaces
> significantly less then number of threads.
>
>
>
> Segfaults are in
>
> 1. During running: *Inspector:add_ref() *function in  * lock add dword
> ptr [rax+rdx*4], 1*
>
> 2. During stopping by sending SIGTERM: InspectorManager:thread_stop()
>
> after* get_thread_local_plugin(). *I think it in the* if (
> phg.instance_initialized ) ,* when *phg* is NULL or smth..
>
>
>
> *My config is next:*
>
> (removed dofiles (magic and defaults))
>
> HOME_NET = "any"
>
> EXTERNAL_NET = "any"
>
> dofile("/etc/snort/snort_defaults.lua")
>
> dofile(""/etc/snort/file_magic.lua")
>
> references = default_references
> classifications = default_classifications
> output = { logdir="/var/log/snort/", show_year=true}
> process = { daemon=true, chroot="/" }
> snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true,
>         ["-z"] = 0, ["--id-zero"] = true}
> ips = { mode = "tap", enable_builtin_rules = false, variables =
> default_variables }
> perf_monitor = { base = false, format = "text", max_file_size=100999999999
> }
> alerts = { order ="pass reset block drop alert log" }
> binder={
>
> {use = { type = "ssl" }, when = { service = "ssl" }},
>
> { use = { type = "http_inspect" }, when = { service = "http" } },
>
> { use = { type = "wizard" } }
>
> }
> wizard = default_wizard
> stream={}
> stream_tcp={}
> stream_udp={}
> http_inspect={}
> ssl={}
> appid = { rna_conf_path = "/tmp/rna.conf",  app_stats_rollover_size=0,
> app_detector_dir = "/var/cache/snort/openappid/" }
>
> ips.mode="tap"
> daq = { module_dirs = { "/usr/lib/daq" } }
> daq.inputs = {'eth0','eth2'}
> daq.modules = { { name = 'afpacket', mode='passive' } }
> daq.modules[1].variables = { 'debug'}
>
>
>
> =====
>
> Content of /tmp/rna.conf:
>
>
>
> config Analyze 0.0.0.0/0 -1
>
>
>
> =========================
>
> *Some statistics:*
>
>
>
> --------------------------------------------------
> Packet Statistics
> --------------------------------------------------
> daq
>                  received: 10956
>                  analyzed: 10940
>               outstanding: 16
>                     allow: 10940
>                  rx_bytes: 3722585
> --------------------------------------------------
> codec
>                     total: 10940       #011(100.000%)
>                     other: 39          #011(  0.356%)
>                  discards: 3762        #011( 34.388%)
>                       arp: 87          #011(  0.795%)
>                       eth: 10940       #011(100.000%)
>                     icmp4: 74          #011(  0.676%)
>                     icmp6: 258         #011(  2.358%)
>                      ipv4: 10720       #011( 97.989%)
>                      ipv6: 321         #011(  2.934%)
>             ipv6_hop_opts: 217         #011(  1.984%)
>                       llc: 8           #011(  0.073%)
>                       tcp: 8201        #011( 74.963%)
>                    teredo: 32          #011(  0.293%)
>                       udp: 1717        #011( 15.695%)
>
>
>
> Appid Statistics
>
> --------------------------------------------------
> detected apps and services
>               Application: Services   Clients    Users      Payloads
> Misc       Referred
>                    dhcpv6: 14         0          0          0          0
>        0
>                       dns: 0          28         0          0          0
>        0
>                      http: 3          0          0          0          0
>        0
>                       ntp: 24         0          0          0          0
>        0
>                     https: 21         0          0          0          0
>        0
>                      mdns: 14         0          0          0          0
>        0
>                  telegram: 0          108        0          0          0
>        0
>            dns_over_https: 129        0          0          0          0
>        0
>                   unknown: 755        0          0          24         0
>        0
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!