Snort mailing list archives
Re: Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
From: "Steven Baigal (sbaigal) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 20 Jan 2022 15:15:42 +0000
You are right, perf_monitor.base = false will disable reporting base stats. By the way, you can change the process affinity with process.thread configuration, and see if it makes any difference. An example can be found here: https://github.com/snort3/snort3_demo/blob/master/perf/3.0/common.lua

From: Meridoff <oagvozd () gmail com>
Date: Thursday, January 20, 2022 at 5:36 AM
To: Steven Baigal (sbaigal) <sbaigal () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)

Sure, will do that. But perfmon is disabled and does nothing, because perfmon.base=false. It doesn't collect statistics with such a setup, does it?

Wed, Jan 19, 2022, 19:50 Steven Baigal (sbaigal) <sbaigal () cisco com>:

Thanks for reporting the issue, could you share the backtrace from the crash?
Also, I noticed you have enabled perf_monitor, please specify which peg count from what module to limit output size, otherwise snort will try to collect all stats from all modules; when appid is enabled, the peg counts for each collection will exceed 3k+ for every thread. Try to comment out perf_monitor from your configuration to see if it will help.

Steven B.

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Wednesday, January 19, 2022 at 11:16 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)

Hello,

I have snort 3.1.20 running on 16-core CPU with 2 interfaces. Also good traffic goes through snort, and appid detects applications from it (as shown below in Statistics).

And snort randomly segfaults, also segfault and even GP occurred when snort disabled. If I configure number of threads to 8 or 4 or 2 - then all OK, no segfaults and snort runs OK. I think it is only when a lot of CPUs are used, and the number of ifaces is significantly less than the number of threads.

Segfaults are in:

1. During running: Inspector:add_ref() function, in
   lock add dword ptr [rax+rdx*4], 1
2. During stopping by sending SIGTERM: InspectorManager:thread_stop() after get_thread_local_plugin(). I think it is in the if ( phg.instance_initialized ), when phg is NULL or smth..

My config is next: (removed dofiles (magic and defaults))

HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/etc/snort/snort_defaults.lua")
dofile("/etc/snort/file_magic.lua")
references = default_references
classifications = default_classifications
output = { logdir="/var/log/snort/", show_year=true }
process = { daemon=true, chroot="/" }
-- ["-z"] = 0: packet thread count is taken from the number of CPU cores
snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true, ["-z"] = 0, ["--id-zero"] = true }
ips = { mode = "tap", enable_builtin_rules = false, variables = default_variables }
perf_monitor = { base = false, format = "text", max_file_size=100999999999 }
alerts = { order ="pass reset block drop alert log" }
binder = {
    { use = { type = "ssl" }, when = { service = "ssl" } },
    { use = { type = "http_inspect" }, when = { service = "http" } },
    { use = { type = "wizard" } }
}
wizard = default_wizard
stream = {}
stream_tcp = {}
stream_udp = {}
http_inspect = {}
ssl = {}
appid = { rna_conf_path = "/tmp/rna.conf", app_stats_rollover_size=0, app_detector_dir = "/var/cache/snort/openappid/" }
ips.mode = "tap"
daq = { module_dirs = { "/usr/lib/daq" } }
daq.inputs = {'eth0','eth2'}
daq.modules = { { name = 'afpacket', mode='passive' } }
daq.modules[1].variables = { 'debug' }

=====
Content of /tmp/rna.conf:
config Analyze 0.0.0.0/0 -1
=========================

Some statistics:

--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 10956
                 analyzed: 10940
              outstanding: 16
                    allow: 10940
                 rx_bytes: 3722585
--------------------------------------------------
codec
                    total: 10940        (100.000%)
                    other: 39           ( 0.356%)
                 discards: 3762         ( 34.388%)
                      arp: 87           ( 0.795%)
                      eth: 10940        (100.000%)
                    icmp4: 74           ( 0.676%)
                    icmp6: 258          ( 2.358%)
                     ipv4: 10720        ( 97.989%)
                     ipv6: 321          ( 2.934%)
            ipv6_hop_opts: 217          ( 1.984%)
                      llc: 8            ( 0.073%)
                      tcp: 8201         ( 74.963%)
                   teredo: 32           ( 0.293%)
                      udp: 1717         ( 15.695%)

Appid Statistics
--------------------------------------------------
detected apps and services
    Application:  Services  Clients  Users  Payloads  Misc  Referred
         dhcpv6:        14        0      0         0     0         0
            dns:         0       28      0         0     0         0
           http:         3        0      0         0     0         0
            ntp:        24        0      0         0     0         0
          https:        21        0      0         0     0         0
           mdns:        14        0      0         0     0         0
       telegram:         0      108      0         0     0         0
 dns_over_https:       129        0      0         0     0         0
        unknown:       755        0      0        24     0         0
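The two suggestions made in the replies above (limit perf_monitor to named modules and pegs, and pin packet threads to cores), sketched as a snort.lua fragment. This is an added example, not configuration from the thread or from the linked snort3_demo file. It assumes the Snort 3 `perf_monitor.modules[]` and `process.threads[]` options; the thread count of 8 and the peg names are illustrative choices.

```lua
-- Added example: place after the existing `snort = {...}` and
-- `process = {...}` lines of the posted config.

-- Explicit packet-thread count (illustrative). The posted config uses
-- ["-z"] = 0, which takes the count from the number of CPU cores, so the
-- number of threads to pin would not be known when this file is read.
local packet_threads = 8

snort = snort or {}
snort["-z"] = packet_threads

-- Pin packet thread i to core i, so each packet thread has its own core
-- and a crash can be tied to a fixed thread/core pair between runs.
process = process or {}
process.threads = {}
for i = 0, packet_threads - 1 do
    process.threads[#process.threads + 1] =
        { thread = i, cpuset = tostring(i) }
end

-- Report only named pegs from named modules instead of every counter of
-- every module. Peg names here are assumed; confirm them for the installed
-- build with `snort --help-counts appid` before relying on them.
perf_monitor =
{
    base = true,
    format = "text",
    modules =
    {
        { name = "appid",      pegs = "packets processed_packets" },
        { name = "stream_tcp", pegs = "sessions" },
    },
}
```

Changing `packet_threads` between runs (2, 4, 8, 16) with pinning in place gives a repeatable way to find the thread count at which the crash first appears.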