
Suricata bypass rule lead to segfault

Open dsjkee opened this issue 5 years ago • 7 comments

Hi Team, I use the latest SELKS version (5.0) and Suricata (5.0.0-dev (rev 69d0d484e)) in IPS mode (af_packet), and ran into a problem: after adding a bypass rule to Suricata, a segfault appears:

[1672076.320163] W#02-ens192[23770]: segfault at 40 ip 0000561353bee7c8 sp 00007f57f50e3560 error 4 in suricata[561353b57000+47f000]

The rule, for example, is this:

alert ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002; ip_proto:47; noalert; bypass;)

The same problem was resolved here https://redmine.openinfosecfoundation.org/issues/2953, but I cannot upgrade Suricata from the Stamus default package (http://packages.stamus-networks.com/selks5/debian stretch/main amd64 Packages).

I need to ignore (bypass) GRE traffic.

How can I resolve this problem?

dsjkee avatar Feb 08 '20 06:02 dsjkee

I will generate, test and upload the latest Suricata dev version soon (will ping you); it would be awesome if you could try it out.

Out of curiosity, if you try

pass ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002; ip_proto:47; noalert; bypass;)

would you still have the issue?

pevma avatar Feb 08 '20 09:02 pevma
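A small rule linter for the situation in this thread, added here as an example (it is not SELKS or Suricata code): it parses a rule while respecting the quoted msg, flags an option that lacks the ':' before its value, flags the alert+noalert+bypass combination, and rewrites such a rule into the pass form pevma suggests above. The sample rule and the small keyword subset in NEEDS_VALUE are assumptions.

```python
import re

# Constructed sample, in the shape of the rules discussed in this thread
# (the missing ':' after ip_proto is deliberate, to exercise the linter).
BROKEN_RULE = ('alert ip any any <> any any (msg:"pass all service traffic GRE"; '
               'sid:1000002;ip_proto 47;noalert;bypass;)')

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Assumption: a small subset of keywords that always take a value.
NEEDS_VALUE = {"msg", "sid", "rev", "ip_proto", "content"}

def split_options(body):
    """Split on ';' outside double quotes (a msg value may itself contain ';')."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def parse_rule(rule):
    """Return header fields plus a list of (keyword, value-or-None) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule: " + rule)
    *hdr, body = m.groups()
    opts = []
    for o in split_options(body):
        k, sep, v = o.partition(":")
        opts.append((k.strip(), v.strip() if sep else None))
    return dict(zip(["action", "proto", "src", "sp", "dir", "dst", "dp"], hdr), options=opts)

def lint_rule(rule):
    """Findings a reviewer would raise before loading the rule on a sensor."""
    r, findings = parse_rule(rule), []
    keys = [k for k, _ in r["options"]]
    for k, v in r["options"]:
        if v is None and k.split(" ")[0] in NEEDS_VALUE:
            findings.append(f"'{k}': missing ':' between keyword and value")
    if r["action"] == "alert" and "noalert" in keys and "bypass" in keys:
        findings.append("alert+noalert+bypass: a 'pass' rule expresses the same intent")
    return findings

def to_pass_rule(rule):
    """Rewrite as the 'pass' form, dropping noalert and repairing a missing ':'."""
    r, fixed = parse_rule(rule), []
    for k, v in r["options"]:
        if v is None and " " in k and k.split(" ")[0] in NEEDS_VALUE:
            k, v = k.split(" ", 1)
        if k != "noalert":
            fixed.append(k if v is None else f"{k}:{v}")
    return f'pass {r["proto"]} {r["src"]} {r["sp"]} {r["dir"]} {r["dst"]} {r["dp"]} ({"; ".join(fixed)};)'
```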

Also, did you follow the guide here: https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS ?

pevma avatar Feb 10 '20 11:02 pevma

> Also, did you follow the guide here: https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS ?

Yes, of course. I have set up Suricata a few times, but this problem appeared only once.

dsjkee avatar Feb 11 '20 15:02 dsjkee

> I will generate, test and upload the latest Suricata dev version soon (will ping you); it would be awesome if you could try it out.
>
> Out of curiosity, if you try
>
> pass ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002; ip_proto:47; noalert; bypass;)
>
> would you still have the issue?

Sorry for the late answer (email notification was disabled). The rule

pass ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002; ip_proto:47; noalert; bypass;)

doesn't help: GRE packets aren't ignored, and are sometimes dropped.

dsjkee avatar Feb 11 '20 15:02 dsjkee

How about if you remove the noalert from the rule?

pevma avatar Feb 11 '20 16:02 pevma

> How about if you remove the noalert from the rule?

Doesn't work (( Now apt-get install suricata outputs:

The following packages have unmet dependencies:
 suricata : Depends: python3-yaml but it is not installable
E: Unable to correct problems, you have held broken packages

dsjkee avatar Feb 14 '20 16:02 dsjkee

What is the full output of selks-health-check_stamus?

pevma avatar Feb 16 '20 16:02 pevma