(gdb) bt #0 0x00000008029a4454 in exit () from /lib/libc.so.7 #1 0x0000000000e9bbb9 in HSScan (ctx=, thread_ctx=, haystack=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", haystack_len=) at util-spm-hs.c:156 #2 0x0000000000c8319e in AppLayerProtoDetectPMMatchSignature (s=0x80322d4e0, tctx=0x832d22080, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, flags=, searchlen=, rflow=) at app-layer-detect-proto.c:215 #3 PMGetProtoInspect (tctx=0x832d22080, pm_ctx=0x1f12c80 , mpm_tctx=, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=buflen@entry=95, flags=5 '\005', pm_results=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:296 #4 0x0000000000c795c8 in AppLayerProtoDetectPMGetProto (tctx=, f=f@entry=0x806648a80, buf=, buflen=buflen@entry=95, flags=flags@entry=5 '\005', pm_results=pm_results@entry=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:344 #5 0x0000000000c78731 in AppLayerProtoDetectGetProto (tctx=, f=f@entry=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, ipproto=ipproto@entry=6 '\006', flags=flags@entry=5 '\005', reverse_flow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:1433 #6 0x0000000000c69296 in TCPProtoDetect (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, app_tctx=app_tctx@entry=0x832d21100, p=p@entry=0x838c33200, f=f@entry=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:371 #7 0x0000000000c68c6d in AppLayerHandleTCPData (tv=tv@entry=0x80d8e0600, 
ra_ctx=ra_ctx@entry=0x832a00020, p=p@entry=0x838c33200, f=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:709 #8 0x0000000000b62905 in ReassembleUpdateAppLayer (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x7fffdf3f7c68, p=0x838c33200, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1328 #9 StreamTcpReassembleAppLayer (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x8338d5e20, p=p@entry=0x838c33200, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1391 #10 0x0000000000b64879 in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5e20, p=0x838c33200) at stream-tcp-reassemble.c:1949 #11 StreamTcpReassembleHandleSegment (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5d90, p=0x838c33200) at stream-tcp-reassemble.c:1997 #12 0x0000000000b9c789 in HandleEstablishedPacketToClient (tv=0x82e14bc4, tv@entry=0x80d8e0600, ssn=0x0, ssn@entry=0x8338d5d80, p=0x0, p@entry=0x838c33200, stt=0xe50a5969d84bc43d, stt@entry=0x832d60000) at stream-tcp.c:2811 #13 0x0000000000b7aa4d in StreamTcpPacketStateEstablished (tv=0x80d8e0600, p=0x838c33200, stt=0x832d60000, ssn=0x8338d5d80) at stream-tcp.c:3223 #14 StreamTcpStateDispatch (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, ssn=ssn@entry=0x8338d5d80, state=) at stream-tcp.c:5236 #15 0x0000000000b766c0 in StreamTcpPacket (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, pq=) at stream-tcp.c:5433 #16 0x0000000000b82781 in StreamTcp (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, data=0x832d60000, pq=pq@entry=0x832d18030) at stream-tcp.c:5745 #17 0x0000000000d53774 in FlowWorkerStreamTCPUpdate (tv=0x1, 
tv@entry=0x80d8e0600, fw=fw@entry=0x832d18000, p=p@entry=0x838c33200, detect_thread=detect_thread@entry=0x8338d7000, timeout=false) at flow-worker.c:391 #18 0x0000000000d52f4a in FlowWorker (tv=0x80d8e0600, p=0x838c33200, data=0x832d18000) at flow-worker.c:607 #19 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0600, p=0x838c33200, slot=0x8066db440) at tm-threads.c:135 #20 TmThreadsSlotVar (td=0x80d8e0600) at tm-threads.c:471 #21 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #22 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf3f8000 (gdb) bt full #0 0x00000008029a4454 in exit () from /lib/libc.so.7 No symbol table info available. #1 0x0000000000e9bbb9 in HSScan (ctx=, thread_ctx=, haystack=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", haystack_len=) at util-spm-hs.c:156 sctx = 0x80326fe00 scratch = match_offset = 18446744073709551615 err = #2 0x0000000000c8319e in AppLayerProtoDetectPMMatchSignature (s=0x80322d4e0, tctx=0x832d22080, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, flags=, searchlen=, rflow=) at app-layer-detect-proto.c:215 sbuf = 0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n" ssearchlen = 56415 found = direction = rdir = r = #3 PMGetProtoInspect (tctx=0x832d22080, pm_ctx=0x1f12c80 , mpm_tctx=, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=buflen@entry=95, flags=5 '\005', pm_results=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:296 proto = s = 0x80322d4e0 cnt = 0 pm_results_bf = "\000\000\000\000" pm_matches = 0 searchlen = 17 search_cnt = #4 0x0000000000c795c8 in AppLayerProtoDetectPMGetProto (tctx=, f=f@entry=0x806648a80, buf=, buflen=buflen@entry=95, 
flags=flags@entry=5 '\005', pm_results=pm_results@entry=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:344 m = -1 pm_ctx = 0x0 mpm_tctx = 0x0 #5 0x0000000000c78731 in AppLayerProtoDetectGetProto (tctx=, f=f@entry=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, ipproto=ipproto@entry=6 '\006', flags=flags@entry=5 '\005', reverse_flow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:1433 pm_results = {0, 0, 0, 0, 62, 0, 0, 0, 23040, 497, 0, 0, 608, 0, 0, 0, 31376, 57151, 32767, 0, 37027, 612, 8, 0, 63098, 14529, 8, 0, 608, 0, 0, 0, 49856, 14529, 8, 0} pm_matches = alproto = 0 pm_alproto = 0 #6 0x0000000000c69296 in TCPProtoDetect (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, app_tctx=app_tctx@entry=0x832d21100, p=p@entry=0x838c33200, f=f@entry=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:371 direction = 0 '\000' alproto = 0x806648b0c alproto_otherdir = 0x806648b0e reverse_flow = false #7 0x0000000000c68c6d in AppLayerHandleTCPData (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, p=p@entry=0x838c33200, f=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, --Type for more, q to quit, c to continue without paging-- flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:709 app_tctx = 0x832d21100 r = 0 direction = 0 '\000' alproto = failure = #8 0x0000000000b62905 in ReassembleUpdateAppLayer (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x7fffdf3f7c68, p=0x838c33200, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1328 flags = gap_ahead = new_app_progress = 
app_progress = 0 last_ack_abs = last_was_gap = false mydata = mydata_len = 3628844093 flags = gap_ahead = new_app_progress = check_for_gap_ahead = r = no_progress_update = #9 StreamTcpReassembleAppLayer (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x8338d5e20, p=p@entry=0x838c33200, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1391 No locals. #10 0x0000000000b64879 in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5e20, p=0x838c33200) at stream-tcp-reassemble.c:1949 No locals. #11 StreamTcpReassembleHandleSegment (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5d90, p=0x838c33200) at stream-tcp-reassemble.c:1997 opposing_stream = 0x8338d5e20 reversed_before_ack_handling = reversed_after_ack_handling = dir = #12 0x0000000000b9c789 in HandleEstablishedPacketToClient (tv=0x82e14bc4, tv@entry=0x80d8e0600, ssn=0x0, ssn@entry=0x8338d5d80, p=0x0, p@entry=0x838c33200, stt=0xe50a5969d84bc43d, stt@entry=0x832d60000) at stream-tcp.c:2811 zerowindowprobe = has_ack = #13 0x0000000000b7aa4d in StreamTcpPacketStateEstablished (tv=0x80d8e0600, p=0x838c33200, stt=0x832d60000, ssn=0x8338d5d80) at stream-tcp.c:3223 No locals. #14 StreamTcpStateDispatch (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, ssn=ssn@entry=0x8338d5d80, state=) at stream-tcp.c:5236 No locals. 
#15 0x0000000000b766c0 in StreamTcpPacket (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, pq=) at stream-tcp.c:5433 is_zwp_ack = true ret = ssn = 0x8338d5d80 #16 0x0000000000b82781 in StreamTcp (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, data=0x832d60000, pq=pq@entry=0x832d18030) at stream-tcp.c:5745 stt = 0x832d60000 #17 0x0000000000d53774 in FlowWorkerStreamTCPUpdate (tv=0x1, tv@entry=0x80d8e0600, fw=fw@entry=0x832d18000, p=p@entry=0x838c33200, detect_thread=detect_thread@entry=0x8338d7000, timeout=false) at flow-worker.c:391 --Type for more, q to quit, c to continue without paging-- x = #18 0x0000000000d52f4a in FlowWorker (tv=0x80d8e0600, p=0x838c33200, data=0x832d18000) at flow-worker.c:607 fw = 0x832d18000 detect_thread = 0x8338d7000 #19 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0600, p=0x838c33200, slot=0x8066db440) at tm-threads.c:135 s = 0x8066db440 #20 TmThreadsSlotVar (td=0x80d8e0600) at tm-threads.c:471 tv = 0x80d8e0600 s = 0x8066db440 p = 0x838c33200 run = r = #21 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #22 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdf3f8000 (gdb) info threads Id Target Id Frame 1 LWP 101548 of process 2511 "Suricata-Main" 0x00000008029806ea in _nanosleep () from /lib/libc.so.7 2 LWP 179039 of process 2511 "IM#01" 0x00000008029807ea in _read () from /lib/libc.so.7 3 LWP 187421 of process 2511 "RX#01-vmx2" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 4 LWP 187434 of process 2511 "W#01" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 5 LWP 187484 of process 2511 "W#02" 0x0000000802980a0a in _write () from /lib/libc.so.7 6 LWP 187485 of process 2511 "W#03" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 7 LWP 187486 of process 2511 "W#04" 0x00000008021e5fdc in ?? 
() from /lib/libthr.so.3 * 8 LWP 187487 of process 2511 "W#05" 0x00000008029a4454 in exit () from /lib/libc.so.7 9 LWP 187510 of process 2511 "W#06" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 10 LWP 187550 of process 2511 "W#07" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 11 LWP 187551 of process 2511 "W#08" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 12 LWP 187552 of process 2511 "FM#01" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 13 LWP 187553 of process 2511 "FR#01" 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 (gdb) thread apply all bt Thread 13 (LWP 187553 of process 2511 "FR#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 #3 0x0000000000c27d82 in FlowRecycler (th_v=0x80d8e0b00, thread_data=0x838a01000) at flow-manager.c:1103 #4 0x0000000000e344b8 in TmThreadsManagement (td=0x80d8e0b00) at tm-threads.c:557 #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #6 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffde9f3000 Thread 12 (LWP 187552 of process 2511 "FM#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? 
() from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x0000000000c28180 in FlowManagerHashRowTimeout (f=0x806630e80, td=, ts=..., emergency=, counters=, next_ts=) at flow-manager.c:337 #5 FlowTimeoutHash (td=td@entry=0x838201030, ts=ts@entry=..., hash_min=26192, hash_max=45852, counters=counters@entry=0x7fffdebf3f00) at flow-manager.c:437 #6 0x0000000000c2732c in FlowTimeoutHashInChunks (td=0x838201030, ts=..., hash_min=0, hash_max=65536, counters=0x7fffdebf3f00, rows=19660, pos=) at flow-manager.c:499 #7 FlowManager (th_v=0x80d8e0a00, thread_data=0x838201000) at flow-manager.c:829 #8 0x0000000000e344b8 in TmThreadsManagement (td=0x80d8e0a00) at tm-threads.c:557 #9 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #10 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdebf4000 Thread 11 (LWP 187551 of process 2511 "W#08"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? 
() from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdedf3b70 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- flow 0x806619140 det_ctx->varlist 0x0\033[0m") at util-debug.c:168 #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x6d84dd "./detect-flowvar.h", line=line@entry=52, function=function@entry=0x6eb21c "DetectVarProcessList", module=module@entry=0x6ca1c2 "detect", message=message@entry=0x7fffdedf4490 "flow 0x806619140 det_ctx->varlist 0x0") at util-debug.c:687 #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x6d84dd "./detect-flowvar.h", func=0x6eb21c "DetectVarProcessList", line=line@entry=52, module=0x6ca1c2 "detect", fmt=0x7480a3 "flow %p det_ctx->varlist %p") at util-debug.c:742 #10 0x0000000000c3a89c in DetectVarProcessList (det_ctx=0x837acb000, f=0x806619140, p=0x8393c2c00) at ./detect-flowvar.h:52 #11 DetectRulePacketRules (tv=0x80d8e0900, de_ctx=0x8066cf000, det_ctx=0x837acb000, p=0x8393c2c00, pflow=0x806619140, scratch=0x7fffdedf4db0) at detect.c:807 #12 DetectRun (th_v=0x80d8e0900, de_ctx=0x8066cf000, det_ctx=0x837acb000, p=0x8393c2c00) at detect.c:143 #13 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0900, p=p@entry=0x8393c2c00, data=data@entry=0x837acb000) at detect.c:1793 #14 0x0000000000d52fff in FlowWorker (tv=0x80d8e0900, p=0x8393c2c00, data=0x836f18000) at flow-worker.c:626 #15 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0900, p=0x8393c2c00, slot=0x8066db740) at tm-threads.c:135 #16 TmThreadsSlotVar (td=0x80d8e0900) at tm-threads.c:471 #17 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 --Type for more, q to quit, c to continue without paging-- #18 0x0000000000000000 in ?? 
() Backtrace stopped: Cannot access memory at address 0x7fffdedf5000 Thread 10 (LWP 187550 of process 2511 "W#07"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdeff4b70 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- inspecting signature id 2200042\033[0m") at util-debug.c:168 #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x6b37c2 "detect.c", line=line@entry=765, function=function@entry=0x6b9508 "DetectRulePacketRules", module=module@entry=0x6ca1c2 "detect", message=message@entry=0x7fffdeff5490 "inspecting signature id 2200042") at util-debug.c:687 #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x6b37c2 "detect.c", func=0x6b9508 "DetectRulePacketRules", line=line@entry=765, module=0x6ca1c2 "detect", fmt=0x6caf18 "inspecting signature id %u") at util-debug.c:742 #10 0x0000000000c3a670 in DetectRulePacketRules (tv=0x80d8e0800, de_ctx=0x8066cf000, det_ctx=0x8364d2000, p=0x82cb05e00, pflow=0x806640b00, scratch=0x7fffdeff5db0) at detect.c:765 #11 DetectRun (th_v=0x80d8e0800, de_ctx=0x8066cf000, det_ctx=0x8364d2000, p=0x82cb05e00) at detect.c:143 #12 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0800, p=p@entry=0x82cb05e00, data=data@entry=0x8364d2000) at detect.c:1793 #13 0x0000000000d52fff in FlowWorker (tv=0x80d8e0800, p=0x82cb05e00, data=0x835918000) at flow-worker.c:626 #14 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0800, p=0x82cb05e00, slot=0x8066db640) at tm-threads.c:135 #15 TmThreadsSlotVar (td=0x80d8e0800) at tm-threads.c:471 #16 0x00000008021e8d25 in ?? 
() from /lib/libthr.so.3 #17 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdeff6000 Thread 9 (LWP 187510 of process 2511 "W#06"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 #3 0x0000000000e2e6b9 in TmqhInputFlow (tv=) at tmqh-flow.c:109 #4 0x0000000000e33ad3 in TmThreadsSlotVar (td=0x80d8e0700) at tm-threads.c:456 #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #6 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf1f7000 Thread 8 (LWP 187487 of process 2511 "W#05"): #0 0x00000008029a4454 in exit () from /lib/libc.so.7 #1 0x0000000000e9bbb9 in HSScan (ctx=, thread_ctx=, haystack=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", haystack_len=) at util-spm-hs.c:156 #2 0x0000000000c8319e in AppLayerProtoDetectPMMatchSignature (s=0x80322d4e0, tctx=0x832d22080, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, flags=, searchlen=, rflow=) at app-layer-detect-proto.c:215 #3 PMGetProtoInspect (tctx=0x832d22080, pm_ctx=0x1f12c80 , mpm_tctx=, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=buflen@entry=95, flags=5 '\005', pm_results=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:296 #4 0x0000000000c795c8 in AppLayerProtoDetectPMGetProto (tctx=, f=f@entry=0x806648a80, buf=, buflen=buflen@entry=95, flags=flags@entry=5 '\005', pm_results=pm_results@entry=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:344 #5 0x0000000000c78731 in AppLayerProtoDetectGetProto (tctx=, f=f@entry=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", 
buflen=95, ipproto=ipproto@entry=6 '\006', flags=flags@entry=5 '\005', reverse_flow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:1433 #6 0x0000000000c69296 in TCPProtoDetect (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, app_tctx=app_tctx@entry=0x832d21100, p=p@entry=0x838c33200, f=f@entry=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:371 #7 0x0000000000c68c6d in AppLayerHandleTCPData (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, p=p@entry=0x838c33200, f=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:709 #8 0x0000000000b62905 in ReassembleUpdateAppLayer (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x7fffdf3f7c68, p=0x838c33200, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1328 #9 StreamTcpReassembleAppLayer (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x8338d5e20, p=p@entry=0x838c33200, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1391 #10 0x0000000000b64879 in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5e20, p=0x838c33200) at stream-tcp-reassemble.c:1949 #11 StreamTcpReassembleHandleSegment (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5d90, p=0x838c33200) at stream-tcp-reassemble.c:1997 #12 0x0000000000b9c789 in HandleEstablishedPacketToClient (tv=0x82e14bc4, tv@entry=0x80d8e0600, ssn=0x0, ssn@entry=0x8338d5d80, p=0x0, p@entry=0x838c33200, stt=0xe50a5969d84bc43d, 
stt@entry=0x832d60000) at stream-tcp.c:2811 #13 0x0000000000b7aa4d in StreamTcpPacketStateEstablished (tv=0x80d8e0600, p=0x838c33200, stt=0x832d60000, ssn=0x8338d5d80) at stream-tcp.c:3223 #14 StreamTcpStateDispatch (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, ssn=ssn@entry=0x8338d5d80, state=) at stream-tcp.c:5236 #15 0x0000000000b766c0 in StreamTcpPacket (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, pq=) at stream-tcp.c:5433 #16 0x0000000000b82781 in StreamTcp (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, data=0x832d60000, pq=pq@entry=0x832d18030) at stream-tcp.c:5745 #17 0x0000000000d53774 in FlowWorkerStreamTCPUpdate (tv=0x1, tv@entry=0x80d8e0600, fw=fw@entry=0x832d18000, p=p@entry=0x838c33200, detect_thread=detect_thread@entry=0x8338d7000, timeout=false) at flow-worker.c:391 #18 0x0000000000d52f4a in FlowWorker (tv=0x80d8e0600, p=0x838c33200, data=0x832d18000) at flow-worker.c:607 #19 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0600, p=0x838c33200, slot=0x8066db440) at tm-threads.c:135 #20 TmThreadsSlotVar (td=0x80d8e0600) at tm-threads.c:471 #21 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #22 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf3f8000 Thread 7 (LWP 187486 of process 2511 "W#04"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf5f7ad0 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- Returning: 0 ... 
<<\033[0m") at util-debug.c:168 #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x744ec4 "detect-engine-event.c", line=line@entry=110, function=function@entry=0x71e239 "DetectEngineEventMatch", module=module@entry=0x75a73d "detect-engine-event", message=message@entry=0x7fffdf5f83f0 "Returning: 0 ... <<") at util-debug.c:687 #9 0x0000000000e42966 in SCLog (x=7, file=0x744ec4 "detect-engine-event.c", func=0x71e239 "DetectEngineEventMatch", line=110, module=0x75a73d "detect-engine-event", fmt=0x74ed33 "Returning: %jd ... <<") at util-debug.c:742 #10 0x0000000000dfa023 in DetectEngineEventMatch (det_ctx=, p=, s=, ctx=0x8033d8b80) at detect-engine-event.c:107 #11 0x0000000000b50296 in DetectEngineInspectRulePacketMatches (det_ctx=0x8322d2000, engine=, s=0x806f15440, p=0x838e40400, _alert_flags=) at detect-engine.c:1928 #12 0x0000000000b4fe83 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0500, det_ctx=det_ctx@entry=0x8322d2000, s=s@entry=0x806f15440, f=f@entry=0x806638e00, p=p@entry=0x838e40400, alert_flags=alert_flags@entry=0x7fffdf5f8dd0 "") at detect-engine.c:1993 #13 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0500, de_ctx=0x8066cf000, det_ctx=0x8322d2000, p=0x838e40400, pflow=0x806638e00, scratch=0x7fffdf5f8db0) at detect.c:796 --Type for more, q to quit, c to continue without paging-- #14 DetectRun (th_v=0x80d8e0500, de_ctx=0x8066cf000, det_ctx=0x8322d2000, p=0x838e40400) at detect.c:143 #15 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0500, p=p@entry=0x838e40400, data=data@entry=0x8322d2000) at detect.c:1793 #16 0x0000000000d52fff in FlowWorker (tv=0x80d8e0500, p=0x838e40400, data=0x831718000) at flow-worker.c:626 #17 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0500, p=0x838e40400, slot=0x8066db340) at tm-threads.c:135 #18 TmThreadsSlotVar (td=0x80d8e0500) at tm-threads.c:471 #19 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #20 0x0000000000000000 in ?? 
() Backtrace stopped: Cannot access memory at address 0x7fffdf5f9000 Thread 6 (LWP 187485 of process 2511 "W#03"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf7f8b30 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- sid 2200115: e 0x81c95ad00 Callback returned false\033[0m") at util-debug.c:168 #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x72582a "detect-engine.c", line=line@entry=1994, function=function@entry=0x6eff81 "DetectEnginePktInspectionRun", module=module@entry=0x6fb292 "detect-engine", message=message@entry=0x7fffdf7f9450 "sid 2200115: e 0x81c95ad00 Callback returned false") at util-debug.c:687 #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x72582a "detect-engine.c", func=0x6eff81 "DetectEnginePktInspectionRun", line=line@entry=1994, module=0x6fb292 "detect-engine", fmt=0x6bd597 "sid %u: e %p Callback returned false") at util-debug.c:742 #10 0x0000000000b4ff29 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0400, det_ctx=det_ctx@entry=0x830cd2000, s=s@entry=0x806f2ea40, f=f@entry=0x80664f880, p=p@entry=0x82cccf000, alert_flags=alert_flags@entry=0x7fffdf7f9dd0 "") at detect-engine.c:1994 #11 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0400, de_ctx=0x8066cf000, det_ctx=0x830cd2000, p=0x82cccf000, pflow=0x80664f880, scratch=0x7fffdf7f9db0) at detect.c:796 #12 DetectRun (th_v=0x80d8e0400, de_ctx=0x8066cf000, det_ctx=0x830cd2000, p=0x82cccf000) at detect.c:143 #13 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0400, p=p@entry=0x82cccf000, data=data@entry=0x830cd2000) at 
detect.c:1793 #14 0x0000000000d52fff in FlowWorker (tv=0x80d8e0400, p=0x82cccf000, data=0x830118000) at flow-worker.c:626 #15 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0400, p=0x82cccf000, slot=0x8066db240) at tm-threads.c:135 #16 TmThreadsSlotVar (td=0x80d8e0400) at tm-threads.c:471 #17 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #18 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf7fa000 Thread 5 (LWP 187484 of process 2511 "W#02"): #0 0x0000000802980a0a in _write () from /lib/libc.so.7 #1 0x0000000802963f97 in ?? () from /lib/libc.so.7 #2 0x000000080295c14e in fflush_unlocked () from /lib/libc.so.7 #3 0x000000080295f550 in ?? () from /lib/libc.so.7 #4 0x00000008029681e7 in ?? () from /lib/libc.so.7 #5 0x0000000802964e1e in vfprintf_l () from /lib/libc.so.7 #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf9f9b00 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- no match\033[0m") at util-debug.c:168 #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x72582a "detect-engine.c", line=line@entry=1930, function=function@entry=0x725895 "DetectEngineInspectRulePacketMatches", module=module@entry=0x6fb292 "detect-engine", message=message@entry=0x7fffdf9fa420 "no match") at util-debug.c:687 #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x72582a "detect-engine.c", func=0x725895 "DetectEngineInspectRulePacketMatches", line=line@entry=1930, module=0x6fb292 "detect-engine", fmt=0x72ccee "no match") at util-debug.c:742 --Type for more, q to quit, c to continue without paging-- #10 0x0000000000b502f2 in DetectEngineInspectRulePacketMatches (det_ctx=0x82f6d2000, engine=, s=0x806f13140, p=0x82ca40a00, _alert_flags=) at detect-engine.c:1930 #11 0x0000000000b4fe83 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0300, det_ctx=det_ctx@entry=0x82f6d2000, s=s@entry=0x806f13140, f=f@entry=0x806630e80, 
p=p@entry=0x82ca40a00, alert_flags=alert_flags@entry=0x7fffdf9fadd0 "") at detect-engine.c:1993 #12 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0300, de_ctx=0x8066cf000, det_ctx=0x82f6d2000, p=0x82ca40a00, pflow=0x806630e80, scratch=0x7fffdf9fadb0) at detect.c:796 #13 DetectRun (th_v=0x80d8e0300, de_ctx=0x8066cf000, det_ctx=0x82f6d2000, p=0x82ca40a00) at detect.c:143 #14 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0300, p=p@entry=0x82ca40a00, data=data@entry=0x82f6d2000) at detect.c:1793 #15 0x0000000000d52fff in FlowWorker (tv=0x80d8e0300, p=0x82ca40a00, data=0x82eb18000) at flow-worker.c:626 #16 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0300, p=0x82ca40a00, slot=0x8066db140) at tm-threads.c:135 #17 TmThreadsSlotVar (td=0x80d8e0300) at tm-threads.c:471 #18 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #19 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf9fb000 Thread 4 (LWP 187434 of process 2511 "W#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 #3 0x0000000000e2e6b9 in TmqhInputFlow (tv=) at tmqh-flow.c:109 #4 0x0000000000e33ad3 in TmThreadsSlotVar (td=0x80d8e0200) at tm-threads.c:456 #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #6 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdfbfc000 Thread 3 (LWP 187421 of process 2511 "RX#01-vmx2"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 #2 0x00000008021ef2ca in ?? 
() from /lib/libthr.so.3 #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 #5 0x000000080295bddc in fflush () from /lib/libc.so.7 #6 0x0000000000e41b94 in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdfdfba90 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169\033[0m") at util-debug.c:171 #7 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x71493b "decode-ipv4.c", line=line@entry=558, function=function@entry=0x769298 "DecodeIPV4", module=module@entry=0x6fc3d8 "decode-ipv4", message=message@entry=0x7fffdfdfc3b0 "IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169") at util-debug.c:687 #8 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x71493b "decode-ipv4.c", func=0x769298 "DecodeIPV4", line=line@entry=558, module=0x6fc3d8 "decode-ipv4", fmt=0x6f689c "IPV4 %s->%s PROTO: %u OFFSET: %u RF: %u DF: %u MF: %u ID: %u") at util-debug.c:742 #9 0x0000000000be9f20 in DecodeIPV4 (tv=tv@entry=0x80d8e0100, dtv=dtv@entry=0x82cda4000, p=p@entry=0x8397f0c00, pkt=pkt@entry=0x8397f0e5e "E", len=) at decode-ipv4.c:556 #10 0x0000000000bff21e in DecodeNetworkLayer (tv=0x80d8e0100, dtv=0x82cda4000, proto=454, p=0x8397f0c00, data=, len=0) at ./decode.h:1161 #11 DecodeEthernet (tv=tv@entry=0x80d8e0100, dtv=dtv@entry=0x82cda4000, p=p@entry=0x8397f0c00, pkt=, len=) at decode-ethernet.c:61 #12 0x0000000000d54b33 in DecodeLinkLayer (tv=0x80d8e0100, dtv=0x82cda4000, datalink=454, p=0x8397f0c00, data=0x0, len=0) at ./decode.h:1127 #13 DecodePcap (tv=0x80d8e0100, p=0x8397f0c00, data=0x82cda4000) at source-pcap.c:627 #14 0x0000000000e30a06 in TmThreadsSlotVarRun (tv=0x80d8e0100, p=p@entry=0x8397f0c00, slot=) at tm-threads.c:135 #15 0x0000000000d54f47 in TmThreadsSlotProcessPkt (tv=0x80d8e0100, s=0x0, p=0x8397f0c00) at ./tm-threads.h:200 #16 PcapCallbackLoop (user=0x82cd18000 "", h=0x7fffdfdfce98, pkt=) at source-pcap.c:368 #17 
0x000000080274eff4 in ?? () from /usr/local/lib/libpcap.so.1 #18 0x0000000000d54217 in ReceivePcapLoop (tv=0x80d8e0100, data=0x82cd18000, slot=) at source-pcap.c:414 #19 0x0000000000e33f9a in TmThreadsSlotPktAcqLoop (td=0x80d8e0100) at tm-threads.c:318 --Type for more, q to quit, c to continue without paging-- #20 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #21 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdfdfd000 Thread 2 (LWP 179039 of process 2511 "IM#01"): #0 0x00000008029807ea in _read () from /lib/libc.so.7 #1 0x00000008021f4a13 in ?? () from /lib/libthr.so.3 #2 0x0000000000d0198d in AlertPfMonitorIfaceChanges (args=0x803394ef0) at alert-pf.c:1058 #3 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 #4 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdfffe000 Thread 1 (LWP 101548 of process 2511 "Suricata-Main"): #0 0x00000008029806ea in _nanosleep () from /lib/libc.so.7 #1 0x00000008021f482c in ?? () from /lib/libthr.so.3 #2 0x0000000802904c46 in usleep () from /lib/libc.so.7 #3 0x0000000000b4639a in SuricataMainLoop (suri=) at suricata.c:2840 #4 0x0000000000b45ace in SuricataMain (argc=7, argv=0x7fffffffe938) at suricata.c:3043 #5 0x00000008028d66fa in __libc_start1 () from /lib/libc.so.7 #6 0x0000000000b42220 in _start () at /usr/src/lib/csu/amd64/crt1_s.S:83 (gdb) (gdb) thread apply all bt full Thread 13 (LWP 187553 of process 2511 "FR#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 No symbol table info available. 
#3 0x0000000000c27d82 in FlowRecycler (th_v=0x80d8e0b00, thread_data=0x838a01000) at flow-manager.c:1103 rc = cond_tv = {tv_sec = 1702661261, tv_usec = 146874} cond_time = {tv_sec = 1702661261, tv_nsec = 146874000} list = {top = 0x0, bot = 0x0, len = 0} bail = 0 cnt = f = emerg = ret_queue = {top = 0x0, bot = 0x0, len = 0} ftd = 0x838a01000 recycled_cnt = 23 time_is_live = #4 0x0000000000e344b8 in TmThreadsManagement (td=0x80d8e0b00) at tm-threads.c:557 tv = 0x80d8e0b00 s = 0x8066db940 r = #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #6 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffde9f3000 Thread 12 (LWP 187552 of process 2511 "FM#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. 
#4 0x0000000000c28180 in FlowManagerHashRowTimeout (f=0x806630e80, td=, ts=..., emergency=, counters=, next_ts=) at flow-manager.c:337 next_flow = prev_f = 0x0 checked = 0 next_flow = #5 FlowTimeoutHash (td=td@entry=0x838201030, ts=ts@entry=..., hash_min=26192, hash_max=45852, counters=counters@entry=0x7fffdebf3f00) at flow-manager.c:437 next_ts = --Type for more, q to quit, c to continue without paging-- evicted = fb = 0x806cf8980 i = 41 check_bits = check = 64 idx = 34064 cnt = 1 emergency = rows_skipped = 104 rows_empty = 0 rows_checked = 19660 ts_secs = 1702661259 #6 0x0000000000c2732c in FlowTimeoutHashInChunks (td=0x838201030, ts=..., hash_min=0, hash_max=65536, counters=0x7fffdebf3f00, rows=19660, pos=) at flow-manager.c:499 start = 0 end = 0 rows_left = 454 cnt = #7 FlowManager (th_v=0x80d8e0a00, thread_data=0x838201000) at flow-manager.c:829 ppos = 26192 counters = {rows_checked = 0, rows_skipped = 0, rows_empty = 0, rows_maxlen = 1, flows_checked = 1, flows_notimeout = 0, flows_timeout = 1, flows_removed = 0, flows_aside = 1, flows_aside_needs_work = 0, bypassed_count = 0, bypassed_pkts = 0, bypassed_bytes = 0} spare_pool_len = pmp = ts_ms = 1702661259920 emerg = false emerge_p = ftd = 0x838201000 rows = 65536 emerg_over_cnt = 0 next_run_ms = pos = 26192 rows_sec = rows_per_wu = 19660 sleep_per_wu = prev_emerg = other_last_sec = 1702661258 mp = 30 ts = {secs = 1702661259, usecs = 920910} time_is_live = #8 0x0000000000e344b8 in TmThreadsManagement (td=0x80d8e0a00) at tm-threads.c:557 tv = 0x80d8e0a00 s = 0x8066db880 r = #9 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #10 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdebf4000 --Type for more, q to quit, c to continue without paging-- Thread 11 (LWP 187551 of process 2511 "W#08"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f5c5c in ?? 
() from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 No symbol table info available. #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 No symbol table info available. #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 No symbol table info available. #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdedf3b70 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- flow 0x806619140 det_ctx->varlist 0x0\033[0m") at util-debug.c:168 No locals. #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x6d84dd "./detect-flowvar.h", line=line@entry=52, function=function@entry=0x6eb21c "DetectVarProcessList", module=module@entry=0x6ca1c2 "detect", message=message@entry=0x7fffdedf4490 "flow 0x806619140 det_ctx->varlist 0x0") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- flow 0x806619140 det_ctx->varlist 0x0\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 151122} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 151122} #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x6d84dd "./detect-flowvar.h", func=0x6eb21c "DetectVarProcessList", line=line@entry=52, module=0x6ca1c2 "detect", fmt=0x7480a3 "flow %p det_ctx->varlist %p") at util-debug.c:742 msg = "flow 0x806619140 det_ctx->varlist 0x0\0005000/128)", '\000' , "=\304K\330iY\n\345"... 
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdedf4ce0, reg_save_area = 0x7fffdedf43b0}} #10 0x0000000000c3a89c in DetectVarProcessList (det_ctx=0x837acb000, f=0x806619140, p=0x8393c2c00) at ./detect-flowvar.h:52 fs = 0x0 #11 DetectRulePacketRules (tv=0x80d8e0900, de_ctx=0x8066cf000, det_ctx=0x837acb000, p=0x8393c2c00, pflow=0x806619140, scratch=0x7fffdedf4db0) at detect.c:807 alert_flags = s_proto_flags = s = next_s = 0x806f17740 match_cnt = match_array = 0x837b00ce0 next_sflags = 1572879 sflags = #12 DetectRun (th_v=0x80d8e0900, de_ctx=0x8066cf000, det_ctx=0x837acb000, p=0x8393c2c00) at detect.c:143 scratch = {alproto = 34, flow_flags = 4 '\004', app_decoder_events = false, sgh = 0x81bb6f2e0, pkt_mask = 3 '\003'} pflow = 0x806619140 #13 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0900, p=p@entry=0x8393c2c00, data=data@entry=0x837acb000) at detect.c:1793 de_ctx = 0x8066cf000 det_ctx = 0x837acb000 #14 0x0000000000d52fff in FlowWorker (tv=0x80d8e0900, p=0x8393c2c00, data=0x836f18000) at flow-worker.c:626 fw = 0x836f18000 --Type for more, q to quit, c to continue without paging-- detect_thread = 0x837acb000 #15 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0900, p=0x8393c2c00, slot=0x8066db740) at tm-threads.c:135 s = 0x8066db740 #16 TmThreadsSlotVar (td=0x80d8e0900) at tm-threads.c:471 tv = 0x80d8e0900 s = 0x8066db740 p = 0x8393c2c00 run = r = #17 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #18 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdedf5000 Thread 10 (LWP 187550 of process 2511 "W#07"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. 
#3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 No symbol table info available. #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 No symbol table info available. #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 No symbol table info available. #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdeff4b70 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- inspecting signature id 2200042\033[0m") at util-debug.c:168 No locals. #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x6b37c2 "detect.c", line=line@entry=765, function=function@entry=0x6b9508 "DetectRulePacketRules", module=module@entry=0x6ca1c2 "detect", message=message@entry=0x7fffdeff5490 "inspecting signature id 2200042") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- inspecting signature id 2200042\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 151114} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 151114} #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x6b37c2 "detect.c", func=0x6b9508 "DetectRulePacketRules", line=line@entry=765, module=0x6ca1c2 "detect", fmt=0x6caf18 "inspecting signature id %u") at util-debug.c:742 msg = "inspecting signature id 2200042\000t 0x0\0005000/128)", '\000' , "=\304K\330iY\n\345"... 
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdeff5cd8, reg_save_area = 0x7fffdeff53b0}} #10 0x0000000000c3a670 in DetectRulePacketRules (tv=0x80d8e0800, de_ctx=0x8066cf000, det_ctx=0x8364d2000, p=0x82cb05e00, pflow=0x806640b00, scratch=0x7fffdeff5db0) at detect.c:765 alert_flags = 0 '\000' s_proto_flags = 1 '\001' s = 0x806f15940 next_s = 0x806f15a80 --Type for more, q to quit, c to continue without paging-- match_cnt = match_array = 0x836500c00 next_sflags = 1572879 sflags = 1572879 #11 DetectRun (th_v=0x80d8e0800, de_ctx=0x8066cf000, det_ctx=0x8364d2000, p=0x82cb05e00) at detect.c:143 scratch = {alproto = 34, flow_flags = 4 '\004', app_decoder_events = false, sgh = 0x81bb6f2e0, pkt_mask = 3 '\003'} pflow = 0x806640b00 #12 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0800, p=p@entry=0x82cb05e00, data=data@entry=0x8364d2000) at detect.c:1793 de_ctx = 0x8066cf000 det_ctx = 0x8364d2000 #13 0x0000000000d52fff in FlowWorker (tv=0x80d8e0800, p=0x82cb05e00, data=0x835918000) at flow-worker.c:626 fw = 0x835918000 detect_thread = 0x8364d2000 #14 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0800, p=0x82cb05e00, slot=0x8066db640) at tm-threads.c:135 s = 0x8066db640 #15 TmThreadsSlotVar (td=0x80d8e0800) at tm-threads.c:471 tv = 0x80d8e0800 s = 0x8066db640 p = 0x82cb05e00 run = r = #16 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #17 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdeff6000 Thread 9 (LWP 187510 of process 2511 "W#06"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 No symbol table info available. 
#3 0x0000000000e2e6b9 in TmqhInputFlow (tv=) at tmqh-flow.c:109 q = 0x81b78b470 #4 0x0000000000e33ad3 in TmThreadsSlotVar (td=0x80d8e0700) at tm-threads.c:456 tv = 0x80d8e0700 s = 0x8066db540 p = run = r = #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #6 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdf1f7000 --Type for more, q to quit, c to continue without paging-- Thread 8 (LWP 187487 of process 2511 "W#05"): #0 0x00000008029a4454 in exit () from /lib/libc.so.7 No symbol table info available. #1 0x0000000000e9bbb9 in HSScan (ctx=, thread_ctx=, haystack=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", haystack_len=) at util-spm-hs.c:156 sctx = 0x80326fe00 scratch = match_offset = 18446744073709551615 err = #2 0x0000000000c8319e in AppLayerProtoDetectPMMatchSignature (s=0x80322d4e0, tctx=0x832d22080, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, flags=, searchlen=, rflow=) at app-layer-detect-proto.c:215 sbuf = 0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n" ssearchlen = 56415 found = direction = rdir = r = #3 PMGetProtoInspect (tctx=0x832d22080, pm_ctx=0x1f12c80 , mpm_tctx=, f=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=buflen@entry=95, flags=5 '\005', pm_results=0x7fffdf3f7a00, rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:296 proto = s = 0x80322d4e0 cnt = 0 pm_results_bf = "\000\000\000\000" pm_matches = 0 searchlen = 17 search_cnt = #4 0x0000000000c795c8 in AppLayerProtoDetectPMGetProto (tctx=, f=f@entry=0x806648a80, buf=, buflen=buflen@entry=95, flags=flags@entry=5 '\005', pm_results=pm_results@entry=0x7fffdf3f7a00, 
rflow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:344 m = -1 pm_ctx = 0x0 mpm_tctx = 0x0 #5 0x0000000000c78731 in AppLayerProtoDetectGetProto (tctx=, f=f@entry=0x806648a80, buf=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", buflen=95, ipproto=ipproto@entry=6 '\006', flags=flags@entry=5 '\005', reverse_flow=0x7fffdf3f7b0f) at app-layer-detect-proto.c:1433 pm_results = {0, 0, 0, 0, 62, 0, 0, 0, 23040, 497, 0, 0, 608, 0, 0, 0, 31376, 57151, 32767, 0, 37027, 612, 8, 0, 63098, 14529, 8, 0, 608, 0, 0, 0, 49856, 14529, 8, 0} pm_matches = alproto = 0 pm_alproto = 0 #6 0x0000000000c69296 in TCPProtoDetect (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, app_tctx=app_tctx@entry=0x832d21100, p=p@entry=0x838c33200, f=f@entry=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:371 direction = 0 '\000' alproto = 0x806648b0c alproto_otherdir = 0x806648b0e reverse_flow = false #7 0x0000000000c68c6d in AppLayerHandleTCPData (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, p=p@entry=0x838c33200, f=0x806648a80, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x7fffdf3f7c68, data=0x8338f7800 "CONNECT wfbssvc65.icrc.trendmicro.com:443 HTTP/1.1\r\nHost: wfbssvc65.icrc.trendmicro.com:443\r\n\r\n", data_len=95, flags=5 '\005', dir=UPDATE_DIR_OPPOSING) at app-layer.c:709 app_tctx = 0x832d21100 --Type for more, q to quit, c to continue without paging-- r = 0 direction = 0 '\000' alproto = failure = #8 0x0000000000b62905 in ReassembleUpdateAppLayer (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x7fffdf3f7c68, p=0x838c33200, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1328 flags = gap_ahead = new_app_progress = app_progress = 0 last_ack_abs = last_was_gap = false mydata = mydata_len = 
3628844093 flags = gap_ahead = new_app_progress = check_for_gap_ahead = r = no_progress_update = #9 StreamTcpReassembleAppLayer (tv=tv@entry=0x80d8e0600, ra_ctx=ra_ctx@entry=0x832a00020, ssn=ssn@entry=0x8338d5d80, stream=stream@entry=0x8338d5e20, p=p@entry=0x838c33200, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1391 No locals. #10 0x0000000000b64879 in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5e20, p=0x838c33200) at stream-tcp-reassemble.c:1949 No locals. #11 StreamTcpReassembleHandleSegment (tv=0x80d8e0600, ra_ctx=0x832a00020, ssn=0x8338d5d80, stream=0x8338d5d90, p=0x838c33200) at stream-tcp-reassemble.c:1997 opposing_stream = 0x8338d5e20 reversed_before_ack_handling = reversed_after_ack_handling = dir = #12 0x0000000000b9c789 in HandleEstablishedPacketToClient (tv=0x82e14bc4, tv@entry=0x80d8e0600, ssn=0x0, ssn@entry=0x8338d5d80, p=0x0, p@entry=0x838c33200, stt=0xe50a5969d84bc43d, stt@entry=0x832d60000) at stream-tcp.c:2811 zerowindowprobe = has_ack = #13 0x0000000000b7aa4d in StreamTcpPacketStateEstablished (tv=0x80d8e0600, p=0x838c33200, stt=0x832d60000, ssn=0x8338d5d80) at stream-tcp.c:3223 No locals. #14 StreamTcpStateDispatch (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, ssn=ssn@entry=0x8338d5d80, state=) at stream-tcp.c:5236 No locals. 
#15 0x0000000000b766c0 in StreamTcpPacket (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, stt=stt@entry=0x832d60000, pq=) at stream-tcp.c:5433 is_zwp_ack = true ret = ssn = 0x8338d5d80 #16 0x0000000000b82781 in StreamTcp (tv=tv@entry=0x80d8e0600, p=p@entry=0x838c33200, data=0x832d60000, pq=pq@entry=0x832d18030) at stream-tcp.c:5745 stt = 0x832d60000 #17 0x0000000000d53774 in FlowWorkerStreamTCPUpdate (tv=0x1, tv@entry=0x80d8e0600, fw=fw@entry=0x832d18000, p=p@entry=0x838c33200, detect_thread=detect_thread@entry=0x8338d7000, timeout=false) at flow-worker.c:391 x = #18 0x0000000000d52f4a in FlowWorker (tv=0x80d8e0600, p=0x838c33200, data=0x832d18000) at flow-worker.c:607 --Type for more, q to quit, c to continue without paging-- fw = 0x832d18000 detect_thread = 0x8338d7000 #19 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0600, p=0x838c33200, slot=0x8066db440) at tm-threads.c:135 s = 0x8066db440 #20 TmThreadsSlotVar (td=0x80d8e0600) at tm-threads.c:471 tv = 0x80d8e0600 s = 0x8066db440 p = 0x838c33200 run = r = #21 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #22 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdf3f8000 Thread 7 (LWP 187486 of process 2511 "W#04"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 No symbol table info available. #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 No symbol table info available. #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 No symbol table info available. 
#7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf5f7ad0 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- Returning: 0 ... <<\033[0m") at util-debug.c:168 No locals. #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x744ec4 "detect-engine-event.c", line=line@entry=110, function=function@entry=0x71e239 "DetectEngineEventMatch", module=module@entry=0x75a73d "detect-engine-event", message=message@entry=0x7fffdf5f83f0 "Returning: 0 ... <<") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- Returning: 0 ... <<\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 151100} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 151100} #9 0x0000000000e42966 in SCLog (x=7, file=0x744ec4 "detect-engine-event.c", func=0x71e239 "DetectEngineEventMatch", line=110, module=0x75a73d "detect-engine-event", fmt=0x74ed33 "Returning: %jd ... <<") at util-debug.c:742 msg = "Returning: 0 ... <<\0000\000\000\000h\214_\337\377\177\000\000@\203_\337\377\177\000\000\000\000\000\000\000\000\000\000running match functions, sm 0x809dc2650\000\240\214_\337\377\177\000\000\200\203_\337\377\177\000\000036: e 0Entering ... >>\0000\000\000\0000\000\000\000،_\337\377\177\000\000\260\203_\337\377\177\000\00000 cnt 2inspecting signature id 2200037\000t 0x0\000e400"... 
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdf5f8c38, reg_save_area = 0x7fffdf5f8310}} #10 0x0000000000dfa023 in DetectEngineEventMatch (det_ctx=, p=, s=, ctx=0x8033d8b80) at detect-engine-event.c:107 de = 0x8033d8b80 --Type for more, q to quit, c to continue without paging-- #11 0x0000000000b50296 in DetectEngineInspectRulePacketMatches (det_ctx=0x8322d2000, engine=, s=0x806f15440, p=0x838e40400, _alert_flags=) at detect-engine.c:1928 smd = 0x809dc2650 #12 0x0000000000b4fe83 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0500, det_ctx=det_ctx@entry=0x8322d2000, s=s@entry=0x806f15440, f=f@entry=0x806638e00, p=p@entry=0x838e40400, alert_flags=alert_flags@entry=0x7fffdf5f8dd0 "") at detect-engine.c:1993 e = 0x81c95a0d0 #13 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0500, de_ctx=0x8066cf000, det_ctx=0x8322d2000, p=0x838e40400, pflow=0x806638e00, scratch=0x7fffdf5f8db0) at detect.c:796 alert_flags = 0 '\000' s_proto_flags = 1 '\001' s = 0x806f15440 next_s = 0x806f15580 match_cnt = match_array = 0x832300be8 next_sflags = 1572879 sflags = 1572879 #14 DetectRun (th_v=0x80d8e0500, de_ctx=0x8066cf000, det_ctx=0x8322d2000, p=0x838e40400) at detect.c:143 scratch = {alproto = 0, flow_flags = 4 '\004', app_decoder_events = false, sgh = 0x81b7bf8a0, pkt_mask = 18 '\022'} pflow = 0x806638e00 #15 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0500, p=p@entry=0x838e40400, data=data@entry=0x8322d2000) at detect.c:1793 de_ctx = 0x8066cf000 det_ctx = 0x8322d2000 #16 0x0000000000d52fff in FlowWorker (tv=0x80d8e0500, p=0x838e40400, data=0x831718000) at flow-worker.c:626 fw = 0x831718000 detect_thread = 0x8322d2000 #17 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0500, p=0x838e40400, slot=0x8066db340) at tm-threads.c:135 s = 0x8066db340 #18 TmThreadsSlotVar (td=0x80d8e0500) at tm-threads.c:471 tv = 0x80d8e0500 s = 0x8066db340 p = 0x838e40400 run = r = #19 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. 
#20 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdf5f9000 Thread 6 (LWP 187485 of process 2511 "W#03"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 --Type for more, q to quit, c to continue without paging-- No symbol table info available. #5 0x0000000802964dcb in vfprintf_l () from /lib/libc.so.7 No symbol table info available. #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 No symbol table info available. #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf7f8b30 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- sid 2200115: e 0x81c95ad00 Callback returned false\033[0m") at util-debug.c:168 No locals. 
#8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x72582a "detect-engine.c", line=line@entry=1994, function=function@entry=0x6eff81 "DetectEnginePktInspectionRun", module=module@entry=0x6fb292 "detect-engine", message=message@entry=0x7fffdf7f9450 "sid 2200115: e 0x81c95ad00 Callback returned false") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- sid 2200115: e 0x81c95ad00 Callback returned false\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 151071} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 151071} #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x72582a "detect-engine.c", func=0x6eff81 "DetectEnginePktInspectionRun", line=line@entry=1994, module=0x6fb292 "detect-engine", fmt=0x6bd597 "sid %u: e %p Callback returned false") at util-debug.c:742 msg = "sid 2200115: e 0x81c95ad00 Callback returned false\000\337\377\177\000\000 has no inspecting signature id 2200115\000t 0x0\000FLOWVAR flag set.", '\000' , "=\304K\330iY\n\345\000\000\000\000\000\000\002\000\001\000\000\000\000\000\000\000\000\000\000"... 
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdf7f9ca0, reg_save_area = 0x7fffdf7f9370}} #10 0x0000000000b4ff29 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0400, det_ctx=det_ctx@entry=0x830cd2000, s=s@entry=0x806f2ea40, f=f@entry=0x80664f880, p=p@entry=0x82cccf000, alert_flags=alert_flags@entry=0x7fffdf7f9dd0 "") at detect-engine.c:1994 e = 0x81c95ad00 #11 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0400, de_ctx=0x8066cf000, det_ctx=0x830cd2000, p=0x82cccf000, pflow=0x80664f880, scratch=0x7fffdf7f9db0) at detect.c:796 alert_flags = 0 '\000' s_proto_flags = 1 '\001' s = 0x806f2ea40 next_s = 0x806f2eb80 match_cnt = match_array = 0x830d00e38 next_sflags = 1572879 sflags = 1572879 #12 DetectRun (th_v=0x80d8e0400, de_ctx=0x8066cf000, det_ctx=0x830cd2000, p=0x82cccf000) at detect.c:143 scratch = {alproto = 0, flow_flags = 4 '\004', app_decoder_events = false, sgh = 0x81b7bf8a0, pkt_mask = 3 '\003'} pflow = 0x80664f880 #13 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0400, p=p@entry=0x82cccf000, data=data@entry=0x830cd2000) at detect.c:1793 de_ctx = 0x8066cf000 det_ctx = 0x830cd2000 #14 0x0000000000d52fff in FlowWorker (tv=0x80d8e0400, p=0x82cccf000, data=0x830118000) at flow-worker.c:626 fw = 0x830118000 detect_thread = 0x830cd2000 #15 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0400, p=0x82cccf000, slot=0x8066db240) at tm-threads.c:135 s = 0x8066db240 #16 TmThreadsSlotVar (td=0x80d8e0400) at tm-threads.c:471 tv = 0x80d8e0400 s = 0x8066db240 p = 0x82cccf000 run = r = --Type for more, q to quit, c to continue without paging-- #17 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #18 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdf7fa000 Thread 5 (LWP 187484 of process 2511 "W#02"): #0 0x0000000802980a0a in _write () from /lib/libc.so.7 No symbol table info available. #1 0x0000000802963f97 in ?? 
() from /lib/libc.so.7 No symbol table info available. #2 0x000000080295c14e in fflush_unlocked () from /lib/libc.so.7 No symbol table info available. #3 0x000000080295f550 in ?? () from /lib/libc.so.7 No symbol table info available. #4 0x00000008029681e7 in ?? () from /lib/libc.so.7 No symbol table info available. #5 0x0000000802964e1e in vfprintf_l () from /lib/libc.so.7 No symbol table info available. #6 0x000000080295d8df in fprintf () from /lib/libc.so.7 No symbol table info available. #7 0x0000000000e41b7e in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdf9f9b00 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- no match\033[0m") at util-debug.c:168 No locals. #8 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x72582a "detect-engine.c", line=line@entry=1930, function=function@entry=0x725895 "DetectEngineInspectRulePacketMatches", module=module@entry=0x6fb292 "detect-engine", message=message@entry=0x7fffdf9fa420 "no match") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- no match\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 150857} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 150857} #9 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x72582a "detect-engine.c", func=0x725895 "DetectEngineInspectRulePacketMatches", line=line@entry=1930, module=0x6fb292 "detect-engine", fmt=0x72ccee "no match") at util-debug.c:742 msg = "no match\000atch functions, sm 0x809dc2550\000\240\254\237\337\377\177\000\000\200\243\237\337\377\177\000\000019: e 0Entering ... >>\0000\000\000\0000\000\000\000ج\237\337\377\177\000\000\260\243\237\337\377\177\000\00000 cnt 1inspecting signature id 2200020\000t 0x0\0005000/128)", '\000' ... 
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdf9fac60, reg_save_area = 0x7fffdf9fa340}} #10 0x0000000000b502f2 in DetectEngineInspectRulePacketMatches (det_ctx=0x82f6d2000, engine=, s=0x806f13140, p=0x82ca40a00, _alert_flags=) at detect-engine.c:1930 smd = #11 0x0000000000b4fe83 in DetectEnginePktInspectionRun (tv=tv@entry=0x80d8e0300, det_ctx=det_ctx@entry=0x82f6d2000, s=s@entry=0x806f13140, f=f@entry=0x806630e80, p=p@entry=0x82ca40a00, alert_flags=alert_flags@entry=0x7fffdf9fadd0 "") at detect-engine.c:1993 e = 0x81c959dd0 #12 0x0000000000c3a74c in DetectRulePacketRules (tv=0x80d8e0300, de_ctx=0x8066cf000, det_ctx=0x82f6d2000, p=0x82ca40a00, pflow=0x806630e80, scratch=0x7fffdf9fadb0) at detect.c:796 alert_flags = 0 '\000' s_proto_flags = 1 '\001' s = 0x806f13140 next_s = 0x806f13280 match_cnt = match_array = 0x82f700b68 next_sflags = 1572879 --Type for more, q to quit, c to continue without paging-- sflags = 1572879 #13 DetectRun (th_v=0x80d8e0300, de_ctx=0x8066cf000, det_ctx=0x82f6d2000, p=0x82ca40a00) at detect.c:143 scratch = {alproto = 34, flow_flags = 4 '\004', app_decoder_events = false, sgh = 0x81bb6f2e0, pkt_mask = 3 '\003'} pflow = 0x806630e80 #14 0x0000000000c2db06 in Detect (tv=tv@entry=0x80d8e0300, p=p@entry=0x82ca40a00, data=data@entry=0x82f6d2000) at detect.c:1793 de_ctx = 0x8066cf000 det_ctx = 0x82f6d2000 #15 0x0000000000d52fff in FlowWorker (tv=0x80d8e0300, p=0x82ca40a00, data=0x82eb18000) at flow-worker.c:626 fw = 0x82eb18000 detect_thread = 0x82f6d2000 #16 0x0000000000e33b07 in TmThreadsSlotVarRun (tv=0x80d8e0300, p=0x82ca40a00, slot=0x8066db140) at tm-threads.c:135 s = 0x8066db140 #17 TmThreadsSlotVar (td=0x80d8e0300) at tm-threads.c:471 tv = 0x80d8e0300 s = 0x8066db140 p = 0x82ca40a00 run = r = #18 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #19 0x0000000000000000 in ?? () No symbol table info available. 
Backtrace stopped: Cannot access memory at address 0x7fffdf9fb000 Thread 4 (LWP 187434 of process 2511 "W#01"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. #1 0x00000008021f6022 in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021e7b9d in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x0000000000e2e6b9 in TmqhInputFlow (tv=) at tmqh-flow.c:109 q = 0x80efe4ae0 #4 0x0000000000e33ad3 in TmThreadsSlotVar (td=0x80d8e0200) at tm-threads.c:456 tv = 0x80d8e0200 s = 0x8066db040 p = run = r = #5 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #6 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdfbfc000 Thread 3 (LWP 187421 of process 2511 "RX#01-vmx2"): #0 0x00000008021e5fdc in ?? () from /lib/libthr.so.3 No symbol table info available. --Type for more, q to quit, c to continue without paging-- #1 0x00000008021f5c5c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x00000008021ef2ca in ?? () from /lib/libthr.so.3 No symbol table info available. #3 0x00000008021ecfaa in pthread_mutex_lock () from /lib/libthr.so.3 No symbol table info available. #4 0x000000080295b547 in flockfile () from /lib/libc.so.7 No symbol table info available. #5 0x000000080295bddc in fflush () from /lib/libc.so.7 No symbol table info available. #6 0x0000000000e41b94 in SCLogPrintToStream (fd=0x802a1d608, msg=0x7fffdfdfba90 "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169\033[0m") at util-debug.c:171 No locals. 
#7 SCLogMessage (log_level=log_level@entry=SC_LOG_DEBUG, file=file@entry=0x71493b "decode-ipv4.c", line=line@entry=558, function=function@entry=0x769298 "DecodeIPV4", module=module@entry=0x6fc3d8 "decode-ipv4", message=message@entry=0x7fffdfdfc3b0 "IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169") at util-debug.c:687 buffer = "\033[32m15/12/2023 -- 18:27:40\033[0m - <\033[33mDebug\033[0m> -- IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169\033[0m", '\000' tval = {tv_sec = 1702661260, tv_usec = 151078} op_iface_ctx = 0x80321b4b0 ts = {secs = 1702661260, usecs = 151078} #8 0x0000000000e42966 in SCLog (x=x@entry=7, file=0x71493b "decode-ipv4.c", func=0x769298 "DecodeIPV4", line=line@entry=558, module=0x6fc3d8 "decode-ipv4", fmt=0x6f689c "IPV4 %s->%s PROTO: %u OFFSET: %u RF: %u DF: %u MF: %u ID: %u") at util-debug.c:742 msg = "IPV4> PROTO: 17 OFFSET: 0 RF: 0 DF: 1 MF: 0 ID: 11169", '\000' , "=\304K\330iY\n\345\370\311m\000\000\000\000\000|0r\000\000\000\000\000\a\000\000\000\000\000\000\000r\214k\000\000\000\000\000k\002\000\000\000\000\000\000\200\315\337\337\377\177\000\000f)\344", '\000' ... ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdfdfcc30, reg_save_area = 0x7fffdfdfc2d0}} #9 0x0000000000be9f20 in DecodeIPV4 (tv=tv@entry=0x80d8e0100, dtv=dtv@entry=0x82cda4000, p=p@entry=0x8397f0c00, pkt=pkt@entry=0x8397f0e5e "E", len=) at decode-ipv4.c:556 s = "\000\000\000" d = "\000\000" #10 0x0000000000bff21e in DecodeNetworkLayer (tv=0x80d8e0100, dtv=0x82cda4000, proto=454, p=0x8397f0c00, data=, len=0) at ./decode.h:1161 ip_len = ip_len = #11 DecodeEthernet (tv=tv@entry=0x80d8e0100, dtv=dtv@entry=0x82cda4000, p=p@entry=0x8397f0c00, pkt=, len=) at decode-ethernet.c:61 No locals. #12 0x0000000000d54b33 in DecodeLinkLayer (tv=0x80d8e0100, dtv=0x82cda4000, datalink=454, p=0x8397f0c00, data=0x0, len=0) at ./decode.h:1127 No locals. 
#13 DecodePcap (tv=0x80d8e0100, p=0x8397f0c00, data=0x82cda4000) at source-pcap.c:627 dtv = 0x82cda4000 #14 0x0000000000e30a06 in TmThreadsSlotVarRun (tv=0x80d8e0100, p=p@entry=0x8397f0c00, slot=) at tm-threads.c:135 r = s = 0x81442df80 s = r = #15 0x0000000000d54f47 in TmThreadsSlotProcessPkt (tv=0x80d8e0100, s=0x0, p=0x8397f0c00) at ./tm-threads.h:200 r = #16 PcapCallbackLoop (user=0x82cd18000 "", h=0x7fffdfdfce98, pkt=) at source-pcap.c:368 ptv = 0x82cd18000 p = 0x8397f0c00 current_time = #17 0x000000080274eff4 in ?? () from /usr/local/lib/libpcap.so.1 No symbol table info available. #18 0x0000000000d54217 in ReceivePcapLoop (tv=0x80d8e0100, data=0x82cd18000, slot=) at source-pcap.c:414 r = packet_q_len = 64 ptv = 0x82cd18000 s = #19 0x0000000000e33f9a in TmThreadsSlotPktAcqLoop (td=0x80d8e0100) at tm-threads.c:318 tv = 0x80d8e0100 s = 0x8032e9b80 run = r = slot = 0x0 #20 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #21 0x0000000000000000 in ?? () No symbol table info available. Backtrace stopped: Cannot access memory at address 0x7fffdfdfd000 Thread 2 (LWP 179039 of process 2511 "IM#01"): #0 0x00000008029807ea in _read () from /lib/libc.so.7 No symbol table info available. #1 0x00000008021f4a13 in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x0000000000d0198d in AlertPfMonitorIfaceChanges (args=0x803394ef0) at alert-pf.c:1058 msg = '\000' ifname = '\000' addr = {family = 0 '\000', address = {address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, address_un_data8 = '\000' , address_un_in6 = {__u6_addr = {__u6_addr8 = '\000' , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}} sock = 6 fib = 0 fib_len = 4 rtm = ifam = len = p = sa = ctx = #3 0x00000008021e8d25 in ?? () from /lib/libthr.so.3 No symbol table info available. #4 0x0000000000000000 in ?? () No symbol table info available. 
Backtrace stopped: Cannot access memory at address 0x7fffdfffe000 Thread 1 (LWP 101548 of process 2511 "Suricata-Main"): #0 0x00000008029806ea in _nanosleep () from /lib/libc.so.7 No symbol table info available. #1 0x00000008021f482c in ?? () from /lib/libthr.so.3 No symbol table info available. #2 0x0000000802904c46 in usleep () from /lib/libc.so.7 No symbol table info available. #3 0x0000000000b4639a in SuricataMainLoop (suri=) at suricata.c:2840 No locals. #4 0x0000000000b45ace in SuricataMain (argc=7, argv=0x7fffffffe938) at suricata.c:3043 tracking = limit_nproc = #5 0x00000008028d66fa in __libc_start1 () from /lib/libc.so.7 No symbol table info available. #6 0x0000000000b42220 in _start () at /usr/src/lib/csu/amd64/crt1_s.S:83 No locals. (gdb)