Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata process dying due to hyperscan problem

    Scheduled Pinned Locked Moved IDS/IPS
    295 Posts 25 Posters 86.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tylereversT
      tylerevers @tylerevers
      last edited by

      @tylerevers said in Suricata process dying due to hyperscan problem:

      @bmeeks said in Suricata process dying due to hyperscan problem:

      My pull request containing the anticipated fix for this Hyperscan error has been merged. An updated Suricata package has built and should appear as an available update for 2.7.2 CE and 23.09.1 Plus users.

      Look for an update to version 7.0.2_2 for the Suricata package. When installed, the new package should pull in version 7.0.2_5 of the Suricata binary.

      Fingers crossed this fixes the Hyperscan issue. But as I mentioned previously, since I could never reproduce the error in my small test environment, I can't say with 100% certainty the bug I found and fixed is the actual Hyperscan culprit.

      Nearly 20 hours since updating to 7.0.2_2 on 23.09.1 Plus with custom bare metal setup and no Hyperscan crash yet. Pattern Match set to AUTO and Blocking Mode ENABLED. Using all VLANs that traverse a LAGG in my case just as a reminder.

      Thanks, Bill!

      At roughly the 28-hour mark, the Suricata Interface failed with the Hyperscan issue again.

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8 @bmeeks
        last edited by

        @bmeeks
        i have removed all the rules from an interface but the hyperscan error is still there after a few moments for me.
        +noaslr is still doing nothing
        any chance you can provide the dbg pkg of suricata?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        bmeeksB 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @bmeeks
          last edited by

          @bmeeks
          For now and maybe going forward as a perm solution can we just have the package updated to use AC-CS as the default with a note stating to avoid HyperScan for its inconsistent performance or something along those lines.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @kiokoman
            last edited by

            @kiokoman said in Suricata process dying due to hyperscan problem:

            @bmeeks
            i have removed all the rules from an interface but the hyperscan error is still there after a few moments for me.
            +noaslr is still doing nothing
            any chance you can provide the dbg pkg of suricata?

            Not at the moment. I'm trying to reconstruct my package builder for the RELENG_2_7_2 branch of CE (which is the current 2.7.2 release), and that build is failing. Working with the Netgate team on that. Once I get my package builder working again, then I can build a debug package and perhaps share it.

            Nothing else can happen until at least after this coming weekend as I am about to be out of town for a few days.

            kiokomanK 2 Replies Last reply Reply Quote 0
            • bmeeksB
              bmeeks @michmoor
              last edited by

              @michmoor said in Suricata process dying due to hyperscan problem:

              @bmeeks
              For now and maybe going forward as a perm solution can we just have the package updated to use AC-CS as the default with a note stating to avoid HyperScan for its inconsistent performance or something along those lines.

              I don't see the point in changing the default if users can just simply make the change manually and save it.

              And I can't work on this issue anymore until late this Sunday at the earliest as I will be away from all my computing infrastructure until then.

              M 1 Reply Last reply Reply Quote 2
              • M
                Maltz @bmeeks
                last edited by

                @bmeeks said in Suricata process dying due to hyperscan problem:

                I don't see the point in changing the default if users can just simply make the change manually and save it.

                I think changing the default would be tremendously useful for people who have no way of knowing why Suricata is crashing over a month after the pfSense update that seemingly broke it. People who haven't, or don't have to expertise to, spend hours poring over system logs, find the right log entry to google, and make their way to this thread.

                N 1 Reply Last reply Reply Quote 1
                • N
                  NRgia @Maltz
                  last edited by NRgia

                  @Maltz said in Suricata process dying due to hyperscan problem:

                  @bmeeks said in Suricata process dying due to hyperscan problem:

                  I don't see the point in changing the default if users can just simply make the change manually and save it.

                  I think changing the default would be tremendously useful for people who have no way of knowing why Suricata is crashing over a month after the pfSense update that seemingly broke it. People who haven't, or don't have to expertise to, spend hours poring over system logs, find the right log entry to google, and make their way to this thread.

                  I beg to differ, why force everybody to use some settings as workaround, in order to track down an issue? This is not a test branch. As far as I understood from the posts here, this happens only if Suricata is in Legacy Mode. For example I use Suricata in inline mode on WAN and also on LAN with multiple VLANS and I don't encounter this issue. I'm not saying that we should not attempt to fix this, but forcing all of us to use the proposed defaults is bad practice.

                  M 1 Reply Last reply Reply Quote 0
                  • kiokomanK
                    kiokoman LAYER 8 @bmeeks
                    last edited by

                    @bmeeks said in Suricata process dying due to hyperscan problem:

                    @kiokoman said in Suricata process dying due to hyperscan problem:

                    @bmeeks
                    i have removed all the rules from an interface but the hyperscan error is still there after a few moments for me.
                    +noaslr is still doing nothing
                    any chance you can provide the dbg pkg of suricata?

                    Not at the moment. I'm trying to reconstruct my package builder for the RELENG_2_7_2 branch of CE (which is the current 2.7.2 release), and that build is failing. Working with the Netgate team on that. Once I get my package builder working again, then I can build a debug package and perhaps share it.

                    Nothing else can happen until at least after this coming weekend as I am about to be out of town for a few days.

                    Well. i'm not in a hurry , i just like to solve mistery 🕵

                    ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    1 Reply Last reply Reply Quote 0
                    • P
                      paulp
                      last edited by

                      Suricata still hangs on interfaces with higher traffic, even though I set it to use AC-KS.
                      It is strange that the same message appears with the hyperscan error, although all interfaces are set to AC-KS:
                      [104160 - W#03] 2023-12-13 16:18:07 Error: spm-hs: Hyperscan returned fatal error -1.
                      Suricata-Error.png

                      BismarckB 1 Reply Last reply Reply Quote 0
                      • BismarckB
                        Bismarck @paulp
                        last edited by

                        @paulp same here:

                        [122730 - W#04] 2023-12-12 17:20:11 Error: spm-hs: Hyperscan returned fatal error -1.

                        fe069469-a7ed-45dc-bf5f-e4551da8277c-image.png

                        1 Reply Last reply Reply Quote 0
                        • M
                          Maltz @NRgia
                          last edited by

                          @NRgia said in Suricata process dying due to hyperscan problem:

                          @Maltz said in Suricata process dying due to hyperscan problem:

                          @bmeeks said in Suricata process dying due to hyperscan problem:

                          I don't see the point in changing the default if users can just simply make the change manually and save it.

                          I think changing the default would be tremendously useful for people who have no way of knowing why Suricata is crashing over a month after the pfSense update that seemingly broke it. People who haven't, or don't have to expertise to, spend hours poring over system logs, find the right log entry to google, and make their way to this thread.

                          I beg to differ, why force everybody to use some settings as workaround, in order to track down an issue? This is not a test branch. As far as I understood from the posts here, this happens only if Suricata is in Legacy Mode. For example I use Suricata in inline mode on WAN and also on LAN with multiple VLANS and I don't encounter this issue. I'm not saying that we should not attempt to fix this, but forcing all of us to use the proposed defaults is bad practice.

                          Let me rephrase: Changing the logic around the default "Auto" setting would be useful. If AC-BS is the only one that works reliably in Legacy Mode (it's the only one that works for me at any rate) then that's the one "Auto" should choose.

                          M 1 Reply Last reply Reply Quote 2
                          • M
                            michmoor LAYER 8 Rebel Alliance @Maltz
                            last edited by michmoor

                            @Maltz
                            Exactly which is why i proposed it. As someone pointed out this isnt the dev branch this is the 'prod' branch so change the default to what is working for most instead of having people guess what the issue is, google it, find your way to the forum post and now a forum post which is already a 205 posts topic. Now the person needs to read all of this to conclude Hyperscan doesnt work.

                            Firewall: NetGate,Palo Alto-VM,Juniper SRX
                            Routing: Juniper, Arista, Cisco
                            Switching: Juniper, Arista, Cisco
                            Wireless: Unifi, Aruba IAP
                            JNCIP,CCNP Enterprise

                            1 Reply Last reply Reply Quote 0
                            • M
                              masons @bmeeks
                              last edited by

                              @bmeeks

                              This issue is incredibly frustrating to pin down. It took a full day, but I just saw the Hyperscan error on one of my VMs. The ASLR change does seem to significantly improve my ability to start Suricata instances and keep them running but, it's not a viable workaround. I've switched over to AC-BS. I'll watch this for a few days and see what happens.

                              1 Reply Last reply Reply Quote 0
                              • P
                                paulp
                                last edited by

                                Good news! At least I hope so :)
                                I changed Pattern Match to AC-BS and for now I see it has been working for about 20 hours.
                                With the Pattern Matcher Algorithm set to Auto, AC-KS or Hyperscan, Suricata stopped after a few hours on the interfaces that had higher traffic.

                                1 Reply Last reply Reply Quote 1
                                • S
                                  SteveITS Galactic Empire @bmeeks
                                  last edited by

                                  @bmeeks said in Suricata process dying due to hyperscan problem:

                                  best workaround for you guys is to select AC-CS (the normal default when Hyperscan is not present

                                  I don't seem to have AC-CS as an option on the routers I've checked?

                                  3437d83b-648d-49d8-bd5a-d4bf55ad36df-image.png

                                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                  Upvote 👍 helpful posts!

                                  M M 2 Replies Last reply Reply Quote 0
                                  • M
                                    michmoor LAYER 8 Rebel Alliance @SteveITS
                                    last edited by

                                    @SteveITS
                                    Ive read AC-KS is performing well enough.

                                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                    Routing: Juniper, Arista, Cisco
                                    Switching: Juniper, Arista, Cisco
                                    Wireless: Unifi, Aruba IAP
                                    JNCIP,CCNP Enterprise

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      Maltz @SteveITS
                                      last edited by

                                      @SteveITS I assumed that was a typo. AC-BS is the only one that works for me.

                                      B 1 Reply Last reply Reply Quote 1
                                      • kiokomanK
                                        kiokoman LAYER 8 @bmeeks
                                        last edited by kiokoman

                                        @bmeeks

                                        [101504 - Suricata-Main] 2023-12-15 16:56:12 Notice: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
                                        [153671 - RX#01-vmx2] 2023-12-15 16:56:18 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
                                        [153740 - W#05] 2023-12-15 17:24:54 Error: spm-hs: Hyperscan returned fatal error -1.

                                        15/12/2023 -- 17:24:54 - <Debug> -- sid 2200024: e 0x3919a4bcde90 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- [packet 0x3919c77ff200][no tunnel] no drop
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496b480 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- p->ts.tv_sec 1702657438
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- packet 0
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200020: e 0x3919a4bcddd0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200025
15/12/2023 -- 17:24:54 - <Debug> -- fb 0x3919554fe600 fb->head 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p 0x3919c6aec600 pkt 0x3919c6aec850 ether type 0800
15/12/2023 -- 17:24:54 - <Debug> -- pkt 0x3919c6aec85e len 454
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115470
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200020: e 0x3919a4bcddd0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200021
15/12/2023 -- 17:24:54 - <Debug> -- ssn 0x3919bc2d59c0, stream 0x3919bc2d59d0, p 0x3919c441ea00, p->payload_len 39
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- IPV4 89.37.71.254->192.168.9.89 PROTO: 17 OFFSET: 0 RF: 0 DF: 0 MF: 0 ID: 40415
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115560
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- UDP sp: 4090 -> dp: 60363 - HLEN: 8 LEN: 426
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200110: e 0x3919a4bcec40 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200111
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496c380
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a30
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports -1 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155a0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200021
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115560
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports 6081 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports 4789 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200005: e 0x3919a4bcdb30 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x3919549700c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200025: e 0x3919a4bcdec0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200111
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496b480 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200021: e 0x3919a4bcde00 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- packet 0 -- flow 0x39195496c380
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200026
15/12/2023 -- 17:24:54 - <Debug> -- packet 0 has flow? yes
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- packet 0 is TCP. Direction TOSERVER
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200006
15/12/2023 -- 17:24:54 - <Debug> -- p->pcap_cnt 0 direction toserver pkt_src wire/pcap
15/12/2023 -- 17:24:54 - <Debug> -- time we got is 1702657494 sec, 604115 usec
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- stream->seg_tree RB_MIN 0x3919bb7d63c0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200021: e 0x3919a4bcde00 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200022
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p->pcap_cnt 0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- stream_offset 0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- 0 -> seg 0x3919bb7d63c0 seq 2065244386 abs 0 size 318 abs 318 (0) ack:fully ack'd
15/12/2023 -- 17:24:54 - <Debug> -- allocated a new packet only using alloc...
15/12/2023 -- 17:24:54 - <Debug> -- size 318, cnt 1
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200022
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- stream_offset 0
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155b0
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115480
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- start: pcap_cnt 0, policy 0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- end
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115570
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a30
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200111: e 0x3919a4bcec70 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- size 0, cnt 0
15/12/2023 -- 17:24:54 - <Debug> -- p->ts.tv_sec 1702657438
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Midstream not enabled, so won't pick up a session
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- size 318, packet 0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- app progress 0
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200006: e 0x3919a4bcdb60 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200111: e 0x3919a4bcec70 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200112
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200022: e 0x3919a4bcde30 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x3919549700c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- last_ack 2065244704 (abs 318), base_seq 2065244386
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200008
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p 0x3919c6b16c00 pkt 0x3919c6b16e50 ether type 0800
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115570
15/12/2023 -- 17:24:54 - <Debug> -- packet 0: extra packets 0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- packet 0 calling Detect
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200112
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200023
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115490
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p->pcap_cnt 0 direction toserver pkt_src wire/pcap
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a40
15/12/2023 -- 17:24:54 - <Debug> -- getting one blob
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200022: e 0x3919a4bcde30 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- gap_ahead false mydata_len 318
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200023
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200008: e 0x3919a4bcdb90 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a40
15/12/2023 -- 17:24:54 - <Debug> -- pkt 0x3919c6b16e5e len 106
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- IPV4 89.37.71.254->192.168.9.89 PROTO: 17 OFFSET: 0 RF: 0 DF: 0 MF: 0 ID: 40419
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115580
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115580
15/12/2023 -- 17:24:54 - <Debug> -- UDP sp: 4090 -> dp: 60363 - HLEN: 8 LEN: 78
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x3919549700c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- flag STREAM_TOSERVER set
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p->flowflags 0x21
15/12/2023 -- 17:24:54 - <Debug> -- packet doesn't have established flag set (proto 6)
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- testing against "ip-only" signatures
15/12/2023 -- 17:24:54 - <Debug> -- ssn->state established
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports -1 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- stream 0x3919bc2d5a60 data in buffer 0x3919bc2d5a98 of len 318 and offset 0
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports 6081 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- GAP?2
15/12/2023 -- 17:24:54 - <Debug> -- parser
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200023: e 0x3919a4bcde60 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200009
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200112: e 0x3919a4bceca0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200112: e 0x3919a4bceca0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200026: e 0x3919a4bcdef0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200114
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200023: e 0x3919a4bcde60 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496b480 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200027
15/12/2023 -- 17:24:54 - <Debug> -- data_len 318 flags 05
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Stream initializer (len 318)
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a50
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1154a0
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- ports 4090->60363 ports 4789 -1 -1 -1
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200024
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200114: e 0x3919a4bcecd0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200024
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200114
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- time we got is 1702657494 sec, 605547 usec
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200115
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200009: e 0x3919a4bcdbc0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115590
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a60
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x3919549700c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- allocated a new packet only using alloc...
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200010
15/12/2023 -- 17:24:54 - <Debug> -- p->ts.tv_sec 1702657438
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- buflen 318 for toserver direction
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115590
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155c0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- searchlen 17 buflen 318
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200115: e 0x3919a4bced00 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p 0x3919c6b6a800 pkt 0x3919c6b6aa50 ether type 0800
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- pkt 0x3919c6b6aa5e len 1480
15/12/2023 -- 17:24:54 - <Debug> -- IPV4 3.160.212.64->192.168.11.161 PROTO: 6 OFFSET: 0 RF: 0 DF: 0 MF: 0 ID: 44798
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- TCP sp: 443 -> dp: 55288 - HLEN: 20 LEN: 1460
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a50
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200116
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a70
15/12/2023 -- 17:24:54 - <Debug> -- Hyperscan Match 0: id=48 @ 8 (pat id=67)
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- tcp toserver 0x3919a3e38060, tcp toclient 0x3919a3e4a520: going to use 0x3919a3e38060
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- tcp port 5900 -> 54479:5900
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1154b0
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200027: e 0x3919a4bcdf20 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200024: e 0x3919a4bcde90 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- time we got is 1702657494 sec, 605983 usec
15/12/2023 -- 17:24:54 - <Debug> -- TCP list 0x3919a3e38060, port 5900, direction toserver, sghport 0x3919555b79a0, sgh 0x3919a39ff8a0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning pointer 0x3919a39ff8a0 of type SigGroupHead ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Adding 1 sids
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200025
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200114: e 0x3919a4bcecd0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200024: e 0x3919a4bcde90 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- s->co->offset (0) s->cd->depth (8)
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200025
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200116: e 0x3919a4bced30 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200115
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155a0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200117
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a60
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496b480 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200028

                                        15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
                                        15/12/2023 -- 17:24:54 - <Error> -- Hyperscan returned fatal error -1.

                                        15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling filestore for flow
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling magic for flow
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155a0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200010: e 0x3919a4bcdbf0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a80
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling md5 for flow
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x3919549700c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200025: e 0x3919a4bcdec0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling sha1 for flow
15/12/2023 -- 17:24:54 - <Debug> -- allocated a new packet only using alloc...
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493cf40 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200011
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200115: e 0x3919a4bced00 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200116
15/12/2023 -- 17:24:54 - <Debug> -- p->ts.tv_sec 1702657438
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200026
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155d0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- p 0x3919c6cc5000 pkt 0x3919c6cc5250 ether type 0800
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling sha256 for flow
15/12/2023 -- 17:24:54 - <Debug> -- requesting disabling filesize for flow
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200117: e 0x3919a4bced60 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200025: e 0x3919a4bcdec0 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195493c7c0 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- pkt 0x3919c6cc525e len 1135
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b115a70
15/12/2023 -- 17:24:54 - <Debug> -- IPV4 3.160.212.64->192.168.11.161 PROTO: 6 OFFSET: 0 RF: 0 DF: 0 MF: 0 ID: 44799
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1154c0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- running match functions, sm 0x39195b1155b0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496f940 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200026
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- TCP sp: 443 -> dp: 55288 - HLEN: 20 LEN: 1115
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200028: e 0x3919a4bcdf50 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- f->file_flags 0555 set_file_flags 0555 g_file_flow_mask 0000
15/12/2023 -- 17:24:54 - <Debug> -- sid 2200116: e 0x3919a4bced30 Callback returned false
15/12/2023 -- 17:24:54 - <Debug> -- sgh non_pf ptr 0x3919a7a2e400 cnt 291 (syn 0x3919a7a2ee00/306, other 0x3919a7a2e400/291)
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200118
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x39195496b480 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- flow 0x391954943980 det_ctx->varlist 0x0
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>
15/12/2023 -- 17:24:54 - <Debug> -- no match
15/12/2023 -- 17:24:54 - <Debug> -- Returning: 0 ... <<
15/12/2023 -- 17:24:54 - <Debug> -- inspecting signature id 2200030
15/12/2023 -- 17:24:54 - <Debug> -- Entering ... >>

                                        gdb-debug.txt

                                        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                        Please do not use chat/PM to ask for help
                                        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                        1 Reply Last reply Reply Quote 0
                                        • B
                                          btspce @Maltz
                                          last edited by

                                          AC-BS on two 6100 in CARP/HA makes primary partially hang (after boot when suricata starts) and secondary takes over the interface that suricata was about to start on primary which results in traffic not working at all as primary still thinks it is master for the same interface. Hyperscan coredumps immediately when suricata starts.

                                          S 1 Reply Last reply Reply Quote 0
                                          • S
                                            SteveITS Galactic Empire @btspce
                                            last edited by

                                            @btspce interesting…not seeing that on our 6100 pair.🤔 only a boot not a stop/start? (Not sure I restarted again after Suricata install)

                                            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                            Upvote 👍 helpful posts!

                                            B 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.