Suricata core dump on sig 10?

RobertK 1

Hi, Have anyone ever seen Suricata core dump on sig 10? Nothing in the logs around that time, Suricata 7.0.3, pfsense CE 2.7.2, IDS mode with PCAP, ET open ruleset. Where should I start?

Mar 5 09:17:08 bfbpfw-1 kernel: pid 65939 (suricata), jid 0, uid 0: exited on signal 10 (core dumped)

bmeeks

What kind of hardware?

Signal 10 is a SIGBUS (bus error) and is usually caused by non-aligned memory access (which means attempting to read or write memory at an address that is not word-aligned). This error is most common on ARM hardware, especially the older 32-bit ARM chip used in the SG_3100. It's not so common on Intel CPUs as they automatically fix-up any non-aligned memory access.

I see you are running CE 2.7.2, so since there is no ARM image for that, I assume you are running pfSense on Intel/AMD CPU hardware.

This error can also happen due to faulty RAM, but that is rare.

Here is a Wikipedia article describing this type of error: https://en.wikipedia.org/wiki/Bus_error. There is nothing you can do or change on your end in software to impact the error. Does it recur frequently, or was this a one-off event?

RobertK 1

@bmeeks Thanks for your reply, I have not seen SIGBUS errors before, this is the first time. You were right, it's running on Intel CPU. So I guess I'll wait and see, if it happens again then I'll try to with another RAM module.