On 2022/04/06 12:38, George Pontis wrote:
> > https://github.com/openbsd/ports/blob/master/security/suricata/patches/patch-suricata-update_suricata_update_config_py
> > https://github.com/openbsd/ports/blob/master/security/suricata/patches/patch-suricata-update_suricata_update_parsers_py
> 
> Is it possible that this patch is more recent than the 6.0.2p0 version
> included in the OpenBSD 7.0 amd64 packages? I gave up and uninstalled
> the package, but from the remaining logs in /var/log/messages, I can report
> the following.
> 
> Here's what was logged to /var/log/messages with the data directory set for
> /var/suricata/... and after running suricata-update.
> I might add that as soon as suricata-update starts, one of the first few
> lines of output show that it is using data directory /var/lib/suricata and
> not /var/suricata.

Thanks for the logs. The patches for this should be in the 7.0
packages - I think I ran into this myself when I tried suricata and
fixed it around 6.9. Though it was updated since then and maybe
something else crept in.

> It would have been an easy workaround to just let it use rules under
> /var/lib/suricata, but the program always quits later with "Abort trap". I
> ran it from the command line
> and logged this output:

Yes, this looks like what happened when I tried it. I decided it
looked pretty heavy software to run as well and gave up on it
myself, though it looks like some others probably have it working.

> '/var/run/suricata/suricata-command.socket'
> 5/4/2022 -- 17:16:15 - <Notice> - all 5 packet processing threads, 4
> management threads initialized, engine started.
> 5/4/2022 -- 17:16:37 - <Info> - No packets with invalid checksum, assuming
> checksum offloading is NOT used
> Abort trap

You might get some more information by installing the debug package
("pkg_add debug-suricata") and run it from a debugger ("pkg_add gdb",
"egdb suricata", "run") and when it crashes "bt". If you get
pthread_mutex_unlock showing in the first few lines of output from
this then it's probably the same issue I ran into, but maybe you
get something different that is easier to track down.

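The debugger steps in the reply above can be scripted so the backtrace is captured non-interactively and checked for the frame the reply mentions. This is an added example, not code from the thread or from the OpenBSD suricata port; it assumes an OpenBSD host with the gdb port installed (which provides the `egdb` binary), the debug-suricata package present, and suricata configured at `/etc/suricata/suricata.yaml` (both paths are overridable and are assumptions, not values from the thread).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): run suricata under egdb
# in batch mode, save the backtrace, and look for pthread_mutex_unlock in
# the first few frames, as the reply suggests doing by hand.
#
# Assumptions (not stated in the thread): the gdb port's "egdb" is on PATH,
# "pkg_add debug-suricata" has been done, and the paths below are right.
SURICATA_BIN="${SURICATA_BIN:-/usr/local/bin/suricata}"
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"

# capture_backtrace OUTFILE [extra suricata args...]
# Runs the equivalent of "egdb suricata", "run", "bt" without a terminal:
# egdb starts the program, stops when it aborts, prints the backtrace of
# the crashing thread and of every thread, and writes it all to OUTFILE.
# Returns egdb's exit status.
capture_backtrace() {
    out="$1"
    shift
    egdb -batch -quiet \
        -ex run \
        -ex bt \
        -ex 'thread apply all bt' \
        --args "$SURICATA_BIN" -c "$SURICATA_CFG" "$@" > "$out" 2>&1
}

# looks_like_mutex_crash FILE [N]
# Returns 0 if pthread_mutex_unlock appears among the first N (default 5)
# numbered frames ("#0 ...", "#1 ...") of a saved backtrace, 1 otherwise.
# The "#N" filter skips gdb's own chatter and the signal banner.
looks_like_mutex_crash() {
    file="$1"
    frames="${2:-5}"
    grep '^#[0-9]' "$file" | head -n "$frames" | grep -q pthread_mutex_unlock
}

# Typical use on the affected host (runs as root, as suricata would):
#   capture_backtrace /tmp/suricata-bt.txt -i em0
#   if looks_like_mutex_crash /tmp/suricata-bt.txt; then
#       echo "matches the pthread_mutex_unlock abort described on the list"
#   else
#       echo "different crash; see /tmp/suricata-bt.txt"
#   fi
```

The `thread apply all bt` command is included because suricata runs its packet and management threads separately, so the frame that matters may belong to a thread other than the one gdb stops on first; the saved file is what you would attach to a bug report.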