In this case we have an Ubuntu guest with kernel 3.2 as the virtual guest OS and the latest Suricata dev edition as of the moment of this writing.
[This solution blog-post would not have been possible without the help of Victor Julien - his blog]
This is a situation where Xen virtualization is used and Suricata cannot start unless it is compiled with "--disable-gccmarch-native" on the particular virtual guest.
There is no other error message (and no core file, even when compiled with debugging) besides the following:
root@ip-xx-xxx-xxx-xxx:/# suricata -c /etc/suricata/suricata.yaml -i eth0
[14844] 23/1/2014 -- 10:26:32 - (suricata.c:942) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev a77b9b3)
Illegal instruction (core dumped)
Even when trying it with and without sudo (just for the sake of playing with it), you can notice the difference between the two commands:
root@ip-xx-xxx-xxx-xxx:/# sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -v
[15562] 23/1/2014 -- 10:58:10 - (suricata.c:942) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev a77b9b3)
[15562] 23/1/2014 -- 10:58:10 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
root@ip-xx-xxx-xxx-xxx:/#
root@ip-xx-xxx-xxx-xxx:/#
root@ip-xx-xxx-xxx-xxx:/# suricata -c /etc/suricata/suricata.yaml -i eth0 -v
[15564] 23/1/2014 -- 10:58:15 - (suricata.c:942) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev a77b9b3)
[15564] 23/1/2014 -- 10:58:15 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
Illegal instruction (core dumped)
root@ip-xx-xxx-xxx-xxx:/#
root@ip-xx-xxx-xxx-xxx:/# whoami
root
root@ip-xx-xxx-xxx-xxx:/#
Notice how in the first case there is not even an error message. In either case Suri never starts and never dumps a core, even when it is compiled with debugging enabled via CFLAGS, i.e.:
CFLAGS="-O0 -ggdb" ./configure
Whether the --disable-gccmarch-native option was used during the configure stage can be determined from the output of the build-info command:
root@ip-xx-xxx-xxx-xxx:/# suricata --build-info
This is Suricata version 2.0dev (rev a77b9b3)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.9, linked against LibHTP v0.5.9
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
libnss support: yes
libnspr support: yes
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
root@ip-xx-xxx-xxx-xxx:/#
The output above shows the default behavior: GCC march native is enabled during the configure stage unless it is explicitly disabled.
Having run into the problem described above (basically, Suricata can't start), I did some investigation and
root@ip-xx-xxx-xxx-xxx:/opt/oisf# dmesg |grep virt
[ 0.000000] Linux version 3.2.0-54-virtual (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #82-Ubuntu SMP Tue Sep 10 20:31:18 UTC 2013 (Ubuntu 3.2.0-54.82-virtual 3.2.50)
[ 0.000000] Booting paravirtualized kernel on Xen
[1960849.933770] Initialising Xen virtual ethernet driver.
root@ip-xx-xxx-xxx-xxx:/opt/oisf#
what do you know... a virtual machine :)
I wanted to be 100% sure that this was the case, based on a command's output; otherwise I merely suspected it was a virtual server. I did try all of the commands below to determine whether it is a virtual machine:
root@ip-xx-xxx-xxx-xxx:/opt/oisf# ethtool -i eth0
driver: vif
version:
firmware-version:
bus-info: vif-0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
root@ip-xx-xxx-xxx-xxx:/opt/oisf# dmidecode | grep -i vmware
root@ip-xx-xxx-xxx-xxx:/opt/oisf# dmidecode
# dmidecode 2.11
# No SMBIOS nor DMI entry point found, sorry.
root@ip-xx-xxx-xxx-xxx:/opt/oisf# cat /proc/scsi/scsi
root@ip-xx-xxx-xxx-xxx:/opt/oisf# lshw -class system
ip-xx-xxx-xxx-xxx
description: Computer
width: 64 bits
capabilities: vsyscall32
root@ip-xx-xxx-xxx-xxx:/opt/oisf# lspci | grep -i vmware
root@ip-xx-xxx-xxx-xxx:/opt/oisf# lspci | grep -i virt
Only dmesg | grep virt (and hints from ethtool -i eth0) returned what I was looking for.
Disabling GCC march native during the configure stage and recompiling did the trick, and I was able to start and run Suri without a problem.
root@ip-xx-xxx-xxx-xxx:/opt/oisf# suricata --build-info
This is Suricata version 2.0dev (rev a77b9b3)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.9, linked against LibHTP v0.5.9
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
libnss support: yes
libnspr support: yes
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: no
GCC Profile enabled: no
root@ip-xx-xxx-xxx-xxx:/opt/oisf#
NOTICE:
GCC march native enabled: no
You would get the above result when compiling this way (this build uses the latest git dev edition at the moment of this writing):
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && CFLAGS="-O0 -ggdb" ./configure \
--prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--disable-gccmarch-native \
--enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean \
&& sudo make \
&& sudo make install \
&& sudo ldconfig
as compared with:
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && CFLAGS="-O0 -ggdb" ./configure \
--prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean \
&& sudo make \
&& sudo make install \
&& sudo ldconfig
Notice "--disable-gccmarch-native" is missing in the second one.
The most important thing: if you get the same problem on a virtual guest, configure/compile with --disable-gccmarch-native.
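As an added diagnostic (not part of the original post or of Suricata itself), the following POSIX shell script predicts the "Illegal instruction" failure before you start the daemon: it takes the SIMD and atomics lines that a -march=native build reports in suricata --build-info and checks whether the guest kernel actually exposes the matching flags in /proc/cpuinfo. The mapping of Suricata's SIMD names to cpuinfo flag names and the sample inputs are my assumptions/constructed data, based on the two build-info outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original post): compare the CPU features a
# -march=native Suricata build reports in `suricata --build-info` with the
# flags the guest kernel exposes in /proc/cpuinfo. Samples are constructed.

# Assumed mapping from build-info SIMD names to /proc/cpuinfo flag names
# (the kernel reports SSE3 as "pni").
simd_to_cpuflag() {
    case "$1" in
        SSE_3)   echo pni ;;
        SSE_4_1) echo sse4_1 ;;
        SSE_4_2) echo sse4_2 ;;
        *)       echo "$1" | tr 'A-Z' 'a-z' ;;   # best effort for other names
    esac
}

# Args: build-info text, /proc/cpuinfo text. Prints the cpuinfo flags the
# build requires but the guest lacks (empty output means no mismatch).
missing_cpu_flags() {
    build_info=$1; cpuinfo=$2
    flags=$(printf '%s\n' "$cpuinfo" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    required=""
    for s in $(printf '%s\n' "$build_info" | sed -n 's/^SIMD support:[[:space:]]*//p'); do
        [ "$s" = none ] || required="$required $(simd_to_cpuflag "$s")"
    done
    # 16-byte atomics need cmpxchg16b, which cpuinfo lists as "cx16".
    atomics=$(printf '%s\n' "$build_info" | sed -n 's/^Atomic intri[n]*sics:[[:space:]]*//p')
    case " $atomics " in *" 16 "*) required="$required cx16" ;; esac
    missing=""
    for f in $required; do
        case " $flags " in *" $f "*) ;; *) missing="$missing $f" ;; esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed samples: the SIMD/atomics lines of the post's two builds, and a
# cpuinfo excerpt for a guest whose hypervisor exposes SSE4.1 but not SSE4.2.
BUILD_NATIVE='SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)'
BUILD_GENERIC='SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)'
CPUINFO_GUEST='processor       : 0
flags           : fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm pni ssse3 cx16 sse4_1 hypervisor'

missing_cpu_flags "$BUILD_NATIVE" "$CPUINFO_GUEST"    # prints: sse4_2
missing_cpu_flags "$BUILD_GENERIC" "$CPUINFO_GUEST"   # prints nothing

# On a real guest: non-empty output means the binary will likely die with
# SIGILL, so rebuild with --disable-gccmarch-native.
if command -v suricata >/dev/null 2>&1 && [ -r /proc/cpuinfo ]; then
    missing_cpu_flags "$(suricata --build-info 2>/dev/null)" "$(cat /proc/cpuinfo)"
fi
```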