Dragonfly-mle Core Dump

Hi guys
first of all compliments for your project.

I set up the environment on VMware, configured 2 ETH (1 for MGT and 1 for the TAP), routed my network flow through the TAP device to the TAP Eth, configured and started Suricata, and tried a configuration for Dragonfly, following the example…

but I am getting a "core dump" from Dragonfly:

below an extract of the log with the error:

this is the content of /var/log/suricata:

root@OPNids:/var/log/redis # cd /var/log/suricata
root@OPNids:/var/log/suricata # ls -la
total 30531436
drwx------ 3 root wheel 512 Feb 14 15:00 .
drwxr-xr-x 9 root wheel 1024 Feb 14 03:01 ..
drwx------ 2 root wheel 512 Feb 14 13:00 certs
-rwx------ 1 root wheel 1944380430 Feb 14 15:29 dns.log
-rw-r----- 1 root wheel 4273867838 Feb 14 15:29 eve.json
-rw-r----- 1 root wheel 9684643360 Feb 14 15:00 eve.json.0
-rw-r----- 1 root wheel 9017721619 Feb 14 14:00 eve.json.1
-rwx------ 1 root wheel 0 Feb 7 20:23 eve.json.3
-rwx------ 1 root wheel 5839445113 Feb 14 15:29 fast.log
-rw-r----- 1 root wheel 850196 Feb 14 15:28 files-json.log
-rwx------ 1 root wheel 1588261 Feb 14 15:29 http.log
-rwx------ 1 root wheel 42054683 Feb 14 15:29 stats.log
-rwx------ 1 root wheel 66522376 Feb 14 00:00 stats.log.0
-rwx------ 1 root wheel 66488977 Feb 13 00:00 stats.log.1
-rwx------ 1 root wheel 66430215 Feb 12 00:00 stats.log.2
-rwx------ 1 root wheel 66345426 Feb 11 00:00 stats.log.3
-rwx------ 1 root wheel 66226633 Feb 10 00:00 stats.log.4
-rwx------ 1 root wheel 65635405 Feb 9 00:00 stats.log.5
-rwx------ 1 root wheel 51176720 Feb 8 00:00 stats.log.6
-rwx------ 1 root wheel 2368750 Feb 14 14:31 tls.log
root@OPNids:/var/log/suricata #

this is the content of my config.lua:

root@OPNids:/usr/local/dragonfly-mle # more config/config.lua

redis_host = "127.0.0.1"
redis_port = "6379"


-- Input queues/processors


inputs = {
{ tag="eve", uri="tail:///var/log/suricata/eve.json", script="suricata-filter.lua", default_analyzer="alert"},
-- { tag="http", uri="file:///var/log/suricata/http.log", script="suricata-filter.lua", default_analyzer="alert"},
{ tag="dns", uri="file:///var/log/suricata/dns.log", script="suricata-filter.lua", default_analyzer="alert"}
}


-- Analyzer queues/processors


analyzers = {
{ tag="alert", script="example-alert.lua", default_analyzer="alert", default_output="log" },
-- { tag="eve", script="default-analyzer.lua"},
-- {tag="http", script="example-alert.lua"},
{ tag="dns", script="example-dns.lua", default_analyzer="alert", default_output="log" }
}


-- Output queues/processors


outputs = {
{ tag="log", uri="file://dragonfly-example.log"}
-- {tag="eve", uri="file://eve-alerts.log"},
-- {tag="http", uri="file://http-alerts.log"},
-- {tag="dns", uri="file://dns-alerts.log"}
}
root@OPNids:/usr/local/dragonfly-mle #

this is the error log that I see from the dashboard (system log) when I try to start dragonfly:

Feb 14 15:27:40 kernel: pid 30276 (dragonfly-mle), uid 0: exited on signal 4 (core dumped)
Feb 14 15:27:40 dragonfly: Running log
Feb 14 15:27:40 dragonfly: Running {stats}
Feb 14 15:27:40 dragonfly: lua_input_loop: lua_pcall error : - /usr/local/dragonfly-mle/filter/suricata-filter.lua:39: Expected the end but found invalid token at character 3
Feb 14 15:27:40 dragonfly: Running {log}
Feb 14 15:27:40 dragonfly: Running dns
Feb 14 15:27:40 dragonfly: dns: opening file:///var/log/suricata/dns.log
Feb 14 15:27:40 dragonfly: eve: opening tail:///var/log/suricata/eve.json
Feb 14 15:27:40 dragonfly: Running eve
Feb 14 15:27:40 dragonfly: Running eve
Feb 14 15:27:40 dragonfly: Running dns
Feb 14 15:27:40 kernel: -> pid: 30027 ppid: 29721 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Feb 14 15:27:40 kernel: [HBSD SEGVGUARD] [/usr/local/dragonfly-mle/bin/dragonfly-mle (30027)] Suspension expired.

Where am I wrong?
Is it possible to run the environment in debug mode?

I'm available for other logs or config files (e.g. /usr/local/etc/suricata/suricata.yaml).

thanks in advance
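Added example, not part of dragonfly-mle or of this thread: a pre-flight check that reads the active entries of the inputs table in config.lua, then reports the first line of each input file that is not a JSON document (line number and 1-based character offset, the same shape as the Lua error quoted above). It assumes suricata-filter.lua JSON-decodes every input line and uses a constructed config fragment and constructed log files in place of the real /var/log/suricata.

```python
import json
import re
import tempfile
from pathlib import Path

# One active entry of the config.lua inputs table (assumed shape, matching the config posted above).
INPUT_RE = re.compile(r'^\s*\{\s*tag\s*=\s*"(?P<tag>[^"]+)"\s*,\s*uri\s*=\s*"(?:file|tail)://'
                      r'(?P<path>[^"]+)".*?script\s*=\s*"(?P<script>[^"]+)"')

# Constructed config fragment in the same shape as the one posted above.
SAMPLE_CONFIG = '''inputs = {
{ tag="eve", uri="tail:///var/log/suricata/eve.json", script="suricata-filter.lua", default_analyzer="alert"},
-- { tag="http", uri="file:///var/log/suricata/http.log", script="suricata-filter.lua", default_analyzer="alert"},
{ tag="dns", uri="file:///var/log/suricata/dns.log", script="suricata-filter.lua", default_analyzer="alert"}
}'''

def parse_inputs(config_text):
    """Return the active (not '--' commented) inputs as (tag, path, script) tuples."""
    found = []
    for line in config_text.splitlines():
        m = None if line.lstrip().startswith("--") else INPUT_RE.match(line)
        if m:
            found.append((m["tag"], m["path"], m["script"]))
    return found

def first_bad_json_line(path):
    """(line_no, char_pos, text) of the first line that is not a JSON document, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            try:
                json.loads(line)
            except json.JSONDecodeError as e:
                return n, e.pos + 1, line.rstrip("\n")   # 1-based offset, like the Lua error
    return None

def check_config(config_text, root="/"):
    """Map each input tag to its first non-JSON line; None means the file decodes cleanly."""
    return {tag: first_bad_json_line(Path(root) / path.lstrip("/"))
            for tag, path, _script in parse_inputs(config_text)}

def build_sample():
    """Constructed stand-in for /var/log/suricata: eve.json holds JSON lines, dns.log a plain-text line."""
    root = Path(tempfile.mkdtemp())
    logdir = root / "var/log/suricata"
    logdir.mkdir(parents=True)
    (logdir / "eve.json").write_text('{"event_type":"alert","src_ip":"10.0.0.5"}\n{"event_type":"dns"}\n')
    (logdir / "dns.log").write_text("02/14/2019-15:27:40.000001 [**] Query TX 1 [**] example.test [**] A [**] 10.0.0.5:5353 -> 10.0.0.1:53\n")
    return SAMPLE_CONFIG, str(root)

if __name__ == "__main__":
    for tag, bad in check_config(*build_sample()).items():
        print(tag, "ok" if bad is None else f"line {bad[0]} char {bad[1]}: {bad[2]}")
```

Run it against the real config.lua and root="/" to see which input, if any, feeds non-JSON lines to the filter before starting dragonfly-mle.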

Hi Mardux,

We have come across similar issues when running MLE on VMware but have not yet identified the root cause. We are still working on it.

In the meantime, I could suggest either using another VM environment (like VirtualBox) or trying it on a standalone machine.

-Ash

Hi Ash

thanks for your reply.

Does it work on VirtualBox or on physical environments in your case?

Hi Mardux,

I’ve tested it on both physical and VirtualBox. They both work. Hope you can try it soon. If you run into any problems, I can try and help.

Best,
-Ash