Bug #1160
Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Status: Closed
Description
We have been using the unix socket mode heavily in Suricata 1.4 to test a large number of pcaps and have previously had no issues.
During testing of Suricata 2 we started hitting the open file limit, and further investigation showed that Suricata does not appear to finish testing the pcaps, so it never releases the file handles. This has happened consistently regardless of the pcap files tested, so we believe it to be an issue inside Suricata. In addition, no alerts are ever written to the log files.
pcap-file-list returns zero in suricatasc:
pcap-file /home/jjones/2014-03-04-Hello-EK-traffic.pcap /tmp
Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13657684.rsrc-59750657.dynamic.pcap /tmp
Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13685528.rsrc-60216130.dynamic.pcap /tmp
Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13694010.rsrc-60587531.dynamic.pcap /tmp
Success:
"Successfully added file to list"

pcap-file /home/jjones/d8ee9cd4d89657117b199b99120a59e0.pcap /tmp
Success:
"Successfully added file to list"

pcap-file-number
Success:
0

pcap-current
Success:
"None"

pcap-file-list
Success: {
"count": 0,
"files": []
}
lsof output from minutes after asking for the pcaps to be tested (normally we have a separate directory per pcap, with the same results):
COMMAND   PID   USER FD  TYPE DEVICE             SIZE/OFF NODE    NAME
Suricata- 15695 root 10u unix 0xffff8808d6ada680 0t0      6614358 socket
Suricata- 15695 root 11w REG  252,0              80236    8257552 /tmp/fast.log
Suricata- 15695 root 12w REG  252,0              3053     8257719 /tmp/unified2.alert.1396377326
Suricata- 15695 root 13w REG  252,0              12344    8257554 /tmp/http.log
Suricata- 15695 root 14w REG  252,0              80236    8257552 /tmp/fast.log
Suricata- 15695 root 15w REG  252,0              0        8257725 /tmp/unified2.alert.1396377327
Suricata- 15695 root 16w REG  252,0              12344    8257554 /tmp/http.log
Suricata- 15695 root 17w REG  252,0              80236    8257552 /tmp/fast.log
Suricata- 15695 root 18w REG  252,0              0        8257734 /tmp/unified2.alert.1396377328
Suricata- 15695 root 19w REG  252,0              12344    8257554 /tmp/http.log
Suricata- 15695 root 20w REG  252,0              80236    8257552 /tmp/fast.log
Suricata- 15695 root 21w REG  252,0              0        8257743 /tmp/unified2.alert.1396377329
Suricata- 15695 root 22w REG  252,0              12344    8257554 /tmp/http.log
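A scripted version of the check described in the report, added here as an example (it is not code from the report or from Suricata). It speaks the command-socket protocol that suricatasc uses (a {"version": ...} handshake, then {"command": ..., "arguments": {...}} messages answered with {"return": "OK"|"NOK", "message": ...}), submits a batch with pcap-file, and then polls pcap-file-number and pcap-current instead of trusting "Successfully added file to list". A batch that is acknowledged but never shows up as pending or current is exactly the signature in the transcript above, and the before/after descriptor count read from /proc catches the handle build-up the lsof listing shows. The version string "0.1", the constructed pcap paths, and the MockSuricata class (a stand-in that advances one file per query so the script runs without a Suricata process) are assumptions of this example; against a real Suricata, pass the socket path configured under unix-command in suricata.yaml and Suricata's pid to run_batch.

```python
import json
import os
import socket
import tempfile
import threading
import time

PROTOCOL_VERSION = "0.1"  # assumption: the handshake version Suricata 2.0 accepts
BUFSIZE = 4096

class SuricataSocket:
    """Client for Suricata's command socket using suricatasc's framing (see lead-in)."""

    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self.sock.sendall(json.dumps({"version": PROTOCOL_VERSION}).encode())
        if self._recv().get("return") != "OK":
            raise RuntimeError("handshake rejected")

    def _recv(self):
        data = b""
        while chunk := self.sock.recv(BUFSIZE):  # long replies may span several reads
            data += chunk
            try:
                return json.loads(data.decode())
            except ValueError:
                continue
        raise RuntimeError("socket closed mid-reply")

    def command(self, name, **arguments):
        msg = {"command": name, **({"arguments": arguments} if arguments else {})}
        self.sock.sendall(json.dumps(msg).encode())
        reply = self._recv()
        if reply.get("return") != "OK":
            raise RuntimeError(f"{name}: {reply.get('message')}")
        return reply.get("message")

def count_open_fds(pid):  # /proc based (Linux); None when pid is None or unreadable
    try:
        return len(os.listdir(f"/proc/{pid}/fd")) if pid else None
    except OSError:
        return None

def run_batch(socket_path, pcaps, output_dir, timeout=10.0, poll=0.02, pid=None):
    """Submit pcaps, then poll until nothing is pending or current. 'never-queued':
    acknowledged but never seen in flight (the report's symptom, or a batch that
    finished before the first poll). fd counts bracket the run to expose leaks."""
    fds_before = count_open_fds(pid)
    cli = SuricataSocket(socket_path)
    peak, status, deadline = 0, "timeout", time.monotonic() + timeout
    try:
        for path in pcaps:
            cli.command("pcap-file", filename=path, **{"output-dir": output_dir})
        while time.monotonic() < deadline:
            in_flight = cli.command("pcap-file-number")
            in_flight += 0 if cli.command("pcap-current") == "None" else 1
            peak = max(peak, in_flight)
            if in_flight == 0:
                status = "drained" if peak else "never-queued"
                break
            time.sleep(poll)
    finally:
        cli.sock.close()
    return {"submitted": len(pcaps), "peak_in_flight": peak, "status": status,
            "fds_before": fds_before, "fds_after": count_open_fds(pid)}

class MockSuricata(threading.Thread):
    """Constructed stand-in for the unix manager (offline runs only): mode='ok'
    advances the queue one file per pcap-current query; mode='stuck' acknowledges
    each file and then loses it, as in the report."""

    def __init__(self, path, mode="ok"):
        super().__init__(daemon=True)
        self.mode, self.queue, self.current = mode, [], None
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)
        self.srv.listen(1)

    def _reply(self, cmd, args):
        if cmd == "pcap-file":
            if self.mode == "ok":
                self.queue.append(args["filename"])
            return "OK", "Successfully added file to list"
        if cmd == "pcap-file-number":
            return "OK", len(self.queue)
        if cmd == "pcap-current":
            self.current = self.queue.pop(0) if self.queue else None
            return "OK", self.current or "None"
        return "NOK", "Unknown command"

    def run(self):
        conn, _ = self.srv.accept()
        conn.recv(BUFSIZE)  # {"version": ...} handshake; accepted unconditionally here
        conn.sendall(b'{"return": "OK"}')
        while raw := conn.recv(BUFSIZE):
            msg = json.loads(raw)
            ret, message = self._reply(msg.get("command"), msg.get("arguments", {}))
            conn.sendall(json.dumps({"return": ret, "message": message}).encode())
        conn.close()

def demo(mode, pcaps=("/constructed/a.pcap", "/constructed/b.pcap", "/constructed/c.pcap")):
    path = os.path.join(tempfile.mkdtemp(), "suricata-command.socket")  # constructed
    MockSuricata(path, mode=mode).start()
    return run_batch(path, list(pcaps), "/tmp")

if __name__ == "__main__":
    print(demo("ok"), demo("stuck"), sep="\n")
```

demo("ok") returns status "drained" with a peak of four in flight (three pending plus the current file); demo("stuck") returns "never-queued" because the mock, like the Suricata in the report, says "Successfully added" and then shows an empty queue. In a real run, read "never-queued" together with the fd delta and the contents of the output directory, since a very small batch can also finish before the first poll.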
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
Updated by Victor Julien over 10 years ago
Multiple people have reported this; it seems that the pcap processing mode is currently broken.
Updated by Victor Julien over 10 years ago
This should be fixed in https://github.com/inliniac/suricata/pull/926, please test! To do so, just check out the git master.
Updated by jason jones over 10 years ago
Victor Julien wrote:
This should be fixed in https://github.com/inliniac/suricata/pull/926, please test! To do so, just check out the git master.
I verified on a small set of pcaps that they are processed, files are closed, and that the expected alerts are generated into the specified output dir.
I will test a larger set today and notify if I see any issues.
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- Assignee changed from Eric Leblond to Victor Julien
- % Done changed from 70 to 100
Thanks, assuming it's fixed. Please reopen if the same issue reappears.