Project

General

Profile

Actions

Bug #1160

closed

Pcaps submitted via Unix Socket do not finish processing in Suricata 2

Added by jason jones over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We have been using the unix socket mode heavily in suricata 1.4 to test a large number of pcaps and have previously had no issues.

During testing of suricata2 we started hitting the open file limit and further investigation yielded that suricata does not appear to finish testing the pcaps so never releases the file handles. This has happened consistently regardless of the pcap files tested so we believe it to be an issue inside of suricata. In addition, no alerts are ever written to the log files

The pcap-file-list returns zero in suricatasc

pcap-file /home/jjones/2014-03-04-Hello-EK-traffic.pcap /tmp

Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13657684.rsrc-59750657.dynamic.pcap /tmp

Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13685528.rsrc-60216130.dynamic.pcap /tmp

Success:
"Successfully added file to list"

pcap-file /home/jjones/AML-13694010.rsrc-60587531.dynamic.pcap /tmp

Success:
"Successfully added file to list"

pcap-file /home/jjones/d8ee9cd4d89657117b199b99120a59e0.pcap /tmp

Success:
"Successfully added file to list"

pcap-file-number

Success:
0

pcap-current

Success:
"None"

pcap-file-list

Success: {
"count": 0,
"files": []
}

LSOF output from minutes after asking for the pcaps to be tested (normally we have a separate directory per pcap with the same results):

Suricata- 15695 root 10u unix 0xffff8808d6ada680 0t0 6614358 socket
Suricata- 15695 root 11w REG 252,0 80236 8257552 /tmp/fast.log
Suricata- 15695 root 12w REG 252,0 3053 8257719 /tmp/unified2.alert.1396377326
Suricata- 15695 root 13w REG 252,0 12344 8257554 /tmp/http.log
Suricata- 15695 root 14w REG 252,0 80236 8257552 /tmp/fast.log
Suricata- 15695 root 15w REG 252,0 0 8257725 /tmp/unified2.alert.1396377327
Suricata- 15695 root 16w REG 252,0 12344 8257554 /tmp/http.log
Suricata- 15695 root 17w REG 252,0 80236 8257552 /tmp/fast.log
Suricata- 15695 root 18w REG 252,0 0 8257734 /tmp/unified2.alert.1396377328
Suricata- 15695 root 19w REG 252,0 12344 8257554 /tmp/http.log
Suricata- 15695 root 20w REG 252,0 80236 8257552 /tmp/fast.log
Suricata- 15695 root 21w REG 252,0 0 8257743 /tmp/unified2.alert.1396377329
Suricata- 15695 root 22w REG 252,0 12344 8257554 /tmp/http.log


Files

suricata2.log (27.8 KB) suricata2.log suricata 2.0 release logfile jason jones, 04/01/2014 01:48 PM
Actions

Also available in: Atom PDF