Project

General

Profile

Actions

Bug #2306

closed

suricata 4 deadlocks during failed output log reopening

Added by Michael Stone about 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've observed a consistent pattern of behavior in which after some period of operation suricata 4 will stop responding to inputs. For example, rule reloads fail to occur either using a signal or the socket interface. When suricata is in this state it is still generating alerts, still generating protocol logs, still generating stat logs, and otherwise appears to be operating normally, but it ignores requests to reload or shut down. I don't recall this ever happening with suricata 3, but on 4 (either 4.0 or 4.0.1) it seems that the process will eventually go catatonic. This is a major impact when switching from suri 3 to suri 4, because the only way to ensure that a rule reload actually occurs is to restart the entire process. There are no syslog or other management logs associated with this behavior. (At some point it goes from normal logging that it is reloading rules to not logging anything when asked to reload rules.)


Related issues 1 (0 open1 closed)

Related to Suricata - Bug #2360: possible deadlock with signal handlingClosedVictor Julien12/14/2017Actions
Actions

Also available in: Atom PDF