Bug #2451
closed
Missing Files Will Cause Pcap Thread to No Longer Run in Unix Socket Mode
Added by Danny Browning over 6 years ago.
Updated over 6 years ago.
Description
If a pcap file that does not exist (e.g. because of slow I/O) is sent to the unix socket for processing, the pcap thread returns a failure and is not restarted.
perl code:
use strict;
use warnings;
use IO::Socket::UNIX;

# $SOCKET, $TIMEOUT and $fastlog are used but never defined in the excerpt;
# the values below are assumed so the script compiles.
my $SOCKET     = '/var/run/suricata/suricata-command.socket';
my $TIMEOUT    = 10;
my $pcap_file  = '/tmp/suri/dump.pcap';
my $pcap_store = '/tmp/suri/';
my $fastlog    = $pcap_store . 'fast.log';

# Create socket
my $server = IO::Socket::UNIX->new(
    Peer    => $SOCKET,
    Type    => SOCK_STREAM,
    Timeout => $TIMEOUT
) or die "[E] Can't connect to $SOCKET: $!";

# Only process the pcap when it actually exists!
if (-e $pcap_file) {
    # 'my $ref->{key} = ...' does not compile in Perl; build the hashref first
    my $suricata_request = { command => 'pcap-file', arguments => {} };
    $suricata_request->{'arguments'}{'filename'}   = $pcap_file;
    $suricata_request->{'arguments'}{'output-dir'} = $pcap_store;
    my $response = send_suricata($suricata_request);   # defined elsewhere in the script (not shown)
    # ...
    # (some error handling)
    # ...
    my $try = 0;
    while (1) {
        print "Checking for: " . $pcap_store . "fast.log\n";
        if (-e $fastlog) {
            print "Suricata processing finished!\n";
            last;       # leave the loop once the output exists
        }
        else {
            print "Waiting for pcap to be processed ($try)\n";
            $try++;
            sleep 1;    # do not busy-loop while waiting
        }
    }
}
Error log:
2018-02-27T14:33:19.641205+00:00 suri-ams suricata: [31230] <Info> -- Alerts: 0
2018-02-27T14:33:19.686327+00:00 suri-ams suricata: [31230] <Info> -- pcap-file.tenant-id not set
2018-02-27T14:33:19.713970+00:00 suri-ams suricata: [31230] <Info> -- fast output device (regular) initialized: fast.log
2018-02-27T14:33:19.728454+00:00 suri-ams suricata: [31230] <Info> -- tls-log output device (regular) initialized: tls.log
2018-02-27T14:33:19.728568+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead
2018-02-27T14:33:19.729061+00:00 suri-ams suricata: [31230] <Info> -- md5 calculation requires linking against libnss
2018-02-27T14:33:19.729129+00:00 suri-ams suricata: [31230] <Info> -- storing files in /tmp/suri/files
2018-02-27T14:33:19.729192+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Please use 'tls-store' in YAML to configure TLS storage
2018-02-27T14:33:19.729559+00:00 suri-ams suricata: [31230] <Info> -- storing certs in /tmp/suri/certs
2018-02-27T14:33:19.742466+00:00 suri-ams suricata: [4853] <Info> -- Checking file or directory /tmp/suri/dump.pcap
2018-02-27T14:33:19.742656+00:00 suri-ams suricata: [4853] <Error> -- [ERRCODE: SC_ERR_FOPEN(44)] - /tmp/suri/dump.pcap: Does not exist, or name is an empty string
2018-02-27T14:33:20.070135+00:00 suri-ams suricata: [31230] <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0145
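A defensive client for the same pcap-file workflow, added here as an example and not code from the report or from Suricata's own suricatasc: it refuses to submit a path until the file exists and has stopped growing, performs the unix socket version handshake, and checks Suricata's JSON return value instead of assuming success. The socket path is an assumed default, and the `file_is_complete` and `submit_pcap` helpers are this example's own.

```python
import json, os, socket, time
SURICATA_SOCKET = "/var/run/suricata/suricata-command.socket"  # assumed default path
PROTOCOL_VERSION = "0.1"  # version string suricatasc sends when it connects

def build_pcap_file_command(pcap_path, output_dir):
    # Same command the report's Perl client sends.
    return {"command": "pcap-file",
            "arguments": {"filename": pcap_path, "output-dir": output_dir}}

def file_is_complete(path, settle_seconds=1.0, polls=3):
    # Exists, non-empty and size unchanged over `polls` samples: not still being written.
    if not os.path.isfile(path):
        return False
    sizes = []
    for _ in range(polls):
        sizes.append(os.path.getsize(path))
        time.sleep(settle_seconds)
    return sizes[-1] > 0 and len(set(sizes)) == 1

def parse_response(raw):
    # Suricata replies {"return": "OK"|"NOK", "message": ...}; anything else is failure.
    try:
        reply = json.loads(raw)
    except ValueError:
        return False, "non-JSON reply: %r" % raw
    return reply.get("return") == "OK", str(reply.get("message", ""))

def _exchange(sock, obj):
    # Send one JSON object, then read until a complete JSON reply has arrived.
    sock.sendall(json.dumps(obj).encode())
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("suricata closed the socket")
        buf += chunk
        try:
            json.loads(buf)
            return buf.decode()
        except ValueError:
            continue

def submit_pcap(pcap_path, output_dir, sock_path=SURICATA_SOCKET, timeout=10):
    # Never hand Suricata a path it cannot open: that is the failure in the report.
    if not file_is_complete(pcap_path):
        return False, "not submitted: %s is missing or still being written" % pcap_path
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        ok, msg = parse_response(_exchange(s, {"version": PROTOCOL_VERSION}))
        if not ok:
            return False, "handshake rejected: " + msg
        return parse_response(_exchange(s, build_pcap_file_command(pcap_path, output_dir)))
```

Call `submit_pcap("/tmp/suri/dump.pcap", "/tmp/suri/")` and act on the returned `(ok, message)` pair; a NOK reply or a missing file is reported to the caller rather than silently taking down the capture thread.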
- Target version set to TBD
Can you provide details about suricata version etc.?
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1