Project

General

Profile

Actions

Bug #2662

closed

unix socket - memcap read/set showing unlimited where there are limited values configured by default

Added by Peter Manev almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using - This is Suricata version 4.1.0-dev (rev 033e7569)
via Unix socket - some memcaps have a default limit configured in yaml - like for example stream and stream.reassembly/flow. It seems the command via unix socket does not read those in correctly .

>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "unlimited" 
    },
    {
        "name": "stream-reassembly",
        "value": "unlimited" 
    },
    {
        "name": "flow",
        "value": "unlimited" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "unlimited" 
    },
    {
        "name": "ippair",
        "value": "unlimited" 
    },
    {
        "name": "host",
        "value": "32mb" 
    }
]
>>> memcap-show stream
Success:
{
    "value": "unlimited" 
}

Actions #1

Updated by Victor Julien almost 6 years ago

  • Assignee set to Giuseppe Longo

Giuseppe, I think you wrote this feature. Could you check this out? Thanks!

Actions #2

Updated by Giuseppe Longo almost 6 years ago

Yes sure.

Actions #3

Updated by Giuseppe Longo almost 6 years ago

Not able to reproduce the issue with the default config.

This is Suricata version 4.1.0-dev (rev 787473ec6)

>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "64mb" 
    },
    {
        "name": "stream-reassembly",
        "value": "256mb" 
    },
    {
        "name": "flow",
        "value": "128mb" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "32mb" 
    },
    {
        "name": "ippair",
        "value": "16mb" 
    },
    {
        "name": "host",
        "value": "32mb" 
    }
]
>>> memcap-show stream
Success:
{
    "value": "64mb" 
}
>>>

# ./bin/suricata --dump-config | grep -i "memcap" 
defrag.memcap = 32mb
flow.memcap = 128mb
stream.memcap = 64mb
stream.reassembly.memcap = 256mb
host.memcap = 32mb

Actions #4

Updated by Peter Manev almost 6 years ago

It actually happens when there is no config present if installed in a non default location:


pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricatasc /opt/suritest/var/run/suricata/suricata-command.socket 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, pcap-file, pcap-file-continuous, pcap-file-number, pcap-file-list, pcap-last-processed, pcap-interrupt, pcap-current, quit
>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "unlimited" 
    },
    {
        "name": "stream-reassembly",
        "value": "unlimited" 
    },
    {
        "name": "flow",
        "value": "unlimited" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "unlimited" 
    },
    {
        "name": "ippair",
        "value": "unlimited" 
    },
    {
        "name": "host",
        "value": "16mb" 
    }
]
>>> quit
[+] Quit command client
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricata -V
This is Suricata version 4.1.0-dev (rev 787473ec)
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ 

pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricata -T
[12959] 20/11/2018 -- 09:45:59 - (suricata.c:1895) <Info> (ParseCommandLine) -- Running suricata under test mode
[12959] 20/11/2018 -- 09:45:59 - (conf-yaml-loader.c:430) <Error> (ConfYamlLoadFile) -- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /opt/suritest/etc/suricata//suricata.yaml: No such file or directory
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ 
Actions #5

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Target version set to 5.0beta1
Actions #6

Updated by Victor Julien over 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
Actions #7

Updated by Andreas Herz over 5 years ago

I can't reproduce it, can you share the exact details peter?

Actions #8

Updated by Peter Manev over 5 years ago

  • Status changed from Assigned to Closed

I can't reproduce it any longer with latest master too.

 sudo /opt/suritest/bin/suricatasc /opt/suritest/var/run/suricata/suricata-command.socket 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "64mb" 
    },
    {
        "name": "stream-reassembly",
        "value": "256mb" 
    },
    {
        "name": "flow",
        "value": "128mb" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "32mb" 
    },
    {
        "name": "ippair",
        "value": "16mb" 
    },
    {
        "name": "host",
        "value": "32mb" 
    }
]
>>> 

Actions

Also available in: Atom PDF