Bug #2988

closed

redis fails sometimes to reload rules to suricata; restart of redis fixes

Added by Charles Dillard over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

Hello,

My company uses suricata on CentOS 7 hardware. We are unable to update to suricata 4.+ due to unknowns. The current process is as follows:

1. suricata reloads new rulesets, pushed by the security team, with 'kill -SIGUSR2 PID'.
2. redis is the output specified in suricata.yaml.
3. A Lua script lpops the suricata output from redis and pushes it to the file json_out.txt,
4. which is picked up by splunk. If new rules get to json_out.txt, it is considered "working".

suricata 3.0 works on 90 percent of our grid. On about 10 percent, a rule / heartbeat update fails when our security team pushes one. Restarting redis fixes this. Here is a piece of suricata.yaml:

outputs:
  - eve-log:
      enabled: yes
      filetype: redis #regular|syslog|unix_dgram|unix_stream|redis
      redis:
        server: 127.0.0.1

Here is relevant lua config:

local alert_log_path = "/nsm/sensors/INO/snortlogs/72/json_out.txt"

AND

local redis = require "redis"          -- redis-lua client; the require was missing from the excerpt
local redis_host = "127.0.0.1"         -- matches server: in the suricata.yaml excerpt above
local redis_port = 6379                -- redis default port (assumed; not stated in the report)
local channel = "INO-Alert"
local params = { host = redis_host, port = redis_port }
local listener = redis.connect(params)
local alert_log = io.open(alert_log_path, "a")
while 1 == 1 do
  local msg = listener:lpop(channel)   -- nil when the list is empty
  if msg then
    alert_log:write(msg, "\n")         -- one EVE JSON record per line for splunk
    alert_log:flush()
  end
end

All servers are automated and should be identical.

Have checked resource issues like cpu, mem and so forth. The restart of redis appears to always fix it.

Can you tell me if you've seen this before and how would I troubleshoot further?

Many thanks!

redis-2.8.19-2.el7.x86_64
suricata-3.0-ESG_3.el7.centos.x86_64
lua-5.1.4-15.el7.x86_64
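As an added troubleshooting aid for the pipeline described in steps 1-4 and the "how would I troubleshoot further?" question (this script is not part of the bug report or of the Suricata project), the following POSIX shell script samples the redis list that Suricata's eve-log output pushes to and classifies where the pipeline stalls. It assumes redis on 127.0.0.1:6379 and the list key INO-Alert from the Lua excerpt; the consumer process pattern is a placeholder to adjust to the real Lua script name.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report): sample the redis list
# twice, check whether the Lua consumer is alive, and classify the state.
# Assumptions: redis at 127.0.0.1:6379, list key INO-Alert, consumer
# process matched by CONSUMER_PATTERN (placeholder; set to the script name).
REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"
CHANNEL="${CHANNEL:-INO-Alert}"
INTERVAL="${INTERVAL:-10}"
CONSUMER_PATTERN="${CONSUMER_PATTERN:-lua}"

# classify <llen_before> <llen_after> <consumer_running 0|1>
# Pure decision logic, so it can be exercised without a redis server.
classify() {
  before=$1; after=$2; consumer=$3
  if [ "$consumer" -ne 1 ]; then
    echo "consumer-down"        # the lpop loop is not running at all
  elif [ "$after" -gt "$before" ]; then
    echo "consumer-stalled"     # Suricata keeps LPUSHing, nothing drains the list
  elif [ "$before" -eq 0 ] && [ "$after" -eq 0 ]; then
    echo "list-empty"           # nothing arrives: no alerts, or Suricata's redis output stopped pushing
  else
    echo "draining"             # list shrinks or holds steady: records are flowing
  fi
}

# Live check against the real redis instance; only run on request.
live_check() {
  cli="redis-cli -h $REDIS_HOST -p $REDIS_PORT"
  before=$($cli LLEN "$CHANNEL")
  sleep "$INTERVAL"
  after=$($cli LLEN "$CHANNEL")
  if pgrep -f "$CONSUMER_PATTERN" >/dev/null 2>&1; then consumer=1; else consumer=0; fi
  printf 'llen %s -> %s over %ss, consumer=%s: ' "$before" "$after" "$INTERVAL" "$consumer"
  classify "$before" "$after" "$consumer"
  # Suricata and the Lua consumer should each hold one connection here.
  echo "--- redis client list:"
  $cli CLIENT LIST
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `sh redis_pipeline_check.sh --live` on a sensor in the failing state, before restarting redis. A growing list with a live consumer points at the Lua side (its connection to redis, or the io.open'd file); an empty list while alerts are expected points at Suricata's redis output, so check suricata.log for redis errors around the SIGUSR2 reload. Comparing CLIENT LIST between a working and a failing sensor shows whether Suricata's connection survived the reload.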
