Bug #4225 (Closed): SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Description
Upon the first pcap being submitted in socket mode, an error is logged
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
This is reproducible with the default configuration (with minor adjustments to account for default paths):
1. Start Suricata in socket mode without daemonizing
suricata -c /tmp/socket_anomaly_error/suricata.yaml -k none -vvvv --runmode single --unix-socket=/tmp/socket_anomaly_error/suricata.sock
2. After suricata is started, use suricatasc to send the pcap
suricatasc -c "pcap-file /tmp/socket_anomaly_error/test.pcap /tmp/socket_anomaly_error/output_logs" /tmp/socket_anomaly_error/suricata.sock
3. Observe the error being reported by Suricata
18/12/2020 -- 02:53:49 - <Info> - Added file '/tmp/socket_anomaly_error/test.pcap' to list
18/12/2020 -- 02:53:49 - <Info> - pcap-file.tenant-id not set
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/12/2020 -- 02:53:49 - <Config> - preallocated 65535 defrag trackers of size 160
18/12/2020 -- 02:53:49 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
18/12/2020 -- 02:53:49 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/12/2020 -- 02:53:49 - <Config> - stream "memcap": 67108864
18/12/2020 -- 02:53:49 - <Config> - stream "midstream" session pickups: disabled
18/12/2020 -- 02:53:49 - <Config> - stream "async-oneside": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "checksum-validation": disabled
18/12/2020 -- 02:53:49 - <Config> - stream."inline": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "bypass": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "max-synack-queued": 5
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "memcap": 268435456
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "depth": 1048576
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toserver-chunk-size": 2617
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toclient-chunk-size": 2460
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly.raw: enabled
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "segment-prealloc": 2048
18/12/2020 -- 02:53:49 - <Info> - fast output device (regular) initialized: fast.log
18/12/2020 -- 02:53:49 - <Info> - eve-log output device (regular) initialized: eve.json
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
This is observed in 5.0.5, 6.0.1 and 7.0.0-dev (372fc2673 2020-12-11), but not 5.0.4, 6.0.0.
I believe this is in relation to PR#5258 https://github.com/OISF/suricata/pull/5258/commits/c42574169e0b3e4bca396493b21f0208ee1bc759
Updated by Jeff Lucovsky almost 4 years ago
I've been able to reproduce this issue.
The drop logger -- when configured -- will issue the same error message:
[3929025] 21/12/2020 -- 09:09:28 - (output-json-drop.c:257) <Error> (JsonDropLogInitCtxSub) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'drop' logger can be enabled
Updated by David Wharton almost 4 years ago
I was about to report this but Brandon beat me to it.
When Suricata starts in socket mode, OutputAnomalyLoggerEnable() gets called (if the anomaly logger is enabled in the yaml), which increments the anomaly_loggers counter from 0 to 1, which is the max. A socket control "pcap-file" command also results in OutputAnomalyLoggerEnable() getting called, but anomaly_loggers is already at the max, so the above-mentioned error is raised. Upon cleanup after that error, however, OutputAnomalyLoggerDisable() is called, which decrements the anomaly_loggers counter and allows subsequent "pcap-file" socket commands to succeed without error.
Updated by Jason Ish over 3 years ago
- Status changed from New to In Progress
- Assignee set to Jason Ish
Initial PR here: https://github.com/OISF/suricata/pull/5928
Older versions skipped some initialization when in unix-socket mode until a pcap-file was provided, but some of that initialization is required at startup no matter what to fix other issues, which left loggers enabled for the first pcap-file run, causing these errors. However, subsequent runs were OK as some deinitialization is done after each pcap run.
To fix this, I've added the same deinit routine after startup initialization so the first pcap-file gets a clean state.
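The counter behaviour David Wharton describes and the startup deinit Jason Ish added, as a minimal C model added here (not Suricata's code): the function names mirror the ones named in the comments above, but their bodies and the startup/pcap-file call sequence are simplified assumptions built from this ticket.

```c
#include <stdbool.h>
#include <stdio.h>
#define MAX_ANOMALY_LOGGERS 1
/* Model of the anomaly_loggers counter named in the comments above. */
static int anomaly_loggers = 0;

/* Model of OutputAnomalyLoggerEnable(): refuse a second instance. */
static int anomaly_logger_enable(void)
{
    if (anomaly_loggers >= MAX_ANOMALY_LOGGERS) {
        fprintf(stderr, "[ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - "
                        "only one 'anomaly' logger can be enabled\n");
        return -1;
    }
    anomaly_loggers++;
    return 0;
}

/* Model of OutputAnomalyLoggerDisable(), called from logger deinit. */
static void anomaly_logger_disable(void)
{
    if (anomaly_loggers > 0)
        anomaly_loggers--;
}

/* One "pcap-file" socket command: init loggers, process, deinit.
 * Returns 0 on success, -1 if the enable step raised the error. */
static int run_pcap_file(void)
{
    int rc = anomaly_logger_enable();
    /* ... pcap processing would happen here ... */
    anomaly_logger_disable(); /* per-run deinit, runs even after the error */
    return rc;
}

/* Unix-socket startup followed by n_runs pcap-file commands; returns how
 * many runs raised the error. deinit_after_startup=false is the regression. */
static int socket_mode_session(bool deinit_after_startup, int n_runs)
{
    int errors = 0;
    anomaly_loggers = 0;
    anomaly_logger_enable();      /* startup init now enables the loggers */
    if (deinit_after_startup)
        anomaly_logger_disable(); /* the fix: first pcap run starts clean */
    for (int i = 0; i < n_runs; i++)
        if (run_pcap_file() != 0)
            errors++;
    return errors;
}
```

With the startup deinit omitted, exactly the first run fails and later runs succeed, matching the ticket; with it in place no run fails.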
Updated by Jason Ish over 3 years ago
- Target version set to 7.0.0-beta1
- Affected Versions 6.0.2 added
- Label Needs backport to 5.0, Needs backport to 6.0 added
Updated by Jeff Lucovsky over 3 years ago
- Copied to Bug #4469: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode added
Updated by Jeff Lucovsky over 3 years ago
- Copied to Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode added
Updated by Jason Ish over 3 years ago
- Related to Bug #4434: Duplicate alert record in eve log when using unix-socket mode added
Updated by Jason Ish over 3 years ago
- Status changed from In Progress to Closed
Fix merged into master.
Updated by Jason Ish over 3 years ago
Fix was merged with PR https://github.com/OISF/suricata/pull/6091 as part of the fix to #4434.