Bug #4470
Status: Closed
SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Description
Upon the first pcap being submitted in socket mode, an error is logged
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
This is reproducible with the default configuration (with minor adjustments to account for default paths).
1. Start Suricata in socket mode without daemonizing
suricata -c /tmp/socket_anomaly_error/suricata.yaml -k none -vvvv --runmode single --unix-socket=/tmp/socket_anomaly_error/suricata.sock
2. After suricata is started, use suricatasc to send the pcap
suricatasc -c "pcap-file /tmp/socket_anomaly_error/test.pcap /tmp/socket_anomaly_error/output_logs" /tmp/socket_anomaly_error/suricata.sock
3. Observe the error being reported by Suricata
18/12/2020 -- 02:53:49 - <Info> - Added file '/tmp/socket_anomaly_error/test.pcap' to list
18/12/2020 -- 02:53:49 - <Info> - pcap-file.tenant-id not set
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/12/2020 -- 02:53:49 - <Config> - preallocated 65535 defrag trackers of size 160
18/12/2020 -- 02:53:49 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
18/12/2020 -- 02:53:49 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/12/2020 -- 02:53:49 - <Config> - stream "memcap": 67108864
18/12/2020 -- 02:53:49 - <Config> - stream "midstream" session pickups: disabled
18/12/2020 -- 02:53:49 - <Config> - stream "async-oneside": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "checksum-validation": disabled
18/12/2020 -- 02:53:49 - <Config> - stream."inline": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "bypass": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "max-synack-queued": 5
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "memcap": 268435456
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "depth": 1048576
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toserver-chunk-size": 2617
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toclient-chunk-size": 2460
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly.raw: enabled
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "segment-prealloc": 2048
18/12/2020 -- 02:53:49 - <Info> - fast output device (regular) initialized: fast.log
18/12/2020 -- 02:53:49 - <Info> - eve-log output device (regular) initialized: eve.json
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
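The practical consequence of this error is that anomaly events may be missing from eve.json for pcap runs submitted over the socket. The following is an added example (not Suricata's own code or part of this report) that parses the log layout shown above and flags a run in which the anomaly logger failed to enable; the regexes and the helper names are assumptions, and the sample lines are a constructed subset of the output quoted in step 3.

```python
import re

# Layout of a Suricata log line as seen in the report (ERRCODE part only on errors):
# DD/MM/YYYY -- HH:MM:SS - <Level> - [ERRCODE: NAME(NUM)] - message
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - "
    r"(?:\[ERRCODE: (?P<errname>\w+)\((?P<errnum>\d+)\)\] - )?(?P<msg>.*)$"
)
MODULE_RE = re.compile(r"enabling 'eve-log' module '(?P<module>[\w-]+)'")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["errnum"] = int(entry["errnum"]) if entry["errnum"] else None
    return entry

def audit_logger_setup(lines):
    """Summarise eve-log module setup for one socket-mode pcap run (assumed helper).

    Returns the modules Suricata tried to enable, every ERRCODE error seen, and
    whether the anomaly logger failed to enable (the condition in this report).
    """
    modules, errors = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        m = MODULE_RE.search(entry["msg"])
        if m:
            modules.append(m.group("module"))
        if entry["errname"]:
            errors.append((entry["errname"], entry["errnum"], entry["msg"]))
    anomaly_failed = any(name == "SC_ERR_CONF_YAML_ERROR" and "'anomaly'" in msg
                         for name, _, msg in errors)
    return {"modules": modules, "errors": errors, "anomaly_logger_failed": anomaly_failed}

# Constructed sample: a subset of the log lines quoted in the report.
SAMPLE = """\
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Info> - eve-log output device (regular) initialized: eve.json
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
""".splitlines()

if __name__ == "__main__":
    print(audit_logger_setup(SAMPLE))
```

Running it against a real suricata.log from a socket-mode instance lets an operator confirm whether anomaly output was silently dropped for the submitted pcaps.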
This is observed in 5.0.5, 6.0.1 and 7.0.0-dev (372fc2673 2020-12-11), but not 5.0.4, 6.0.0.
I believe this is in relation to PR#5258 https://github.com/OISF/suricata/pull/5258/commits/c42574169e0b3e4bca396493b21f0208ee1bc759