Project

General

Profile

Actions
Copy link

Bug #6997

open

Socket mode hard fail with pcap logging mode and multiple link layer pcap file

Added by Travis Green 6 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.3
Effort:
Difficulty:
Label:

Description

When using socket mode with pcap logging enabled, suricata exits with error when encountering pcaps with multiple link layers, preventing further processing of pcap files:

[477571] Error: log-pcap: Pcap logging with multiple link type is not supported.

running:
sudo /opt/suricata-7.0.3/src/suricata -vvv -c ./suricata.socket.yaml -k none --set stream.midstream=true --set classification-file=/opt/suricata-7.0.3/etc/classification.config --set reference-config-file=/opt/suricata-6.0.16/etc/reference.config --set threshold-file=/opt/suricata-7.0.3/threshold.config -l . -S /home/user/rules/suricata.local.rules --unix-socket

and add pcap via:
sudo suricatasc -c "pcap-file /home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/cme_query.pcap /home/user/working/test_pcaps/tests/logs/"
@sudo suricatasc -c "pcap-file /home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/evil_png_etc_passwd.pcap /home/user/working/test_pcaps/tests/logs/"

Note: it requires more than 1 pcap file add to trigger the error

Files

Download all files
build_info.txt (3.91 KB) build_info.txt Travis Green, 04/29/2024 05:25 PM
suricata.socket.yaml (83.3 KB) suricata.socket.yaml Travis Green, 04/29/2024 05:25 PM
cme_query.pcap (8.45 KB) cme_query.pcap Travis Green, 04/29/2024 05:26 PM
evil_png_etc_passwd.pcap (2.28 KB) evil_png_etc_passwd.pcap Travis Green, 04/29/2024 05:26 PM
netlink.pcap (250 KB) netlink.pcap Travis Green, 04/29/2024 05:26 PM
suricata_output.txt (15.1 KB) suricata_output.txt Travis Green, 04/29/2024 05:37 PM

No data to display

Actions
Copy link

Also available in: Atom PDF