Bug #1866: Fragmented unix_dgram output - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1866

closed

Fragmented unix_dgram output

Added by Jens Goldberg over 8 years ago. Updated almost 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

4.0beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

I am reading EVE-alerts from a Unix datagram socket. When alerts are large enough – 4096 bytes or more – they get split up into multiple datagrams, kinda destroying the point of them in the first place.

From poking around in the source, I'm guessing this is because Suricata uses fwrite to send data to the socket instead of write, which streans the data in PIPE_BUF (=4096 bytes on Linux) chunks internally.

Relevant code:
https://github.com/inliniac/suricata/blob/271bd045396b618cd52079be17ca083c4931f87e/src/util-logopenfile.c#L143

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1866

Fragmented unix_dgram output

Updated by Victor Julien about 8 years ago

Updated by Jens Goldberg almost 7 years ago

Updated by Victor Julien almost 7 years ago