Bug #1959
Closed
Suricata unix socket runs with runmode: autofp when runmode configuration parameter is omitted
Description
Whenever you don't set a runmode in the YAML file (or set runmode: auto), Suricata will correctly start runmode unix socket in single mode, but it will then start a single run of a pcap (via the RunModeDispatch call, runmode-unix-socket.c:391) using the default runmode for pcap-file, which is autofp.
This will potentially lead to a race condition where a detection thread will hang waiting for another packet while every other thread will shut down.
Furthermore, the behavior is inconsistent with the declaration of --list-runmodes.
Possible fixes:
- use ConfSetFinal in RunModeUnixSocketSingle before registering the background task in order to force the runmode to be set to single
- change function RunModeDispatch in order to add a parameter "run_via_unix_socket"
- add a check in RunModeDispatch, checking the value of RunModeUnixSocketIsActive before actually choosing the runmode (and in that case forcing it to single mode)
Updated by Victor Julien about 8 years ago
AFAICS the goal is to run as 'autofp' in unix socket mode.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien over 7 years ago
- Status changed from New to Closed
- Assignee changed from Anonymous to Victor Julien
- Target version changed from TBD to 4.0beta1
https://github.com/inliniac/suricata/pull/2729 unifies the runmode handling and improves output.