(Apologies for my inconclusive previous msg - pressed enter by mistake too fast when reporting the bug)
Using Suricata 4.0dev (rev 7539973).
I have narrowed down a reproducible case where unix-socket will kill the engine because it is not able to disable a detection thread:
(flow-manager.c:182) <Error> (FlowDisableFlowManagerThread) -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "FM#01". Killing engine
By doing so, it actually renders the whole unix-socket operation unusable, as opposed to just flushing out that particular run.
To reproduce:
1- start Suricata in --unix-socket mode with the provided ruleset
2- send the pcap for processing (example):
suricatasc /var/run/suricata/someus.socket -c "pcap-file /path/to/pcap.pcap /path/to/logs/"
Observed in my case:
Suricata will show high CPU utilization (100%) on 3-4 CPUs and use 6G of RAM. After a while it will print the message above and kill the engine.
This is only reproducible with unix-socket. I tried reading the pcap directly (-r) and saw no issues.
pcap and rules shared privately.