Bug #2215 (closed): Lost events writing to unix socket
Description
Hi,
When using pcap offline analysis with Suricata configured to write eve-log events to a unix stream socket, some events can be lost.
Find attached a pcap with a lot of DNS events (malware-generated). First I wrote a UNIX stream socket server in Python for reading the eve-log events, and surprisingly some events were lost because Suricata was a lot quicker writing to the socket than my code was reading from it, so the "send()" primitive returned an EAGAIN error.
After that, instead of coding a UNIX server in C, I used the socat utility, and unfortunately the same behaviour was observed.
IMHO a minimal wait would be sufficient when using a UNIX socket for eve log events.
Tested on GitHub master branch with latest commit https://github.com/inliniac/suricata/commit/499afaba4bc4624afa9e7d7e7648f9070ea5d37d
I'm going to send a PR to the GitHub repository with a new eve-log option named 'unix-retry-wait' where you can set the microseconds to wait before retrying a write on a UNIX stream socket when the write queue is full.
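Added example, not the reporter's code or Suricata's: a Python writer on a non-blocking AF_UNIX stream socket paired with a deliberately slow reader, showing events lost (and the stream corrupted) when the first EAGAIN abandons the event, versus a wait-and-retry policy like the proposed unix-retry-wait delivering them all. The function names, the constructed events and the exact retry semantics are assumptions.

```python
import json
import socket
import threading
import time

def send_event(sock, data, retry_wait_us):
    """Write one newline-terminated event to a non-blocking stream socket.
    retry_wait_us=None: the first EAGAIN abandons the event (the reported behaviour).
    retry_wait_us=N: sleep N microseconds and retry (assumed 'unix-retry-wait' semantics)."""
    sent = 0
    while sent < len(data):
        try:
            sent += sock.send(data[sent:])  # non-blocking send may write only part of the event
        except BlockingIOError:             # EAGAIN/EWOULDBLOCK: socket send queue is full
            if retry_wait_us is None:
                return "dropped" if sent == 0 else "truncated"
            time.sleep(retry_wait_us / 1_000_000)
    return "ok"

def slow_reader(sock, out, delay_s):
    """Consumer deliberately slower than the producer, like the reader in the report."""
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
        time.sleep(delay_s)
    out.extend(buf.split(b"\n"))

def stream_events(n_events, retry_wait_us, bufsize=4096, reader_delay_s=0.002):
    """Push constructed eve-style DNS events through an AF_UNIX pair and return counters."""
    writer, reader = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    writer.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, bufsize)  # small queue fills quickly
    writer.setblocking(False)
    lines = []
    t = threading.Thread(target=slow_reader, args=(reader, lines, reader_delay_s))
    t.start()
    stats = {"sent": n_events, "ok": 0, "dropped": 0, "truncated": 0}
    for seq in range(n_events):
        event = {"event_type": "dns", "seq": seq, "dns": {"rrname": f"h{seq}.example"}}
        stats[send_event(writer, (json.dumps(event) + "\n").encode(), retry_wait_us)] += 1
    writer.close()  # EOF lets the reader drain the remaining bytes and exit
    t.join()
    reader.close()
    seqs, garbled = [], 0
    for line in filter(None, lines):
        try:
            seqs.append(json.loads(line)["seq"])
        except ValueError:  # a truncated event fused with the one written after it
            garbled += 1
    stats.update(received=len(seqs), garbled=garbled, in_order=(seqs == sorted(seqs)))
    return stats
```

Calling `stream_events(5000, None)` reports dropped and truncated events plus garbled lines on the reader side, while `stream_events(5000, 200)` delivers all 5000 in order.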