Project

General

Profile

Actions
Copy link

Bug #2254

closed

StatsLogSummary has incorrect alerts count when running in pcap file mode

Added by Danny Browning over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Reproducible by running with '-r' option or using unix socket 'pcap-file' command.

[3587] 30/10/2017 -- 10:24:13 - (source-pcap-file.c:951) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 150 packets, 99308 bytes
[775] 30/10/2017 -- 10:24:13 - (counters.c:821) <Info> (StatsLogSummary) -- Alerts: 0

> socat UNIX-LISTEN:/tmp/suricata.alerts.socket -
{"timestamp":"2014-12-04T12:32:08.433032-0700","flow_id":989924307757477,"pcap_cnt":18,"event_type":"alert"

Using master branch as of 10/30

commit 749fa014d13d46a1a3f9882744c650321e209a23
Author: Jason Ish <ish@unx.ca>
Date:   Tue Oct 24 16:34:00 2017 -0600

Built on Mac OSX

Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          no
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          yes
  Inotify support:                         no

  Rust support (experimental):             no
  Experimental Rust parsers:               no
  Rust strict mode:                        no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var

  Host:                                    x86_64-apple-darwin16.7.0
  Compiler:                                gcc (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -DOS_DARWIN -march=native
  PCAP_CFLAGS                               -I/usr/local/include
  SECCFLAGS
Actions
Copy link
 #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Victor Julien over 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

It works correctly for me with both the commandline and the unix socket. Please reopen if you still see this.

Actions
Copy link

Also available in: Atom PDF