Actions
Bug #2451
closedMissing Files Will Cause Pcap Thread to No Longer Run in Unix Socket Mode
Affected Versions:
Effort:
Difficulty:
Label:
Description
If a pcap file is sent to unix socket for processing that does not exist (e.g. slow i/o), the pcap thread is returning a failure, and not being restarted.
Updated by Roman Gugelhupf almost 7 years ago
perl code:
my $pcap_file = '/tmp/suri/dump.pcap'; my $pcap_store = '/tmp/suri/'; # Create socket my $server = IO::Socket::UNIX->new( Peer => $SOCKET, Type => SOCK_STREAM, Timeout => $TIMEOUT ) or die "[E] Can't connect to $SOCKET: $!"; # Only process the pcap when it actually exists! if(-e $pcap_file) { my $suricata_request->{'command'} = "pcap-file"; $suricata_request->{'arguments'} = {}; $suricata_request->{'arguments'}{'filename'} = $pcap_file; $suricata_request->{'arguments'}{'output-dir'} = $pcap_store; my $response = send_suricata($suricata_request); # ... # (some error handling) # ... my $try = 0; while(1) { print "Checking for: ". $pcap_store ."fast.log\n"; if (-e $fastlog) { print "Suricata processing finished!\n"; } else { print "Waiting for pcap to be processed ($try)\n"; $try++; } } }
Error log:
2018-02-27T14:33:19.641205+00:00 suri-ams suricata: [31230] <Info> -- Alerts: 0 2018-02-27T14:33:19.686327+00:00 suri-ams suricata: [31230] <Info> -- pcap-file.tenant-id not set 2018-02-27T14:33:19.713970+00:00 suri-ams suricata: [31230] <Info> -- fast output device (regular) initialized: fast.log 2018-02-27T14:33:19.728454+00:00 suri-ams suricata: [31230] <Info> -- tls-log output device (regular) initialized: tls.log 2018-02-27T14:33:19.728568+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead 2018-02-27T14:33:19.729061+00:00 suri-ams suricata: [31230] <Info> -- md5 calculation requires linking against libnss 2018-02-27T14:33:19.729129+00:00 suri-ams suricata: [31230] <Info> -- storing files in /tmp/suri/files 2018-02-27T14:33:19.729192+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Please use 'tls-store' in YAML to configure TLS storage 2018-02-27T14:33:19.729559+00:00 suri-ams suricata: [31230] <Info> -- storing certs in /tmp/suri/certs 2018-02-27T14:33:19.742466+00:00 suri-ams suricata: [4853] <Info> -- Checking file or directory /tmp/suri/dump.pcap 2018-02-27T14:33:19.742656+00:00 suri-ams suricata: [4853] <Error> -- [ERRCODE: SC_ERR_FOPEN(44)] - /tmp/suri/dump.pcap: Does not exist, or name is an empty string 2018-02-27T14:33:20.070135+00:00 suri-ams suricata: [31230] <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0145
Updated by Andreas Herz almost 7 years ago
Can you provide details about suricata version etc.?
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1
Actions