Bug #2451


Missing Files Will Cause Pcap Thread to No Longer Run in Unix Socket Mode

Added by Danny Browning over 4 years ago. Updated over 4 years ago.

Target version:
Affected Versions:


If a pcap file is sent to unix socket for processing that does not exist (e.g. slow i/o), the pcap thread is returning a failure, and not being restarted.

Actions #1

Updated by Roman Gugelhupf over 4 years ago

perl code:

my $pcap_file = '/tmp/suri/dump.pcap';
my $pcap_store = '/tmp/suri/';

# Create socket
my $server = IO::Socket::UNIX->new( Peer    => $SOCKET,
     Type    => SOCK_STREAM,
     Timeout => $TIMEOUT
) or die "[E] Can't connect to $SOCKET: $!";

# Only process the pcap when it actually exists!
if(-e $pcap_file) {
 my $suricata_request->{'command'} = "pcap-file";
 $suricata_request->{'arguments'} = {};
 $suricata_request->{'arguments'}{'filename'}   = $pcap_file;
 $suricata_request->{'arguments'}{'output-dir'} = $pcap_store;
 my $response = send_suricata($suricata_request);
 # ...
 # (some error handling)
 # ...
 my $try = 0;
 while(1) {
  print "Checking for: ". $pcap_store ."fast.log\n";
  if (-e $fastlog) {
   print "Suricata processing finished!\n";
  else {
    print "Waiting for pcap to be processed ($try)\n";

Error log:

2018-02-27T14:33:19.641205+00:00 suri-ams suricata: [31230] <Info> -- Alerts: 0
2018-02-27T14:33:19.686327+00:00 suri-ams suricata: [31230] <Info> -- pcap-file.tenant-id not set
2018-02-27T14:33:19.713970+00:00 suri-ams suricata: [31230] <Info> -- fast output device (regular) initialized: fast.log
2018-02-27T14:33:19.728454+00:00 suri-ams suricata: [31230] <Info> -- tls-log output device (regular) initialized: tls.log
2018-02-27T14:33:19.728568+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead
2018-02-27T14:33:19.729061+00:00 suri-ams suricata: [31230] <Info> -- md5 calculation requires linking against libnss
2018-02-27T14:33:19.729129+00:00 suri-ams suricata: [31230] <Info> -- storing files in /tmp/suri/files
2018-02-27T14:33:19.729192+00:00 suri-ams suricata: [31230] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Please use 'tls-store' in YAML to configure TLS storage
2018-02-27T14:33:19.729559+00:00 suri-ams suricata: [31230] <Info> -- storing certs in /tmp/suri/certs
2018-02-27T14:33:19.742466+00:00 suri-ams suricata: [4853] <Info> -- Checking file or directory /tmp/suri/dump.pcap
2018-02-27T14:33:19.742656+00:00 suri-ams suricata: [4853] <Error> -- [ERRCODE: SC_ERR_FOPEN(44)] - /tmp/suri/dump.pcap: Does not exist, or name is an empty string
2018-02-27T14:33:20.070135+00:00 suri-ams suricata: [31230] <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0145

Actions #2

Updated by Andreas Herz over 4 years ago

  • Target version set to TBD
Actions #3

Updated by Andreas Herz over 4 years ago

Can you provide details about suricata version etc.?

Actions #4

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1beta1

Also available in: Atom PDF