Bug #2662: unix socket - memcap read/set showing unlimited where there are limited values configured by default - Suricata - Open Information Security Foundation

Actions

Copy link

#1

Updated by Victor Julien over 5 years ago

Assignee set to Giuseppe Longo

Giuseppe, I think you wrote this feature. Could you check this out? Thanks!

Actions

Copy link

#2

Updated by Giuseppe Longo over 5 years ago

Yes sure.

Actions

Copy link

#3

Updated by Giuseppe Longo over 5 years ago

Not able to reproduce the issue with the default config.

This is Suricata version 4.1.0-dev (rev 787473ec6)

>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "64mb" 
    },
    {
        "name": "stream-reassembly",
        "value": "256mb" 
    },
    {
        "name": "flow",
        "value": "128mb" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "32mb" 
    },
    {
        "name": "ippair",
        "value": "16mb" 
    },
    {
        "name": "host",
        "value": "32mb" 
    }
]
>>> memcap-show stream
Success:
{
    "value": "64mb" 
}
>>>

# ./bin/suricata --dump-config | grep -i "memcap" 
defrag.memcap = 32mb
flow.memcap = 128mb
stream.memcap = 64mb
stream.reassembly.memcap = 256mb
host.memcap = 32mb

Actions

Copy link

#4

Updated by Peter Manev over 5 years ago

It actually happens when there is no config present if installed in a non default location:


pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricatasc /opt/suritest/var/run/suricata/suricata-command.socket 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, pcap-file, pcap-file-continuous, pcap-file-number, pcap-file-list, pcap-last-processed, pcap-interrupt, pcap-current, quit
>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "unlimited" 
    },
    {
        "name": "stream-reassembly",
        "value": "unlimited" 
    },
    {
        "name": "flow",
        "value": "unlimited" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "unlimited" 
    },
    {
        "name": "ippair",
        "value": "unlimited" 
    },
    {
        "name": "host",
        "value": "16mb" 
    }
]
>>> quit
[+] Quit command client
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricata -V
This is Suricata version 4.1.0-dev (rev 787473ec)
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ 

pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$ sudo /opt/suritest/bin/suricata -T
[12959] 20/11/2018 -- 09:45:59 - (suricata.c:1895) <Info> (ParseCommandLine) -- Running suricata under test mode
[12959] 20/11/2018 -- 09:45:59 - (conf-yaml-loader.c:430) <Error> (ConfYamlLoadFile) -- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /opt/suritest/etc/suricata//suricata.yaml: No such file or directory
pevma@DonPedro:~/Work/Suricata/suricomp/suricata (master)$

Actions

Copy link

#5

Updated by Victor Julien about 5 years ago

Status changed from New to Assigned
Target version set to 5.0beta1

Actions

Copy link

#6

Updated by Victor Julien about 5 years ago

Target version changed from 5.0beta1 to 5.0rc1

Actions

Copy link

#7

Updated by Andreas Herz over 4 years ago

I can't reproduce it, can you share the exact details peter?

Actions

Copy link

#8

Updated by Peter Manev over 4 years ago

Status changed from Assigned to Closed

I can't reproduce it any longer with latest master too.

 sudo /opt/suritest/bin/suricatasc /opt/suritest/var/run/suricata/suricata-command.socket 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>> memcap-list
Success:
[
    {
        "name": "stream",
        "value": "64mb" 
    },
    {
        "name": "stream-reassembly",
        "value": "256mb" 
    },
    {
        "name": "flow",
        "value": "128mb" 
    },
    {
        "name": "applayer-proto-http",
        "value": "unlimited" 
    },
    {
        "name": "defrag",
        "value": "32mb" 
    },
    {
        "name": "ippair",
        "value": "16mb" 
    },
    {
        "name": "host",
        "value": "32mb" 
    }
]
>>>

Project

General

Profile

Suricata

Custom queries

Bug #2662

unix socket - memcap read/set showing unlimited where there are limited values configured by default

Updated by Victor Julien over 5 years ago

Updated by Giuseppe Longo over 5 years ago

Updated by Giuseppe Longo over 5 years ago

Updated by Peter Manev over 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Andreas Herz over 4 years ago

Updated by Peter Manev over 4 years ago