Bug #3986

open

suricata -r not working for sshfs-mounted folder but working for sshfs-mounted file

Added by Peter Pan over 3 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

OS: CentOS Linux 8 (Core)
Suricata version: 5.0.3 RELEASE

To replicate the bug:

Mount sshfs folder

$ sudo su
# cat /etc/fuse.conf
user_allow_other
# sshfs -o allow_other p@192.168.1.10:/ /mnt/test/
p@192.168.1.10's password: password
# ls -l /mnt/test/home/p/pcaps
total 8376
-rw-r--r--. 1 snuser snuser 8573977 Sep 25 16:27 test.pcap

suricata -r sshfs_mounted_folder not working

# suricata -v -c /etc/suricata/suricata.yaml -l /var/log/suricata/ -r /mnt/test/home/p/pcaps/
...
25/9/2020 -- 17:46:57 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
25/9/2020 -- 17:46:57 - <Info> - Starting directory run for /mnt/test/home/p/pcaps/
25/9/2020 -- 17:46:57 - <Info> - Processing pcaps directory /mnt/test/home/p/pcaps/, files must be newer than 0 and older than 18446744073709550616
25/9/2020 -- 17:46:57 - <Info> - Directory run mode complete
25/9/2020 -- 17:46:57 - <Notice> - Signal Received.  Stopping engine.
25/9/2020 -- 17:46:57 - <Info> - time elapsed 0.040s
25/9/2020 -- 17:46:57 - <Notice> - Pcap-file module read 0 files, 0 packets, 0 bytes
...

suricata -r sshfs_mounted_file working

# suricata -v -c /etc/suricata/suricata.yaml -l /var/log/suricata/ -r /mnt/test/home/p/pcaps/test.pcap
...
25/9/2020 -- 17:47:43 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
25/9/2020 -- 17:47:43 - <Info> - Starting file run for /mnt/test/home/p/pcaps/test.pcap
25/9/2020 -- 17:47:43 - <Info> - pcap file /mnt/test/home/p/pcaps/test.pcap end of file reached (pcap err code 0)
25/9/2020 -- 17:47:43 - <Notice> - Signal Received.  Stopping engine.
25/9/2020 -- 17:47:43 - <Info> - time elapsed 0.408s
25/9/2020 -- 17:47:43 - <Notice> - Pcap-file module read 1 files, 10464 packets, 8406529 bytes
...

Actions #1

Updated by Peter Pan over 3 years ago

OS: CentOS Linux 8 (Core)
Suricata version: 5.0.3 RELEASE

To replicate the bug:

Mount sshfs folder

$ sudo su
# cat /etc/fuse.conf
user_allow_other
# sshfs -o allow_other p@192.168.1.10:/ /mnt/test/
p@192.168.1.10's password: password
# ls -l /mnt/test/home/p/pcaps
total 8376
-rw-r--r--. 1 p p 8573977 Sep 25 16:27 test.pcap

suricata -r sshfs_mounted_folder not working

# suricata -v -c /etc/suricata/suricata.yaml -l /var/log/suricata/ -r /mnt/test/home/p/pcaps/
...
25/9/2020 -- 17:46:57 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
25/9/2020 -- 17:46:57 - <Info> - Starting directory run for /mnt/test/home/p/pcaps/
25/9/2020 -- 17:46:57 - <Info> - Processing pcaps directory /mnt/test/home/p/pcaps/, files must be newer than 0 and older than 18446744073709550616
25/9/2020 -- 17:46:57 - <Info> - Directory run mode complete
25/9/2020 -- 17:46:57 - <Notice> - Signal Received.  Stopping engine.
25/9/2020 -- 17:46:57 - <Info> - time elapsed 0.040s
25/9/2020 -- 17:46:57 - <Notice> - Pcap-file module read 0 files, 0 packets, 0 bytes
...

suricata -r sshfs_mounted_file working

# suricata -v -c /etc/suricata/suricata.yaml -l /var/log/suricata/ -r /mnt/test/home/p/pcaps/test.pcap
...
25/9/2020 -- 17:47:43 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
25/9/2020 -- 17:47:43 - <Info> - Starting file run for /mnt/test/home/p/pcaps/test.pcap
25/9/2020 -- 17:47:43 - <Info> - pcap file /mnt/test/home/p/pcaps/test.pcap end of file reached (pcap err code 0)
25/9/2020 -- 17:47:43 - <Notice> - Signal Received.  Stopping engine.
25/9/2020 -- 17:47:43 - <Info> - time elapsed 0.408s
25/9/2020 -- 17:47:43 - <Notice> - Pcap-file module read 1 files, 10464 packets, 8406529 bytes
...

Actions #2

Updated by Jason Ish over 3 years ago

Confirmed and can reproduce. Not exactly sure why though.

Actions #3

Updated by Peter Pan over 3 years ago

Jason Ish wrote in #note-2:

Confirmed and can reproduce. Not exactly sure why though.

Could it be due to the way folders are being read? Or symbolic links? Refer to #3990?

Actions #4

Updated by S F over 1 year ago

Peter Pan wrote in #note-3:

Jason Ish wrote in #note-2:

Confirmed and can reproduce. Not exactly sure why though.

Could it be due to the way folders are being read? Or symbolic links? Refer to #3990?

This is due to readdir returning DT_UNKNOWN for d_type:
https://github.com/OISF/suricata/blob/suricata-6.0.6/src/source-pcap-file-directory-helper.c#L320

It looks like the possible solutions are either not to do the short-cut based on the d_type returned or to implement a second check as suggested in [1] when DT_UNKNOWN is returned.

[1] https://stackoverflow.com/questions/48055366/why-does-dirent-h-not-work-on-sshfs-drives
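The stat() fallback described in the comment above, as an added example (this is not Suricata's code and not the fix from #3990 or any Suricata commit): entry_is_regular_file(), count_regular_files() and self_check() are hypothetical names, and the block assumes Linux/glibc and a writable /tmp. It also treats DT_LNK the same way as DT_UNKNOWN, so a symlink to a pcap is accepted, which goes slightly beyond what the thread discusses.

```c
/* Added example, not Suricata's code: classify readdir() entries without trusting
 * d_type alone. sshfs (FUSE) reports DT_UNKNOWN, so a d_type-only shortcut skips
 * every pcap in the directory; here DT_UNKNOWN and DT_LNK fall back to stat(). */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 if `ent` inside `dir` is a regular file, else 0. Only DT_UNKNOWN and DT_LNK
 * pay for a stat() round trip; stat() follows the link, unlike lstat(). */
int entry_is_regular_file(const char *dir, const struct dirent *ent)
{
    if (ent->d_type == DT_REG) return 1;
    if (ent->d_type != DT_UNKNOWN && ent->d_type != DT_LNK) return 0; /* known non-file type */
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
        return 0;                                   /* truncated path: refuse to guess */
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}
/* Number of regular files a directory run would process; -1 if opendir() fails. */
int count_regular_files(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..") &&
            entry_is_regular_file(dir, e)) n++;
    closedir(d);
    return n;
}
/* Self-check on constructed input: a temp dir holding one file, plus dirents forged
 * with d_type = DT_UNKNOWN the way sshfs hands them out. Returns 1 when all is well. */
int self_check(void)
{
    char dir[] = "/tmp/dtype-XXXXXX", file[4096];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/test.pcap", dir);
    FILE *f = fopen(file, "w");
    if (f != NULL) fclose(f);
    struct dirent pcap = { .d_type = DT_UNKNOWN, .d_name = "test.pcap" };
    struct dirent gone = { .d_type = DT_UNKNOWN, .d_name = "missing" };
    struct dirent sub  = { .d_type = DT_DIR, .d_name = "subdir" };
    int ok = entry_is_regular_file(dir, &pcap) == 1 &&  /* skipped by a d_type-only check */
             entry_is_regular_file(dir, &gone) == 0 &&  /* stat() fails -> not a file */
             entry_is_regular_file(dir, &sub) == 0 &&   /* cheap skip, no stat() needed */
             count_regular_files(dir) == 1;
    unlink(file); rmdir(dir);
    return ok;
}
```

Run the same classification against an sshfs mount to confirm that a directory run sees the same file count as `ls -l`, which is the symptom the report shows.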
