Project

General

Profile

Bug #4225

SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode

Added by Brandon Murphy 6 months ago. Updated about 10 hours ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

Upon the first pcap being submitted in socket mode, an error is logged

18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled

This is producible with the default configuration (with minor adjustments to account for default paths)

1. Start suricata in socket mode without Demonizing

suricata -c /tmp/socket_anomaly_error/suricata.yaml -k none -vvvv --runmode single --unix-socket=/tmp/socket_anomaly_error/suricata.sock

2. After suricata is started, use suricatasc to send the pcap

suricatasc -c "pcap-file /tmp/socket_anomaly_error/test.pcap  /tmp/socket_anomaly_error/output_logs" /tmp/socket_anomaly_error/suricata.sock 

3. Observe the error being reported by Suricata

18/12/2020 -- 02:53:49 - <Info> - Added file '/tmp/socket_anomaly_error/test.pcap' to list
18/12/2020 -- 02:53:49 - <Info> - pcap-file.tenant-id not set
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/12/2020 -- 02:53:49 - <Config> - preallocated 65535 defrag trackers of size 160
18/12/2020 -- 02:53:49 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
18/12/2020 -- 02:53:49 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/12/2020 -- 02:53:49 - <Config> - stream "memcap": 67108864
18/12/2020 -- 02:53:49 - <Config> - stream "midstream" session pickups: disabled
18/12/2020 -- 02:53:49 - <Config> - stream "async-oneside": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "checksum-validation": disabled
18/12/2020 -- 02:53:49 - <Config> - stream."inline": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "bypass": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "max-synack-queued": 5
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "memcap": 268435456
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "depth": 1048576
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toserver-chunk-size": 2617
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toclient-chunk-size": 2460
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly.raw: enabled
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "segment-prealloc": 2048
18/12/2020 -- 02:53:49 - <Info> - fast output device (regular) initialized: fast.log
18/12/2020 -- 02:53:49 - <Info> - eve-log output device (regular) initialized: eve.json
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled

This is observed in 5.0.5, 6.0.1 and 7.0.0-dev (372fc2673 2020-12-11), but not 5.0.4, 6.0.0.

I believe this is in relation to PR#5258 https://github.com/OISF/suricata/pull/5258/commits/c42574169e0b3e4bca396493b21f0208ee1bc759


Related issues

Related to Bug #4434: Duplicate alert record in eve log when using unix-socket modeClosedJason IshActions
Copied to Bug #4469: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket modeClosedJeff LucovskyActions
Copied to Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket modeClosedShivani BhardwajActions
#1

Updated by Jeff Lucovsky 6 months ago

I've been able to reproduce this issue.

The drop logger -- when configured -- will issue the same error message:

[3929025] 21/12/2020 -- 09:09:28 - (output-json-drop.c:257) <Error> (JsonDropLogInitCtxSub) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'drop' logger can be enabled

#2

Updated by David Wharton 6 months ago

I was about to report this but Brandon beat me to it.

When Suricata starts in socket mode, OutputAnomalyLoggerEnable() gets called (if anomaly logger is enabled in the yaml) which increments the anomaly_loggers counter from 0 to 1 which is the max. A socket control "pcap-file" command also results in OutputAnomalyLoggerEnable() getting called but anomaly_loggers is already at the max so the above mentioned error is raised. Upon cleanup after that error however, OutputAnomalyLoggerDisable() is called which decrements the anomaly_loggers counter which allows for subsequent "pcap-file" socket commands to succeed without error.

#3

Updated by Jason Ish 4 months ago

  • Status changed from New to In Progress
  • Assignee set to Jason Ish

Initial PR here: https://github.com/OISF/suricata/pull/5928

Older versions skipped some initialization when in unix-socket mode until a pcap-file was provided, but some of that initialization is required at startup no matter what to fix other issues, which left loggers enabled for the first pcap-file run causing these errors. However subsequent runs were OK as some deinitialization is done after each pcap run.

To fix this, I've added the same deinit routing after startup initialization so the first pcap-file gets a clean state.

#4

Updated by Jason Ish about 2 months ago

  • Target version set to 7.0rc1
  • Affected Versions 6.0.2 added
  • Label Needs backport to 5.0, Needs backport to 6.0 added
#5

Updated by Jeff Lucovsky about 2 months ago

  • Copied to Bug #4469: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode added
#6

Updated by Jeff Lucovsky about 2 months ago

  • Copied to Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode added
#7

Updated by Jason Ish about 2 months ago

  • Related to Bug #4434: Duplicate alert record in eve log when using unix-socket mode added
#8

Updated by Jason Ish about 2 months ago

  • Status changed from In Progress to Closed

Fix merged into master.

#9

Updated by Jason Ish about 10 hours ago

Fix was merged with PR https://github.com/OISF/suricata/pull/6091 as part of the fix to #4434.

Also available in: Atom PDF