Bug #4225

closed

SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode

Added by Brandon Murphy about 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 5.0, Needs backport to 6.0

Description

Upon the first pcap being submitted in socket mode, an error is logged:

18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled

This is reproducible with the default configuration (with minor adjustments to account for default paths).

1. Start suricata in socket mode without daemonizing:

suricata -c /tmp/socket_anomaly_error/suricata.yaml -k none -vvvv --runmode single --unix-socket=/tmp/socket_anomaly_error/suricata.sock

2. After suricata is started, use suricatasc to send the pcap:

suricatasc -c "pcap-file /tmp/socket_anomaly_error/test.pcap /tmp/socket_anomaly_error/output_logs" /tmp/socket_anomaly_error/suricata.sock

3. Observe the error being reported by Suricata:

18/12/2020 -- 02:53:49 - <Info> - Added file '/tmp/socket_anomaly_error/test.pcap' to list
18/12/2020 -- 02:53:49 - <Info> - pcap-file.tenant-id not set
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/12/2020 -- 02:53:49 - <Config> - preallocated 65535 defrag trackers of size 160
18/12/2020 -- 02:53:49 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
18/12/2020 -- 02:53:49 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/12/2020 -- 02:53:49 - <Config> - stream "memcap": 67108864
18/12/2020 -- 02:53:49 - <Config> - stream "midstream" session pickups: disabled
18/12/2020 -- 02:53:49 - <Config> - stream "async-oneside": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "checksum-validation": disabled
18/12/2020 -- 02:53:49 - <Config> - stream."inline": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "bypass": disabled
18/12/2020 -- 02:53:49 - <Config> - stream "max-synack-queued": 5
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "memcap": 268435456
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "depth": 1048576
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toserver-chunk-size": 2617
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "toclient-chunk-size": 2460
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly.raw: enabled
18/12/2020 -- 02:53:49 - <Config> - stream.reassembly "segment-prealloc": 2048
18/12/2020 -- 02:53:49 - <Info> - fast output device (regular) initialized: fast.log
18/12/2020 -- 02:53:49 - <Info> - eve-log output device (regular) initialized: eve.json
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled

This is observed in 5.0.5, 6.0.1 and 7.0.0-dev (372fc2673 2020-12-11), but not 5.0.4, 6.0.0.

I believe this is in relation to PR#5258 https://github.com/OISF/suricata/pull/5258/commits/c42574169e0b3e4bca396493b21f0208ee1bc759
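The practical consequence of this bug is a visibility gap: when the 'anomaly' eve-log module fails to enable for a pcap run, anomaly events for that pcap are silently missing from eve.json. The script below is an added example, not part of the bug report or of Suricata, for operators who process pcaps through the unix socket and want to detect the condition in the Suricata log. It assumes the log line layout shown above (timestamp, `<Level>`, message) and that each submission is preceded by a `Starting run for '<pcap>'` line; the second pcap run and its timestamps in the sample log are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): scan a Suricata log for the
# "only one 'anomaly' logger can be enabled" error and attribute each
# occurrence to the pcap run that was being started at the time.
# Assumes the log layout shown in the report:
#   DD/MM/YYYY -- HH:MM:SS - <Level> - message

# Number of anomaly-logger configuration errors in the log file.
# grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
count_anomaly_logger_errors() {
    grep -cF "only one 'anomaly' logger can be enabled" "$1" || true
}

# Print the path of every pcap whose run was followed by the error
# before the next run started. The pcap path is the text between the
# single quotes in the "Starting run for '...'" line; the quote character
# is passed in via -v to avoid quoting it inside the awk program.
pcaps_with_anomaly_error() {
    awk -v q="'" '
        /Starting run for / {
            n = split($0, parts, q)
            run = (n >= 2) ? parts[2] : ""
            next
        }
        /SC_ERR_CONF_YAML_ERROR/ && /only one/ && run != "" {
            print run
            run = ""
        }
    ' "$1"
}

# Constructed sample log: the first run reproduces the lines from the
# report, the second run ("second.pcap", 02:55:10) is made up and is
# included only to show that a clean run is not reported.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
18/12/2020 -- 02:53:49 - <Info> - Added file '/tmp/socket_anomaly_error/test.pcap' to list
18/12/2020 -- 02:53:49 - <Info> - Starting run for '/tmp/socket_anomaly_error/test.pcap'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:53:49 - <Config> - enabling 'eve-log' module 'anomaly'
18/12/2020 -- 02:53:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'anomaly' logger can be enabled
18/12/2020 -- 02:55:10 - <Info> - Starting run for '/tmp/socket_anomaly_error/second.pcap'
18/12/2020 -- 02:55:10 - <Config> - enabling 'eve-log' module 'alert'
18/12/2020 -- 02:55:10 - <Config> - enabling 'eve-log' module 'anomaly'
EOF
    echo "$f"
}

# Demonstration on the constructed sample; point the two functions at
# a real suricata.log to check a production socket-mode deployment.
log=$(make_sample_log)
echo "anomaly-logger errors: $(count_anomaly_logger_errors "$log")"
echo "pcaps affected:"
pcaps_with_anomaly_error "$log"
rm -f "$log"
```

On the sample log this reports one error and lists only the first pcap; a non-zero count on a real log means the anomaly records for the listed pcaps cannot be trusted to be complete, and the affected versions listed in the report are the ones to check for.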


Related issues: 3 (0 open, 3 closed)

Related to Suricata - Bug #4434: Duplicate alert record in eve log when using unix-socket mode (Closed, Jason Ish)
Copied to Suricata - Bug #4469: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode (Closed, Jeff Lucovsky)
Copied to Suricata - Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode (Closed, Shivani Bhardwaj)