Project

General

Profile

Actions
Copy link

Bug #4434

closed

Duplicate alert record in eve log when using unix-socket mode

Added by Sergei Koniukhov about 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
7.0.0-beta1
Affected Versions:
6.0.2
Effort:
Difficulty:
Label:
Needs backport to 6.0

Description

When using unix-socket mode I see two things:
1. first alert record in eve log is produces twice,
2. unexpected write into the default-log-dir takes place.

Configuration files and pcap file are placed in the attachment (taken from https://github.com/OISF/suricata-verify/tree/master/tests/alert-testmyids).

My research ended up with the following:
1. Two instances of `OutputPacketLogger` are inserted into global index because of `RunModeInitializeOutputs()` is called twice in unix-socket mode.
2. Such a behavior was introduced with the commit https://github.com/OISF/suricata/commit/ea15282f47c6ff781533e3a063f9c903dd6f1afb.
3. There is a corresponding bug in the issues tracker (https://redmine.openinfosecfoundation.org/issues/4225).

Files

scenario.zip (3.25 KB) scenario.zip Sergei Koniukhov, 04/19/2021 11:26 AM

Related issues 2 (0 open2 closed)

Related to Suricata - Bug #4225: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket modeClosedJason IshActions
Copied to Suricata - Bug #4471: Duplicate alert record in eve log when using unix-socket modeClosedShivani BhardwajActions
Actions
Copy link
 #1

Updated by Sergei Koniukhov about 3 years ago

4. And there's PR https://github.com/OISF/suricata/pull/5928, with possible solution. But if unconditionally initialize outputs, the log file at default-log-dir will be created even if we write into it nothing (which is the case of unix-socket mode).

Commands to reproduce:
suricata --set runmode=single -c suricata.yaml --unix-socket=/tmp/suricata_uds
and
suricatasc /tmp/suricata_uds
>>> pcap-file input.pcap unix

Actions
Copy link
 #2

Updated by Corey Thomas about 3 years ago

Can confirm that 6.0.2 and latest both have a duplicate alert(s) in eve.json when using unix-socket to read the supplied input.pcap.

Reading -r input.pcap only outputs one alert.

Actions
Copy link
 #3

Updated by Jason Ish about 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish

Will take a look at this.

Actions
Copy link
 #4

Updated by Jason Ish almost 3 years ago

  • Target version set to 7.0.0-beta1
  • Label Needs backport to 6.0 added

Confirmed that existing PR fixes the duplicate logging issue. However, the default-log-directory is still initialized, which I think is better solved as a lower priority issue.

PR: https://github.com/OISF/suricata/pull/6091

Actions
Copy link
 #5

Updated by Jeff Lucovsky almost 3 years ago

  • Copied to Bug #4471: Duplicate alert record in eve log when using unix-socket mode added
Actions
Copy link
 #6

Updated by Jason Ish almost 3 years ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #7

Updated by Corey Thomas almost 3 years ago

Looks like that PR generates a single alert for `input.pcap`.

Actions
Copy link
 #8

Updated by Jason Ish almost 3 years ago

  • Related to Bug #4225: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode added
Actions
Copy link
 #9

Updated by Jason Ish almost 3 years ago

  • Status changed from In Review to Closed

Fix merge into master.

Actions
Copy link

Also available in: Atom PDF