[Oisf-users] Suricata Error on Rule Reload

Eric Urban eurban at umn.edu
Fri Apr 26 18:06:04 UTC 2019


We are currently testing Suricata 4.1.3.  Whenever we perform a rule
reload, we get the error SC_ERR_PCAP_DISPATCH with an error code of -2.
Here is the output from suricata.log:

{"timestamp":"2019-04-26T10:07:54.238852-0500","log_level":"Error","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"error code -2 "}}
{"timestamp":"2019-04-26T10:07:54.664296-0500","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
{"timestamp":"2019-04-26T10:07:54.665821-0500","log_level":"Notice","event_type":"engine","engine":{"message":"rule reload complete"}}

We do not get this error in 4.0.6.  I am not sure at this point whether
this is a non-issue or if it does in fact affect alerting.

I believe this error is coming from source-pcap.c on line 269
(https://github.com/OISF/suricata/blob/7f38ffc8bcfa3bca793eb3be41f112634b48de2a/src/source-pcap.c#L269),
since we aren't loading a pcap file in this case and that is mostly where
else this error is thrown.

There is a pcap_dispatch call above this one (line 265) and the conditional
on line 267 to enter the trigger for this error checks that the return from
pcap_dispatch is < 0.  The PCAP_ERROR_BREAK (-2) code would be handled on
line 272 once inside of here.  There is a pcap_breakloop() call (line 226)
inside PcapCallbackLoop which is called on line 266, but I believe this may
be the result of the change for 4.1.3 in
https://github.com/OISF/suricata/commit/bb26e6216e5190d841529c0ecb1292b9a358ed54#diff-2079412a59d37868318fc953aeddef52
where ReceivePcapBreakLoop was created for PktAcqBreakLoop.  So possibly in
tm-threads.c at
https://github.com/OISF/suricata/blob/d6903e70c1b653984ca95f8808755efbc6a9ece4/src/tm-threads.c#L1610
?

Does this seem right or am I on the wrong track?  If that is how the error
occurs, then I believe we would be losing a half second (at least) of
traffic visibility due to the reconnect on line 277 of source-pcap.c.

I am curious if anyone else using the pcap capture method and running 4.1.3
or other versions has experienced this.

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu
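An added example, not part of the original post or of Suricata: a small Python checker that reads the JSON-format suricata.log quoted above, pulls out SC_ERR_PCAP_DISPATCH engine errors together with the libpcap return code embedded in their message, and measures the interval between each such error and the next "rule reload complete" notice. That interval is what can actually be read off this log when deciding whether the reload is costing capture time; the sample input is the three log lines from the post, re-joined onto single lines, and the -2 to PCAP_ERROR_BREAK mapping is the standard libpcap value.

```python
import json
import re
from datetime import datetime

# Constructed sample input: the three suricata.log lines quoted in the post,
# unwrapped onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
{"timestamp":"2019-04-26T10:07:54.238852-0500","log_level":"Error","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"error code -2 "}}
{"timestamp":"2019-04-26T10:07:54.664296-0500","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
{"timestamp":"2019-04-26T10:07:54.665821-0500","log_level":"Notice","event_type":"engine","engine":{"message":"rule reload complete"}}
"""

# The message Suricata logs for this error looks like "error code -2 ".
CODE_RE = re.compile(r"code\s+(-?\d+)")

# libpcap return values from pcap.h; PCAP_ERROR_BREAK (-2) is what
# pcap_dispatch() returns after pcap_breakloop() has been called.
PCAP_CODES = {-1: "PCAP_ERROR", -2: "PCAP_ERROR_BREAK"}


def parse_timestamp(ts):
    # Suricata writes "2019-04-26T10:07:54.238852-0500"; strptime's %z
    # accepts the colon-less UTC offset.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_engine_log(text):
    """Return the engine events from JSON-format suricata.log text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (plain-text log format, noise)
        if rec.get("event_type") != "engine":
            continue
        engine = rec.get("engine", {})
        events.append({
            "ts": parse_timestamp(rec["timestamp"]),
            "level": rec.get("log_level"),
            "error": engine.get("error"),
            "message": engine.get("message", ""),
        })
    return events


def find_dispatch_errors(events):
    """Return SC_ERR_PCAP_DISPATCH events with the libpcap code extracted."""
    found = []
    for ev in events:
        if ev["error"] != "SC_ERR_PCAP_DISPATCH":
            continue
        m = CODE_RE.search(ev["message"])
        code = int(m.group(1)) if m else None
        found.append({"ts": ev["ts"], "code": code,
                      "name": PCAP_CODES.get(code, "unknown")})
    return found


def reload_gaps(events):
    """Pair each dispatch error with the next 'rule reload complete' notice
    and report the seconds between them, i.e. how long the capture thread
    was in its error/reconnect path relative to the reload finishing."""
    gaps = []
    pending = None
    for ev in events:
        if ev["error"] == "SC_ERR_PCAP_DISPATCH":
            pending = ev
        elif pending is not None and "rule reload complete" in ev["message"]:
            delta = (ev["ts"] - pending["ts"]).total_seconds()
            gaps.append({"error_ts": pending["ts"].isoformat(),
                         "reload_ts": ev["ts"].isoformat(),
                         "seconds": delta})
            pending = None
    return gaps


if __name__ == "__main__":
    evs = parse_engine_log(SAMPLE_LOG)
    for e in find_dispatch_errors(evs):
        print(f"{e['ts'].isoformat()} pcap_dispatch returned "
              f"{e['code']} ({e['name']})")
    for g in reload_gaps(evs):
        print(f"error -> reload complete: {g['seconds']:.6f} s")
```

Run it against a real suricata.log by replacing SAMPLE_LOG with the file contents; a steady stream of PCAP_ERROR_BREAK errors that line up with reload notices is the pattern the post describes, while any other code (or errors with no reload nearby) points at the capture interface itself rather than the reload path.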