[Oisf-users] Suricata Error on Rule Reload

Eric Urban eurban at umn.edu
Fri Apr 26 18:06:04 UTC 2019

We are currently testing Suricata 4.1.3.  Whenever we perform a rule
reload, we get the error SC_ERR_PCAP_DISPATCH with an error code of -2.
Here is the output from suricata.log:

code -2 "}}
up signature grouping structure... complete"}}
reload complete"}}

We do not get this error in 4.0.6.  I am not sure at this point whether
this is a non-issue or if it does in fact affect alerting.

I believe this error is coming from source-pcap.c on line 269 (
since we aren't loading a pcap file in this case and that is mostly where
else this error is thrown.

There is a pcap_dispatch call above this one (line 265) and the conditional
on line 267 to enter the trigger for this error checks that the return from
pcap_dispatch is < 0.  The PCAP_ERROR_BREAK (-2) code would be handled on
line 272 once inside of here. There is a pcap_breakloop() call (line 226)
inside PcapCallbackLoop which is called on line 266, but I believe this may
be the result of the change for 4.1.3  in
ReceivePcapBreakLoop was created for PktAcqBreakLoop.  So possibly in
tm-threads.c at

Does this seem right or am I on the wrong track?  If that is how the error
occurs, then I believe we would be losing a half second (at least) of
traffic visibility due to the reconnect on line 277 of source-pcap.c.

I am curious if anyone else using pcap capture method running 4.1.3 or
other versions has experienced this?

Eric Urban
University Information Security | Office of Information Technology |
University of Minnesota | umn.edu
eurban at umn.edu
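The distinction Eric is asking about is how a capture loop treats the two negative return values of pcap_dispatch(): PCAP_ERROR (-1) means the handle is broken, while PCAP_ERROR_BREAK (-2) only means pcap_breakloop() was called (for example to pause capture during a rule reload) and is not a capture failure. The following is an added example, not code from Suricata's source-pcap.c; the two constants are copied from libpcap's pcap/pcap.h so the program builds without linking libpcap, and the scripted dispatch function is a constructed stand-in for pcap_dispatch() so the loop can be run offline. It shows a loop that reconnects only on PCAP_ERROR and exits cleanly on PCAP_ERROR_BREAK, which is the behaviour you would want if the break is deliberate.

```c
#include <stdio.h>

/* Return codes as defined in libpcap's pcap/pcap.h. The values are copied
 * here (not included from pcap.h) so this example builds without libpcap. */
#define PCAP_ERROR       (-1)   /* handle error; pcap_geterr() has details   */
#define PCAP_ERROR_BREAK (-2)   /* loop terminated by pcap_breakloop()       */

enum dispatch_action {
    ACTION_CONTINUE,   /* rc >= 0: rc packets processed (0 on timeout)          */
    ACTION_BREAK,      /* rc == PCAP_ERROR_BREAK: break requested, not an error */
    ACTION_RECONNECT   /* rc == PCAP_ERROR: capture handle must be reopened     */
};

/* Classify a pcap_dispatch() return value. Treating -2 like -1 would
 * trigger an unnecessary reopen of the handle (and the capture gap that
 * goes with it) every time pcap_breakloop() is used on purpose. */
enum dispatch_action classify_dispatch_rc(int rc)
{
    if (rc >= 0)
        return ACTION_CONTINUE;
    if (rc == PCAP_ERROR_BREAK)
        return ACTION_BREAK;
    return ACTION_RECONNECT;
}

/* Counters the loop reports back so its behaviour can be checked. */
struct capture_stats {
    int packets;      /* packets handled across all dispatch calls */
    int breaks;       /* clean break-loop exits                    */
    int reconnects;   /* reopen attempts caused by real errors     */
};

/* Hypothetical dispatch signature standing in for pcap_dispatch(). */
typedef int (*dispatch_fn)(void *ctx);

/* Simplified capture loop: keep dispatching until a break is requested
 * or max_iters is hit; real errors would reopen the handle here. */
struct capture_stats run_capture_loop(dispatch_fn dispatch, void *ctx, int max_iters)
{
    struct capture_stats st = {0, 0, 0};
    for (int i = 0; i < max_iters; i++) {
        int rc = dispatch(ctx);
        switch (classify_dispatch_rc(rc)) {
        case ACTION_CONTINUE:
            st.packets += rc;
            break;
        case ACTION_BREAK:
            st.breaks++;          /* deliberate stop: no reconnect, no error log */
            return st;
        case ACTION_RECONNECT:
            st.reconnects++;      /* a real pcap_open_live() retry would go here */
            break;
        }
    }
    return st;
}

/* Constructed stand-in for pcap_dispatch(): replays a scripted list of
 * return values so the loop can be exercised without a live interface. */
struct scripted_ctx {
    const int *rcs;
    int n;
    int pos;
};

static int scripted_dispatch(void *p)
{
    struct scripted_ctx *c = p;
    if (c->pos >= c->n)
        return 0;               /* behave like a read timeout once exhausted */
    return c->rcs[c->pos++];
}

/* Constructed scenario: two batches of packets, one real error, another
 * batch, then a break-loop request; the trailing 7 is never reached. */
struct capture_stats demo(void)
{
    static const int script[] = {5, 3, PCAP_ERROR, 2, PCAP_ERROR_BREAK, 7};
    struct scripted_ctx ctx = {script, 6, 0};
    return run_capture_loop(scripted_dispatch, &ctx, 100);
}

int main(void)
{
    struct capture_stats s = demo();
    printf("packets=%d breaks=%d reconnects=%d\n",
           s.packets, s.breaks, s.reconnects);
    return 0;
}
```

With the scripted sequence the loop handles 10 packets, reconnects once for the PCAP_ERROR, and stops cleanly at the PCAP_ERROR_BREAK without a second reconnect; a loop that lumped both negative codes together would have reported two reconnects, which is the kind of avoidable capture gap the post is worried about.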