From 89b656d8eed0c8ebddc960a06f0434819abdc673 Mon Sep 17 00:00:00 2001
From: Danny Browning
Date: Mon, 6 Nov 2017 16:10:02 -0700
Subject: [PATCH] unix socket: don't loose events when offline https://redmine.openinfosecfoundation.org/issues/2215 Fixes issue with events being dropped since socket was non-blocking for offline run modes. Add a method for determining offline from run mode. Make sure SCInstance offline is set correctly. Use current run mode to set socket flags.
---
 src/runmodes.c | 14 ++++++++++++++
 src/runmodes.h | 2 ++
 src/suricata.c | 11 ++---------
 src/suricata.h | 1 -
 src/util-logopenfile.c | 2 +-
 5 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/runmodes.c b/src/runmodes.c
index b99d3e95e9..8b5c3ef03b 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -484,6 +484,20 @@ int RunModeOutputFiledataEnabled(void)
 return filedata_logger_count > 0;
 }
+bool IsRunModeOffline(int run_mode_to_check)
+{
+ switch(run_mode_to_check) {
+ case RUNMODE_PCAP_FILE:
+ case RUNMODE_ERF_FILE:
+ case RUNMODE_ENGINE_ANALYSIS:
+ case RUNMODE_UNIX_SOCKET:
+ return true;
+ break;
+ default:
+ return false;
+ }
+}
+
 /**
 * Cleanup the run mode.
 */
diff --git a/src/runmodes.h b/src/runmodes.h
index 2a38fb5024..da0091e411 100644
--- a/src/runmodes.h
+++ b/src/runmodes.h
@@ -88,6 +88,8 @@ void RunModeShutDown(void);
 int RunModeOutputFileEnabled(void);
 /* bool indicating if filedata logger is enabled */
 int RunModeOutputFiledataEnabled(void);
+/** bool indicating if run mode is offline */
+bool IsRunModeOffline(int run_mode_to_check);
 #include "runmode-pcap.h"
 #include "runmode-pcap-file.h"
diff --git a/src/suricata.c b/src/suricata.c
index c85c8eb864..d73492129e 100644
--- a/src/suricata.c
+++ b/src/suricata.c
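Review bot: `IsRunModeOffline` in src/runmodes.c has no doc comment, although after this patch its case list decides whether a logging socket gets `MSG_DONTWAIT` in src/util-logopenfile.c. Any run mode not listed falls through to `default` and is treated as live, so its socket writes stay non-blocking and events can still be dropped. A comment such as `/** Returns true for offline run modes; logging sockets use blocking writes in these modes. New offline run modes must be added here. */` would make that contract visible. The `break;` after `return true;` is unreachable and can be removed.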
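Review bot: The `IsRunModeOffline` prototype added to src/runmodes.h returns `bool`, while the predicate just above it is documented as "bool indicating ..." but returns `int`, and nothing visible in this hunk includes `<stdbool.h>`. The header therefore appears to rely on an earlier include defining `bool` in every file that pulls it in; if that is not guaranteed, add `#include <stdbool.h>` here. The doc comment could also say what "offline" controls, e.g. `/** true if the run mode is offline; offline modes use blocking writes on logging sockets */`.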
@@ -203,9 +203,6 @@ volatile uint8_t suricata_ctl_flags = 0;
 /** Run mode selected */
 int run_mode = RUNMODE_UNKNOWN;
-/** Is this an offline run mode. */
-int run_mode_offline = 0;
-
 /** Engine mode: inline (ENGINE_MODE_IPS) or just
 * detection mode (ENGINE_MODE_IDS by default) */
 static enum EngineMode g_engine_mode = ENGINE_MODE_IDS;
@@ -2108,6 +2105,8 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
 if (engine_analysis)
 suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
+ suri->offline = IsRunModeOffline(suri->run_mode);
+
 ret = SetBpfString(optind, argv);
 if (ret != TM_ECODE_OK)
 return ret;
@@ -2373,11 +2372,6 @@ static int StartInternalRunMode(SCInstance *suri, int argc, char **argv)
 static int FinalizeRunMode(SCInstance *suri, char **argv)
 {
 switch (suri->run_mode) {
- case RUNMODE_PCAP_FILE:
- case RUNMODE_ERF_FILE:
- case RUNMODE_ENGINE_ANALYSIS:
- suri->offline = 1;
- break;
 case RUNMODE_UNKNOWN:
 PrintUsage(argv[0]);
 return TM_ECODE_FAILED;
@@ -2386,7 +2380,6 @@ static int FinalizeRunMode(SCInstance *suri, char **argv)
 }
 /* Set the global run mode and offline flag. */
 run_mode = suri->run_mode;
- run_mode_offline = suri->offline;
 if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
 return TM_ECODE_FAILED;
diff --git a/src/suricata.h b/src/suricata.h
index dcb54b67fa..cc38f5507b 100644
--- a/src/suricata.h
+++ b/src/suricata.h
@@ -194,7 +194,6 @@ int RunmodeGetCurrent(void);
 int IsRuleReloadSet(int quiet);
 extern int run_mode;
-extern int run_mode_offline;
 void PreRunInit(const int runmode);
 void PreRunPostPrivsDropInit(const int runmode);
diff --git a/src/util-logopenfile.c b/src/util-logopenfile.c
index 9424ac3575..d9b1cc4e0a 100644
--- a/src/util-logopenfile.c
+++ b/src/util-logopenfile.c
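Review bot: In the `ParseCommandLine` hunk of src/suricata.c, `suri->offline` is computed once from `suri->run_mode` at parse time, while src/util-logopenfile.c recomputes the same fact from `RunmodeGetCurrent()`, so the patch leaves two sources for it. If anything assigns `suri->run_mode` after this line (not visible in the hunk), the cached flag goes stale. Because `IsRunModeOffline` includes `RUNMODE_UNIX_SOCKET`, every existing reader of `suri->offline` now sees unix-socket mode as offline, which the removed `FinalizeRunMode` cases did not do. A comment such as `/* cached from run_mode; recompute if run_mode changes after option parsing */` would record the assumption, and the context comment `/* Set the global run mode and offline flag. */` in `FinalizeRunMode` should drop "and offline flag" now that the assignment is gone. The body of `ParseCommandLine` starts and ends outside the hunk.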
@@ -526,7 +526,7 @@ SCConfLogOpenGeneric(ConfNode *conf,
 #ifdef BUILD_WITH_UNIXSOCKET
 /* If a socket and running live, do non-blocking writes. */
- if (log_ctx->is_sock && run_mode_offline == 0) {
+ if (log_ctx->is_sock && !IsRunModeOffline(RunmodeGetCurrent())) {
 SCLogInfo("Setting logging socket of non-blocking in live mode.");
 log_ctx->send_flags |= MSG_DONTWAIT;
 }
--
2.47.2
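Review bot: With this condition in `SCConfLogOpenGeneric`, a logging socket opened in any mode that `IsRunModeOffline` reports as offline, now including `RUNMODE_UNIX_SOCKET`, no longer gets `MSG_DONTWAIT`, so a peer that stops reading the socket can block the sending thread. That is the trade the commit wants for file replay, but for a long-running unix-socket instance it lets a stalled log consumer hold up processing, and nothing in the hunk documents or bounds it. I would extend the comment to `/* Live: non-blocking writes, events may be dropped. Offline: blocking writes, a stalled reader stalls the writer. */` and consider a send timeout on the socket for the offline case. The flag is also decided once when the log is opened, so it presumably relies on the global run mode being final by then; the function body continues outside the hunk.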