Suricata starts scanning the folder, but after a couple of seconds it crashes with the following message:
Error: threads: thread "FM#01" failed to start in time: flags 0003 [TmThreadWaitOnThreadRunning:tm-threads.c:1830]
I'm running Ubuntu 22.04 and I've tried both version 7.0.2 from the Ubuntu repositories and version 8.0.0-dev compiled from source, but the result is the same. If I remove the --pcap-file-continuous option from the command, Suricata scans the directory once, evaluates the pcaps inside that dir and exits without any error, so I think that the problem could be related to that option.
The only workaround I found so far is to make a cronjob to schedule Suricata to perform a single scan of the pcap folder, but I would like to have a more reliable solution.
And, indeed, on Suri 7.0.2, I get the same result:
Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604840362 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604845362 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604850363 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Error: threads: thread "FM#01" failed to start in time: flags 0003 [TmThreadWaitOnThreadRunning:tm-threads.c:1832]
I’ll let others make the judgement but indeed it looks like a bug that we’ll need to take care of.
Thanks for reporting that.
After that, I used suricatasc to connect to the Unix socket and I sent the command:
pcap-file-continuous /home/st5/pcaps .
Suricata then started polling the directory for pcap files without crashing. Hence, I think that the problem could be related to the bootstrap procedure when using the --pcap-file-continuous parameter.
Hope that this can help in finding a solution to a possible bug.
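To make the unix-socket route above scriptable without relying on the suricatasc binary, here is a small client added as an example; it is not code from this thread or from the Suricata project. It speaks the JSON protocol that suricatasc uses (a version handshake, then one command object per request, each answered with a `return` field) and queues a directory with the `pcap-file-continuous` command. The argument names `filename` and `output-dir`, the socket path passed in by the caller, and the `FakeCommandSocket` stand-in that lets the client run offline are assumptions of this example, not something the posts confirm. It automates the workaround; it does not address the startup crash itself.

```python
"""Queue a pcap directory over Suricata's unix command socket.

Added example: a tiny client for the JSON protocol suricatasc speaks.
Run Suricata in socket mode first, e.g. `suricata --unix-socket`, and pass
the path of the command socket it creates.
"""
import json
import os
import socket
import tempfile
import threading

PROTOCOL_VERSION = "0.2"   # assumption: the version string suricatasc sends


def _recv_json(sock, bufsize=4096):
    """Read until one complete JSON object has arrived (messages carry no delimiter)."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("socket closed before a full message arrived")
        data += chunk
        try:
            return json.loads(data.decode())
        except ValueError:
            continue   # partial message, keep reading


def send_command(socket_path, command, arguments=None):
    """Handshake, send one command, return the reply as a dict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(json.dumps({"version": PROTOCOL_VERSION}).encode())
        hello = _recv_json(sock)
        if hello.get("return") != "OK":
            raise RuntimeError(f"handshake rejected: {hello}")
        msg = {"command": command}
        if arguments:
            msg["arguments"] = arguments
        sock.sendall(json.dumps(msg).encode())
        return _recv_json(sock)


def queue_pcap_directory(socket_path, pcap_dir, output_dir):
    """Same effect as `suricatasc -c "pcap-file-continuous <dir> <output-dir>"`.

    Returns (ok, reply); ok is True only when Suricata answered "OK".
    Argument names are an assumption of this example.
    """
    reply = send_command(socket_path, "pcap-file-continuous",
                         {"filename": pcap_dir, "output-dir": output_dir})
    return reply.get("return") == "OK", reply


class FakeCommandSocket:
    """Constructed stand-in for the Suricata socket server, for offline testing only.

    Accepts one client, checks the handshake, records the command and answers
    the way a cooperative server would. It processes no pcaps.
    """

    def __init__(self):
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "suricata-command.socket")
        self.received = []
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        self._srv.listen(1)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn:
            hello = _recv_json(conn)
            ok = hello.get("version") == PROTOCOL_VERSION
            conn.sendall(json.dumps({"return": "OK" if ok else "NOK"}).encode())
            if not ok:
                return
            cmd = _recv_json(conn)
            self.received.append(cmd)
            args = cmd.get("arguments", {})
            if cmd.get("command") == "pcap-file-continuous" and "filename" in args:
                reply = {"return": "OK", "message": "directory " + args["filename"] + " queued"}
            else:
                reply = {"return": "NOK", "message": "Unknown command"}
            conn.sendall(json.dumps(reply).encode())

    def close(self):
        self._srv.close()


if __name__ == "__main__":
    # Offline demo against the fake server; point at the real socket instead
    # (default path depends on your suricata.yaml) when Suricata is running.
    server = FakeCommandSocket()
    print(queue_pcap_directory(server.path, "/home/st5/pcaps", "."))
    server.close()
```

Because the client waits for the handshake reply before sending the command, the two messages never coalesce on the wire, which is why the simple "read until it parses" loop is sufficient on both sides.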