Suricata-update & suricata -T blocking when using UNIX socket for eve-log

Good evening,

I’m deploying Suricata 8.0.3 on sensors running Ubuntu 24.04 LTS automatically using Ansible and using suricata-update to roll out rulesets. I ran into a problem with this as the suricata testing process blocks for a very long time waiting for the UNIX domain socket for eve-log to become available. Suricata is configured to push EVE JSON to a UNIX socket:

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /tmp/alert_dispatcher.sock

When running suricata-update, it tries to run suricata -T to test the new ruleset while the main Suricata process is still running. After testing, it executes sudo suricatasc -c reload-rules to signal Suricata that the ruleset should be reloaded. The testing command took a very long time, several hours, to complete. To debug this issue, I set the test-command parameter for suricata-update to suricata -T -vvvv. This command blocks on the line before I pressed ^C as shown below.

Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 1024 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:487]
Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:510]
Config: logopenfile: buffering setting ignored for unix_stream output types [SCConfLogOpenGeneric:util-logopenfile.c:590]
^CWarning: logopenfile: Error connecting to socket "/tmp/alert_dispatcher.sock": Interrupted system call (will keep trying) [SCLogOpenUnixSocketFp:util-logopenfile.c:89]

So I disabled the eve-log output by using:

suricata -T -vvvv --set outputs.1.eve-log.enabled=false

After which the testing phase continued as normal, and completed within one minute. I feel this might be a bug because it happens when using a UNIX domain socket to process logs. I use a self-made broker application that catches events from Suricata and processes them further.

What do you think, and could somebody look into this? I have a temporary workaround, but there might be a better way. :slight_smile:

Thanks in advance!

-Gijs
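A wrapper for suricata-update's test command, added here as an example (it is not code from the post, from Suricata or from suricata-update): it probes the eve-log socket with a short timeout and falls back to the `--set outputs.1.eve-log.enabled=false` workaround from the post when no broker is accepting connections, so the rule test cannot hang on a dead socket. The socket path and the output index 1 are taken from the post; the probe logic and the `selftest` helper are assumptions of this example.

```python
import os
import socket
import subprocess
import sys
import tempfile

EVE_SOCKET = "/tmp/alert_dispatcher.sock"   # socket path from the post
EVE_OUTPUT_INDEX = 1                        # assumption: eve-log is outputs[1] in suricata.yaml


def socket_accepts(path: str, timeout: float = 2.0) -> bool:
    """True if a listener accepts a connection on the UNIX socket at `path`.

    Missing file, stale file left by a dead broker (ECONNREFUSED) and timeouts
    all count as "not ready". The probe sends nothing; the broker only sees a
    connection that closes immediately."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError:            # ENOENT, ECONNREFUSED, EACCES, timeout ...
            return False
    return True


def build_test_command(socket_ready: bool, eve_index: int = EVE_OUTPUT_INDEX,
                       extra_args=()) -> list:
    """argv for the rule test; applies the post's workaround when no broker listens."""
    cmd = ["suricata", "-T"]
    if not socket_ready:
        cmd += ["--set", f"outputs.{eve_index}.eve-log.enabled=false"]
    return cmd + list(extra_args)


def selftest() -> bool:
    """Probe a temporary listener, then the same path once the listener is gone."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "probe.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    live = socket_accepts(path, timeout=1.0)
    srv.close()                    # socket file stays behind, nobody listens -> refused
    stale = socket_accepts(path, timeout=1.0)
    os.unlink(path)
    os.rmdir(tmpdir)
    return live and not stale


if __name__ == "__main__":         # point suricata-update's test-command at this script
    ready = socket_accepts(EVE_SOCKET)
    if not ready:
        print(f"{EVE_SOCKET}: no listener, testing with eve-log disabled", file=sys.stderr)
    sys.exit(subprocess.call(build_test_command(ready, extra_args=sys.argv[1:])))
```

Extra arguments such as `-vvvv` are passed through to `suricata -T`, and the exit status of the test is returned unchanged so suricata-update still sees a failed test as failed.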