Description of problem: After 3 weeks of uptime suricata runs into fail state. Version-Release number of selected component (if applicable): suricata-4.0.5-1.fc28 How reproducible: Always after some weeks uptime. Steps to Reproduce: 1. Install, enable and start suricata service 2. Wait some weeks (no reboot) 3. Actual results: suricata[2589]: 19/8/2018 -- 03:25:02 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't create a AF_PACKET socket, error Too many open files Expected results: No erors. Additional info:
Could you share your suricata.yaml config? Also could you provide an lsof output for the suricata process when it starts generating the error indicated above? Thanks! JT
Thanks for the report and thanks sgrubb for reporting. According to the suricata devs this issue should be fixed with: https://github.com/OISF/suricata/pull/3463 JT
The question is should we patch that up or will there be a new release soonish?
I didn't get a chance to about a bugfix release, I will tomorrow. If no release is imiment, I'm for a patch and new build. JT
Well, as stated in the initial report, it takes weeks. I will of course provide the required information when it occurs again.Please stay patient. As far as my configuration file is concerned, it corresponds to what is configured by default after the installation. I did not edit it. Hope this helps.
Understood, whenever you are able. It appears the devs were able to track it down but if we could get any additional information to ensure a proper fix. Thanks in advance! JT
Word back about a bugfix release is that, yes there will be one but the timeframe is unknown. That being the case, do you want to do local patch Steve? JT
Looks like this was fixed in suricata-4.0.6. I'm going to close this out since that was pushed out back in December. If there is still a problem, feel free to re-open the bug report. Thanks.