SoolRecordReader stop working

[someone77]

Hi, We are using SoolRecordReader to reading unified2 in follow mode (watch on snort output unified2 folder). The code stoped read unified2 files without exceptions and its happen ones in a couple of days. Snort continues writes unified2 and it seems working well.

Example code:

from idstools import unified2
import os 

class Unified2Parser:        
    def record_reader(self):
        reader = unified2.SpoolRecordReader(directory="/tmp/snort_unified2_output",
                                            prefix="snort",
                                            rollover_hook=self.unified2_rullover_hook,
                                            follow=True)
        
        
        while True:
            record = reader.next()
            if record:
                self.handle_unified2_record(record=record)

    def handle_unified2_record(self, record):
        """
        This fuch will be parse unified2 record 
        :param record: 
        :return: 
        """
        print(record)

    def unified2_rullover_hook(self, closed, opened):
        """

        :param closed: 
        :param opened: 
        :return: 
        """
        self.current_unified2_file = opened
        os.remove(path=closed)
        
        
unified_parser = Unified2Parser()
unified_parser.record_reader()

Other details:

Python version 2.7 idstools version 0.6.3 Run on Docker container - Ubuntu Server 16.04

We are would be grateful to any assistance.

Thanks!

[jasonish]

I can't see any reason in the code that this would exit. Have you run this minimal version and seen it exit? If a loop like this is running in a thread, maybe the exception is being swalloed somewhere.

I'd wrap reader.next() in a try/except, as there are a variety of reasons it could throw an exception.

The latest version of Snort records are not all supported, and this is a common reason for an exception to be thrown here.

[someone77]

Thanks! The Snort version is 2.9.11.1. it can be a problem?