Suricata

Not much we can say based on the message. Can you try to find the actual suricata error message and exit code?

Sure...I will run just the command line shown in the message from Cuckoo, once as my cuckoo user, and once with sudo.

AS CUCKOO USER:

$ /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap

Error opening file /var/log/suricata/suricata.log
15/12/2017 -- 13:16:23 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:16:27 - <Error> - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed

AS SUDO:

$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap

15/12/2017 -- 13:18:00 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:18:04 - <Notice> - AFL mode starting
15/12/2017 -- 13:18:04 - <Notice> - all 5 packet processing threads, 0 management threads initialized, engine started.
15/12/2017 -- 13:18:04 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:18:04 - <Notice> - Signal Received.  Stopping engine.

Normally, suricata is run as the cuckoo user and is called from the Cuckoo processing module, I believe in cli mode. For obvious reasons I don't want to run cuckoo as a root or sudo user.

Thanks,
Jeff

Couple of things:

"AFL mode starting" is not something I'd expect to see in production anywhere. It's the fuzzing support to work with AFL. Suricata will not function normally when this is built-in.

If you start as a regular user then 'dropping privs' doesn't work. You are already a regular user. Dropping privs is for going from root to a lower priv user.

If you start as sudo, the drop privs makes suri drop privileges after start up. But it's meant for live modes, where we need privs to open a capture device. For pcap handling, just run it as a normal user w/o trying to drop privs.

OK I removed the run-as configuration option, and also the RUN_AS_USER option from /etc/default/suricata. This is the results I get now. Not sure how to disable the AFL mode starting...I will check the module, or is that something that needs to be disabled at compile time?

15/12/2017 -- 13:34:31 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:34:35 - <Notice> - AFL mode starting
15/12/2017 -- 13:34:35 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0547
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

OK I quickly recompiled and explicitly disabled AFL mode. Now it seems to work outside of Cuckoo...I need to run another analysis to see if it works from within Cuckoo. That will take about 15 minutes and then I will report back.

15/12/2017 -- 13:47:20 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:47:25 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
15/12/2017 -- 13:47:25 - <Notice> - Signal Received.  Stopping engine.
15/12/2017 -- 13:47:25 - <Notice> - Pcap-file module read 352 packets, 34710 bytes

Well that seems to have done the trick.

• AFL mode = bad.
• Drop privileges not needed.

Thanks for the help!!