Support #2366
closedSuricata returned an error processing this pcap
Description
Does anyone here use Suricata with Cuckoo Sandbox?
Has anyone encountered the below Warning from Suricata before?
2017-12-15 10:43:22,201 [cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Suricata returned an error processing this pcap: Command '['/usr/bin/suricata', '-c', '/etc/suricata/suricata.yaml', '-k', 'none', '-l', '/home/cuckoo/.cuckoo/storage/analyses/2/suricata', '-r', '/home/cuckoo/.cuckoo/storage/analyses/2/dump.pcap']' returned non-zero exit status 1
Updated by Victor Julien about 7 years ago
Not much we can say based on the message. Can you try to find the actual suricata error message and exit code?
Updated by Jeff Singleton about 7 years ago
Sure...I will run just the command line shown in the message from Cuckoo, once as my cuckoo user, and once with sudo.
AS CUCKOO USER:
$ /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap
Error opening file /var/log/suricata/suricata.log
15/12/2017 -- 13:16:23 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:16:27 - <Error> - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed
AS SUDO:
$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap
15/12/2017 -- 13:18:00 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:18:04 - <Notice> - AFL mode starting
15/12/2017 -- 13:18:04 - <Notice> - all 5 packet processing threads, 0 management threads initialized, engine started.
15/12/2017 -- 13:18:04 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:18:04 - <Notice> - Signal Received. Stopping engine.
Normally, suricata is run as the cuckoo user and is called from the Cuckoo processing module, I believe in cli mode. For obvious reasons I don't want to run cuckoo as a root or sudo user.
Thanks,
Jeff
Updated by Victor Julien about 7 years ago
Couple of things:
"AFL mode starting" is not something I'd expect to see in production anywhere. It's the fuzzing support to work with AFL. Suricata will not function normally when this is built-in.
If you start as a regular user then 'dropping privs' doesn't work. You are already a regular user. Dropping privs is for going from root to a lower priv user.
If you start as sudo, the drop privs makes suri drop privileges after start up. But it's meant for live modes, where we need privs to open a capture device. For pcap handling, just run it as a normal user w/o trying to drop privs.
Updated by Jeff Singleton about 7 years ago
OK I removed the run-as configuration option, and also the RUN_AS_USER option from /etc/default/suricata. This is the results I get now. Not sure how to disable the AFL mode starting...I will check the module, or is that something that needs to be disabled at compile time?
15/12/2017 -- 13:34:31 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:34:35 - <Notice> - AFL mode starting
15/12/2017 -- 13:34:35 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0547
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
Updated by Jeff Singleton about 7 years ago
OK I quickly recompiled and explicitly disabled AFL mode. Now it seems to work outside of Cuckoo...I need to run another analysis to see if it works from within Cuckoo. That will take about 15 minutes and then I will report back.
15/12/2017 -- 13:47:20 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:47:25 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
15/12/2017 -- 13:47:25 - <Notice> - Signal Received. Stopping engine.
15/12/2017 -- 13:47:25 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
Updated by Jeff Singleton about 7 years ago
Well that seems to have done the trick.
- AFL mode = bad.
- Drop privileges not needed.
Thanks for the help!!
Updated by Victor Julien about 7 years ago
- Status changed from New to Closed
Glad you got it working!