https://redmine.openinfosecfoundation.org/
2017-12-15T10:53:02Z
Open Information Security Foundation
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9182
2017-12-15T10:53:02Z
Victor Julien
victor@inliniac.net
<p>Not much we can say based on the message. Can you try to find the actual suricata error message and exit code?</p>
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9184
2017-12-15T13:20:51Z
Jeff Singleton
<p>Sure... I will run just the command line shown in the message from Cuckoo, once as my cuckoo user, and once with sudo.</p>
<p>AS CUCKOO USER:</p>
<pre><code>$ /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap
Error opening file /var/log/suricata/suricata.log
15/12/2017 -- 13:16:23 - &lt;Notice&gt; - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:16:27 - &lt;Error&gt; - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed
</code></pre>
<p>AS SUDO:</p>
<pre><code>$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap
15/12/2017 -- 13:18:00 - &lt;Notice&gt; - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:18:04 - &lt;Notice&gt; - AFL mode starting
15/12/2017 -- 13:18:04 - &lt;Notice&gt; - all 5 packet processing threads, 0 management threads initialized, engine started.
15/12/2017 -- 13:18:04 - &lt;Notice&gt; - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:18:04 - &lt;Notice&gt; - Signal Received. Stopping engine.
</code></pre>
<p>Normally, suricata is run as the cuckoo user and is called from the Cuckoo processing module, I believe in cli mode. For obvious reasons I don't want to run cuckoo as a root or sudo user.</p>
<p>Thanks,<br />Jeff</p>
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9185
2017-12-15T13:28:16Z
Victor Julien
victor@inliniac.net
<p>Couple of things:</p>
<p>"AFL mode starting" is not something I'd expect to see in production anywhere. It's the fuzzing support to work with AFL. Suricata will not function normally when this is built-in.</p>
<p>If you start as a regular user then 'dropping privs' doesn't work. You are already a regular user. Dropping privs is for going from root to a lower priv user.</p>
<p>If you start as sudo, the drop privs makes suri drop privileges after start up. But it's meant for live modes, where we need privs to open a capture device. For pcap handling, just run it as a normal user w/o trying to drop privs.</p>
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9186
2017-12-15T13:38:36Z
Jeff Singleton
<p>OK, I removed the run-as configuration option, and also the RUN_AS_USER option from /etc/default/suricata. These are the results I get now. Not sure how to disable the AFL mode starting... I will check the module, or is that something that needs to be disabled at compile time?</p>
<pre><code>15/12/2017 -- 13:34:31 - &lt;Notice&gt; - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:34:35 - &lt;Notice&gt; - AFL mode starting
15/12/2017 -- 13:34:35 - &lt;Notice&gt; - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:34:35 - &lt;Error&gt; - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0547
15/12/2017 -- 13:34:35 - &lt;Error&gt; - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
</code></pre>
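<p>The log lines posted in this thread, parsed and tagged the way Victor's reply reads them (AFL build, privilege drop attempted while already unprivileged, engine init failure), as an added example that is not part of this issue or of the Suricata or Cuckoo code bases. It assumes the Suricata 4.0.x log line layout shown above; the tag names and the sample text constant are my own, the log text being copied from the first run in this thread.</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# One suricata.log line in the layout Suricata 4.0.3 prints in this thread:
#   15/12/2017 -- 13:16:27 - <Error> - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id ...
LINE_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
                     r"<(?P<level>\w+)> - (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a log line into date/time/level/msg and, for ERRCODE lines, errcode/errnum."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. the bare "Error opening file ..." line is not in log format
    rec = m.groupdict()
    e = ERRCODE_RE.match(rec["msg"])
    if e:
        rec["errcode"], rec["errnum"], rec["msg"] = e.group("name"), e.group("num"), e.group("text")
    return rec

def errors(log_text: str) -> List[Tuple[str, int, str]]:
    """The actual error codes and messages, which is what the first reply asked for."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "Error" and "errcode" in rec:
            out.append((rec["errcode"], int(rec["errnum"]), rec["msg"]))
    return out

def diagnose(log_text: str) -> List[str]:
    """Tag a pcap run with the conditions discussed in the thread (tag names are mine)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    codes = {code for code, _, _ in errors(log_text)}
    tags = []
    if any("AFL mode starting" in r["msg"] for r in recs):
        tags.append("afl-build")             # fuzzing build, not a normal engine
    if "SC_ERR_CHANGING_CAPS_FAILED" in codes:
        tags.append("privdrop-as-non-root")  # run-as set, but already unprivileged
    if codes & {"SC_ERR_THREAD_INIT", "SC_ERR_INITIALIZATION"}:
        tags.append("engine-init-failed")
    started = any("engine started" in r["msg"] for r in recs)
    if started and not codes and "afl-build" not in tags:
        tags.append("clean-run")             # what the final, fixed run looks like
    return tags

# Sample text copied from the thread's first run (started as the cuckoo user).
AS_CUCKOO_USER = """Error opening file /var/log/suricata/suricata.log
15/12/2017 -- 13:16:23 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:16:27 - <Error> - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed"""

if __name__ == "__main__":
    print(diagnose(AS_CUCKOO_USER), errors(AS_CUCKOO_USER))
```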
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9187
2017-12-15T13:49:35Z
Jeff Singleton
<p>OK, I quickly recompiled and explicitly disabled AFL mode. Now it seems to work outside of Cuckoo... I need to run another analysis to see if it works from within Cuckoo. That will take about 15 minutes and then I will report back.</p>
<pre><code>15/12/2017 -- 13:47:20 - &lt;Notice&gt; - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:47:25 - &lt;Notice&gt; - all 5 packet processing threads, 4 management threads initialized, engine started.
15/12/2017 -- 13:47:25 - &lt;Notice&gt; - Signal Received. Stopping engine.
15/12/2017 -- 13:47:25 - &lt;Notice&gt; - Pcap-file module read 352 packets, 34710 bytes
</code></pre>
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9188
2017-12-15T14:13:49Z
Jeff Singleton
<p>Well, that seems to have done the trick.</p>
<ul>
<li>AFL mode = bad.</li>
<li>Drop privileges not needed.</li>
</ul>
<p>Thanks for the help!!</p>
Suricata - Support #2366: Suricata returned an error processing this pcap
https://redmine.openinfosecfoundation.org/issues/2366?journal_id=9189
2017-12-15T17:09:25Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Glad you got it working!</p>