Bug #2968

closed

windows: suricata calling pcap_dump_fopen

Added by Peter Manev over 5 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

As reported on the user list, I can confirm that on Windows 10 we are getting the error "can not find pcap_dump_open" on Suricata start using the MSI.
I can reproduce it on Windows 10 but not on Windows Server 2016.


Files

npcap.PNG (6.09 KB) npcap.PNG Thomas Drebert, 05/08/2019 07:10 AM
suricata01.PNG (19.7 KB) suricata01.PNG Thomas Drebert, 05/08/2019 07:10 AM
npcap.PNG (6.09 KB) npcap.PNG Thomas Drebert, 05/16/2019 05:49 PM
files_copy.PNG (59.4 KB) files_copy.PNG Thomas Drebert, 05/16/2019 05:49 PM

Related issues 2 (0 open, 2 closed)

Has duplicate Suricata - Bug #3010: Suricata doesn't start on Windows 10 64 bit (Closed)
Has duplicate Suricata - Bug #3024: Suricata doesn't start on Windows 10 64 bit (Closed)

Updated by Thomas Drebert over 5 years ago

Here are 2 screenshots.

Actions #2

Updated by Peter Manev over 5 years ago

@Thomas - can you try to confirm the following:
1 - uninstall the Suricata MSI
2 - uninstall the current npcap version you have and install this one https://nmap.org/npcap/dist/npcap-0.99-r7.exe
3 - install the Suricata MSI again

It should work that way I think - but could you please verify?

Actions #3

Updated by Thomas Drebert over 5 years ago

It looks like it works, but there are a few installation issues. First I had to copy the Npcap files from the Windows "system32" folder to Suricata. Now Suricata starts, but probably does not work with the standard configuration.
suricata.exe -c suricata.yaml -s signatures.rules -i eth0
Here some files are not found. But that is another problem.
PS: The files from WOW64 do not work.

Actions #4

Updated by Peter Manev over 5 years ago

Thank you for the feedback, some more questions/points:
If the npcap install is system-wide with WinPcap compatibility, it should be reachable and would not need to be in the Suricata folder itself.
What files did you need to copy from npcap?

Is this a 64 bit install you have ?

Some files are missing - what are those? I am suspecting it could be rules files actually.

Updated by Thomas Drebert over 5 years ago

I install npcap by double-clicking on the exe file; the only thing I change is switching on raw 802.11.
After Suricata asks for wpcap.dll and next for Packet.dll, I copy all 4 files from the system32/npcap folder.
Suricata is the latest 64-bit MSI and npcap is the file from your link.
Here is the output from Suricata.

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i eth0
16/5/2019 -- 19:44:49 - <Info> - Running as service: no
16/5/2019 -- 19:44:49 - <Notice> - This is Suricata version 4.1.3 RELEASE
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\botcc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\ciarmy.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\compromised.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\drop.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\dshield.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-attack_response.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-chat.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-current_events.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-dns.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-dos.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-exploit.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ftp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-imap.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-malware.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-misc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-mobile_malware.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-netbios.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-p2p.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-policy.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-pop3.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-rpc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-scan.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-smtp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-snmp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-sql.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-telnet.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-tftp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-trojan.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-user_agents.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-voip.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-web_client.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-web_server.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-worm.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\tor.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory

Actions #6

Updated by Thomas Drebert over 5 years ago

Can you change the topic?
It should be called "pcap_dump_fopen".
---

Actions #7

Updated by Peter Manev over 5 years ago

  • Subject changed from windows: pcap_dump_open not found to windows: suricata calling pcap_dump_fopen

Topic changed as requested.

With respect to Suricata asking for wpcap.dll and Packet.dll - when you install npcap you should also select/choose to install it with WinPcap compatibility - that should take care of it. (At least that is the case in my tests.)

From what I see from the output, Suricata is starting normally. It does not find the rules. You can manually download those - for example ET open can be found here - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz (until suricata-update is ready/bundled for Windows) and put them in "\Program files\Suricata\rules".
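The checks the thread converges on (which Npcap build is installed, whether the WinPcap-compatible DLL copies that a 64-bit Suricata loads exist in System32 rather than being hand-copied, and which rule files named in suricata.yaml are absent) can be scripted. The script below is an added example for this page; it is not part of Suricata or of the bug report. It assumes the default MSI install path C:\Program Files\Suricata and the default Npcap directory under System32\Npcap, and its "does this wpcap.dll still carry the pcap_dump_fopen export name" test is a byte-string heuristic (export names are stored as NUL-terminated ASCII inside the DLL), not a PE export-table parse.

```powershell
# Added diagnostic, not part of Suricata or of this bug report.
# Checks, on a 64-bit Windows host:
#   1. which wpcap.dll/Packet.dll Npcap installed, and whether that build still
#      carries the pcap_dump_fopen export name that Suricata 4.1.x resolves;
#   2. whether the WinPcap API-compatible copies exist in System32 (the ones a
#      64-bit Suricata loads; the SysWOW64 copies are 32-bit and will not work);
#   3. which rule files listed in suricata.yaml are missing from the rules dir.
# Assumptions: default MSI and Npcap paths below; the export scan is a
# byte-string heuristic, not a real PE export-table parse.

$SuricataDir = 'C:\Program Files\Suricata'
$NpcapDir    = Join-Path $env:SystemRoot 'System32\Npcap'
$System32    = Join-Path $env:SystemRoot 'System32'

function Test-AsciiString {
    param([string]$Path, [string]$Needle)
    # Latin-1 maps every byte to exactly one char, so a plain string search
    # over the decoded bytes finds the NUL-terminated export name if present.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    return $text.Contains($Needle + [char]0)
}

function Get-DllReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Version = $null; HasDumpFopen = $null }
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path         = $Path
        Present      = $true
        Version      = $info.FileVersion
        HasDumpFopen = Test-AsciiString -Path $Path -Needle 'pcap_dump_fopen'
    }
}

function Get-MissingRuleFiles {
    param([string]$YamlPath, [string]$RulesDir)
    # Minimal scan of the top-level 'rule-files:' list; good enough for the
    # stock yaml, not a YAML parser. Commented-out entries ('#- x.rules') skip.
    $inList  = $false
    $missing = @()
    foreach ($line in Get-Content -LiteralPath $YamlPath) {
        if ($line -match '^rule-files:\s*$') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^[^\s#-]') { break }          # next top-level key
        if ($line -match '^\s*-\s+(\S+)') {
            $name = $Matches[1]
            if (-not (Test-Path -LiteralPath (Join-Path $RulesDir $name))) { $missing += $name }
        }
    }
    return $missing
}

Write-Output '== Npcap install directory =='
foreach ($dll in 'wpcap.dll', 'Packet.dll') { Get-DllReport (Join-Path $NpcapDir $dll) | Format-List }

Write-Output '== WinPcap API-compatible copies in System32 (what a 64-bit Suricata loads) =='
foreach ($dll in 'wpcap.dll', 'Packet.dll') {
    $r = Get-DllReport (Join-Path $System32 $dll)
    $r | Format-List
    if (-not $r.Present) {
        Write-Warning "$dll not in System32: reinstall Npcap with WinPcap API-compatible mode selected instead of copying DLLs by hand"
    } elseif ($r.HasDumpFopen -eq $false) {
        Write-Warning "$dll does not carry the pcap_dump_fopen export name; a Suricata 4.1.x build that calls it will fail at start"
    }
}

Write-Output '== Rule files referenced by suricata.yaml but absent from rules\ =='
$yaml = Join-Path $SuricataDir 'suricata.yaml'
if (Test-Path -LiteralPath $yaml) {
    Get-MissingRuleFiles -YamlPath $yaml -RulesDir (Join-Path $SuricataDir 'rules')
} else {
    Write-Warning "$yaml not found"
}
```

Run it from an elevated PowerShell on the sensor host. A missing System32 copy points at the installer option rather than at Suricata; a present copy without the export name points at the Npcap build, which is the situation the later comments describe (stay on 0.992 for Suricata 4.1.x, or move to a Suricata release built against a current Npcap).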

Actions #8

Updated by Thomas Drebert over 5 years ago

I assume that it is just a wrong detection, but Immunet reports some Clam.Html.Exploit...

Actions #9

Updated by Peter Manev over 5 years ago

It is not uncommon for the exe to trigger some warnings from some AV software out there. I've seen it on a few occasions.

Actions #10

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #11

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Peter Manev
  • Target version changed from TBD to 5.0rc1
Actions #12

Updated by Peter Manev over 5 years ago

Currently you need to stay with https://nmap.org/npcap/dist/npcap-0.992.exe to run. The error appears if you use v0.993+ of npcap.

Actions #13

Updated by Victor Julien over 5 years ago

  • Has duplicate Bug #3010: Suricata doesn't start on Windows 10 64 bit added
Actions #14

Updated by Victor Klimov over 5 years ago

Should Bug #3010 or Bug #3024 be reopened? Or both? Doesn't start with 992 either...

Actions #15

Updated by Victor Julien over 5 years ago

  • Has duplicate Bug #3024: Suricata doesn't start on Windows 10 64 bit added
Actions #16

Updated by Victor Klimov over 5 years ago

See my comment to the closed Bug #3010

Actions #17

Updated by Victor Julien about 5 years ago

  • Target version changed from 5.0rc1 to 70

Needs further investigation.

Actions #18

Updated by Thomas Amwoza over 4 years ago

Any updates regarding this issue? We still can't seem to use any version of npcap that is newer than 0.992 with the latest versions of Suricata. Auditors are starting to flag npcap 0.992 for vulnerabilities, so this is going to be a problem for compliance until a solution can be provided.

Actions #19

Updated by Victor Julien about 4 years ago

  • Target version changed from 70 to TBD
Actions #20

Updated by Peter Manev almost 4 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 6.0.0

This is fixed in 6.0.
We use the latest npcap (1.0+) now.
