Bug #2968 (Closed)
windows: suricata calling pcap_dump_fopen
Description
As reported on the user list, I can confirm on Windows 10 we are getting the error "can not find pcap_dump_open" on Suricata start using the MSI.
I can reproduce it on Windows 10 but not on Windows 2016 Server.
Updated by Thomas Drebert over 5 years ago
- File suricata01.PNG added
- File npcap.PNG added
Here are 2 screenshots.
Updated by Peter Manev over 5 years ago
@Thomas - can you try to confirm the following:
1 - uninstall the Suricata msi
2 - uninstall the current npcap version you have and install this one https://nmap.org/npcap/dist/npcap-0.99-r7.exe
3 - install the Suricata msi again
Should work that way I think - but could you please verify?
Updated by Thomas Drebert over 5 years ago
It looks like it works, but there are a few installation issues. First I had to copy the Npcap files from the Windows "system32" folder to Suricata. Now Suricata starts, but it probably does not work with the standard configuration.
suricata.exe -c suricata.yaml -s signatures.rules -i eth0
Here, some files are not found. But that is another problem.
PS: The files from WOW64 do not work.
Updated by Peter Manev over 5 years ago
Thank you for the feedback, some more questions/points:
If the npcap install is system wide with WinPcap compatibility - it should be reachable and would not need to be in the suricata folder itself.
What files did you need to copy from npcap?
Is this a 64-bit install you have?
Some files are missing - what are those? I am suspecting it could be rules files actually.
Updated by Thomas Drebert over 5 years ago
- File files_copy.PNG added
- File npcap.PNG added
I install npcap by double-clicking the exe file; the only thing I change is switching on raw 802.11.
After Suricata asks for wpcap.dll and next for Packet.dll, I copy all 4 files from the system32/npcap folder.
Suricata is the latest 64-bit msi and npcap is the file from your link.
Here is the output from Suricata.
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i eth0
16/5/2019 -- 19:44:49 - <Info> - Running as service: no
16/5/2019 -- 19:44:49 - <Notice> - This is Suricata version 4.1.3 RELEASE
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\botcc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\ciarmy.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\compromised.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\drop.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\dshield.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-attack_response.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-chat.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-current_events.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-dns.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-dos.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-exploit.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ftp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-imap.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-malware.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-misc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-mobile_malware.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-netbios.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-p2p.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-policy.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-pop3.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-rpc.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-scan.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-smtp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-snmp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-sql.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-telnet.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-tftp.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-trojan.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-user_agents.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-voip.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-web_client.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-web_server.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-worm.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\tor.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
16/5/2019 -- 19:44:49 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
Updated by Thomas Drebert over 5 years ago
Can you change the topic?
It should be called "pcap_dump_fopen".
Updated by Peter Manev over 5 years ago
- Subject changed from windows: pcap_dump_open not found to windows: suricata calling pcap_dump_fopen
Topic changed as requested.
With respect to Suricata asking for wpcap.dll and Packet.dll - when you install npcap you should also select/choose to install it with WinPcap compatibility - that should take care of it. (At least that is the case in my tests.)
From what I see from the output - Suricata is starting normally. It does not find the rules. You can manually download those - for example ET open can be found here - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz (until suricata-update is ready/bundled for Windows) and put them in "\Program files\Suricata\rules".
Updated by Thomas Drebert over 5 years ago
I assume that it is just a wrong detection, but Immunet reports some Clam.Html.Exploit...
Updated by Peter Manev over 5 years ago
It is not uncommon for the exe to trigger some warnings from some AV software out there. I've seen it on a few occasions.
Updated by Andreas Herz over 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Peter Manev
- Target version changed from TBD to 5.0rc1
Updated by Peter Manev over 5 years ago
Currently you need to stay with https://nmap.org/npcap/dist/npcap-0.992.exe to run. The error appears if you use v 993+ of npcap.
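A pre-deployment check for the export problem described in this comment, added here as an example (not code from Suricata or npcap): it walks the export directory of a copy of wpcap.dll in pure Python, so the file can be inspected from any machine without loading the DLL, and reports whether pcap_dump_fopen is exported. The required-symbol list and the example path are assumptions.

```python
import struct
import sys

# pcap_dump_fopen is the export that fails to resolve with npcap 0.993+ per the bug thread;
# pcap_open_live is a standard libpcap entry point. Assumed list, not taken from Suricata's build.
REQUIRED = ("pcap_dump_fopen", "pcap_open_live")


def pe_export_names(data: bytes) -> list:
    """Walk the export directory of a PE32/PE32+ image (given as bytes) and return its names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ header layout
    exp_rva = struct.unpack_from("<I", data, datadir)[0]   # data directory 0 = exports
    if exp_rva == 0:
        return []
    # Section headers (40 bytes each): VirtualAddress@12, SizeOfRawData@16, PointerToRawData@20
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]

    def rva2off(rva: int) -> int:
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    exp = rva2off(exp_rva)
    nnames = struct.unpack_from("<I", data, exp + 24)[0]                # NumberOfNames
    names_off = rva2off(struct.unpack_from("<I", data, exp + 32)[0])    # AddressOfNames
    names = []
    for i in range(nnames):
        off = rva2off(struct.unpack_from("<I", data, names_off + 4 * i)[0])
        names.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return names


def missing_symbols(data: bytes, required=REQUIRED) -> list:
    """Names from `required` that the image does not export; an empty list means compatible."""
    exported = set(pe_export_names(data))
    return [s for s in required if s not in exported]


if __name__ == "__main__":
    # e.g. python check_wpcap.py "C:\Windows\System32\Npcap\wpcap.dll" (path is an assumption)
    with open(sys.argv[1], "rb") as f:
        gone = missing_symbols(f.read())
    print("compatible" if not gone else "missing exports: " + ", ".join(gone))
```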
Updated by Victor Julien over 5 years ago
- Has duplicate Bug #3010: Suricata doesn't start on Windows 10 64 bit added
Updated by Victor Klimov over 5 years ago
Updated by Victor Julien over 5 years ago
- Has duplicate Bug #3024: Suricata doesn't start on Windows 10 64 bit added
Updated by Victor Klimov over 5 years ago
See my comment to the closed Bug #3010
Updated by Victor Julien about 5 years ago
- Target version changed from 5.0rc1 to 70
Needs further investigation.
Updated by Thomas Amwoza over 4 years ago
Any updates regarding this issue? We still can't seem to use any version of npcap that is newer than 0.992 with the latest versions of Suricata. Auditors are starting to flag npcap 0.992 for vulnerabilities, so this is going to be a problem for compliance until a solution can be provided.
Updated by Victor Julien over 4 years ago
- Target version changed from 70 to TBD
Updated by Peter Manev almost 4 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 6.0.0
This is fixed in 6.0.
We use the latest npcap (1.0+) now.