Support #3115

Problems with starting Suricata on Windows 2016

Added by Thomas Amwoza 2 months ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

OS: Windows 2016 Standard
Suricata Installer: Suricata-4.1.3-1-64bit.msi
npcap Installer: npcap-0.992.exe
Options on npcap install: Automatically start the Npcap driver at boot time, Install Npcap in WinPcap API-compatible Mode

NIC Information:

PS C:\Windows\system32> wmic nicconfig get ipaddress,settingid | findstr 192.168.89.130
{"192.168.89.130", "fe80::35d8:9818:557a:c65b"}  {1AA575E3-2FD0-4955-981A-9BD156D4F2BC} 

Suricata command:

suricata.exe -v -c suricata.yaml -i \\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}

Suricata Log:

15/8/2019 -- 01:26:48 - <Notice> - This is Suricata version 4.1.3 RELEASE
15/8/2019 -- 01:26:48 - <Info> - CPUs/cores online: 2
15/8/2019 -- 01:26:49 - <Info> - Shortening device name to: \\DEV..2BC}
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
15/8/2019 -- 01:26:49 - <Info> - fast output device (regular) initialized: fast.log
15/8/2019 -- 01:26:49 - <Info> - eve-log output device (regular) initialized: eve.json
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
15/8/2019 -- 01:26:49 - <Info> - stats output device (regular) initialized: stats.log
15/8/2019 -- 01:26:49 - <Info> - 38 rule files processed. 14418 rules successfully loaded, 0 rules failed
15/8/2019 -- 01:26:49 - <Info> - Threshold config parsed: 0 rule(s) found
15/8/2019 -- 01:26:49 - <Info> - 14421 signatures processed. 1224 are IP-only rules, 5913 are inspecting packet payload, 9299 inspect application layer, 0 are decoder event only
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 10 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
15/8/2019 -- 01:26:52 - <Info> - Using 1 live device(s).
15/8/2019 -- 01:26:52 - <Info> - using interface \\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}
15/8/2019 -- 01:26:52 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
15/8/2019 -- 01:26:52 - <Info> - Found an MTU of 1500 for '\\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}'
15/8/2019 -- 01:26:52 - <Info> - Set snaplen to 1524 for '\\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}'
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error Error opening adapter: The system cannot find the device specified. (20)
15/8/2019 -- 01:26:52 - <Info> - RunModeIdsPcapAutoFp initialised
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-\\DEV..2B" failed to initialize: flags 0145
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

I've tried just about every variation I could for formatting the device id (escaping the braces, single backslashes, wrapping in double quotes, etc.) for the NIC and I get similar results. The same command works fine on a Windows 2012 Standard server, but not on Windows 2016 Standard.

Any advice on how I can get this working?


Files

Win10.PNG (11.3 KB) Win10.PNG Peter Manev, 09/05/2019 07:38 AM
Win2016DCE.PNG (13 KB) Win2016DCE.PNG Peter Manev, 09/05/2019 07:38 AM
Win2016Std.PNG (13.9 KB) Win2016Std.PNG Peter Manev, 09/05/2019 07:38 AM

History

#1

Updated by Peter Manev 2 months ago

Can you try

suricata.exe -v -c suricata.yaml -i 10.0.2.15

where for example "10.0.2.15" is the IP of the interface instead?

Do you also have the same issue with 4.1.4 ?

#2

Updated by Thomas Amwoza 2 months ago

C:\Program Files\Suricata>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::35d8:9818:557a:c65b%2
   IPv4 Address. . . . . . . . . . . : 192.168.89.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.89.2

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:18ff:3ee9:3f57:a67d
   Link-local IPv6 Address . . . . . : fe80::18ff:3ee9:3f57:a67d%15
   Default Gateway . . . . . . . . . : ::

C:\Program Files\Suricata>wmic nicconfig get ipaddress,settingid | findstr 192.168.89.130
{"192.168.89.130", "fe80::35d8:9818:557a:c65b"}  {1AA575E3-2FD0-4955-981A-9BD156D4F2BC}

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 192.168.89.130
15/8/2019 -- 15:21:27 - <Info> - Running as service: no
15/8/2019 -- 15:21:27 - <Error> - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 192.168.89.130

It just fails straight up when trying to use IP vs Device ID.

Exact same results using 4.1.4 for both IP and Device also.

Also, if I use any version of Npcap newer than 0.992 I get the pcap_dump_fopen error.
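The lookup the ticket does by hand (IP address to adapter GUID via `wmic nicconfig`, then the npcap device name for `-i`) and a reader for the startup log, as an added example; this is not code from the ticket or from the Suricata project. It assumes the `wmic nicconfig get ipaddress,settingid` column layout quoted above, the `\Device\NPF_{GUID}` device name that npcap exposes in WinPcap-compatible mode, and the `<Level> - [ERRCODE: NAME(n)] - message` log format shown in the description. The sample wmic text and log lines are constructed from the ticket; the second adapter GUID is invented.

```python
import re

# Constructed sample of `wmic nicconfig get ipaddress,settingid` output, modelled on
# the line quoted in the ticket. The second adapter (no address) is invented.
WMIC_SAMPLE = (
    'IPAddress                                          SettingID\n'
    '{"192.168.89.130", "fe80::35d8:9818:557a:c65b"}  {1AA575E3-2FD0-4955-981A-9BD156D4F2BC}\n'
    '                                                 {0A1B2C3D-1111-2222-3333-444455556666}\n'
)

# Constructed sample of the tail of the Suricata startup log from the ticket.
LOG_SAMPLE = [
    "15/8/2019 -- 01:26:52 - <Info> - Set snaplen to 1524 for '\\\\DEVICE\\\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}'",
    "15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error Error opening adapter: The system cannot find the device specified. (20)",
    "15/8/2019 -- 01:26:52 - <Info> - RunModeIdsPcapAutoFp initialised",
    "15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread \"RX#01-\\\\DEV..2B\" failed to initialize: flags 0145",
    "15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...",
]

# A SettingID is a braced GUID: 8-4-4-4-12 hex groups.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Addresses in the IPAddress column are double-quoted.
ADDR_RE = re.compile(r'"([^"]+)"')
# Suricata 4.x console log: <ts> - <Level> - [ERRCODE: NAME(num)] - message
LOG_RE = re.compile(
    r"^(?P<ts>.+?) - <(?P<level>\w+)> - "
    r"(?:\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)


def parse_wmic_nicconfig(text):
    """Map each adapter's SettingID GUID to the addresses wmic printed for it."""
    adapters = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        guid = GUID_RE.search(line)
        if guid is None:
            continue
        adapters[guid.group(0)] = ADDR_RE.findall(line)
    return adapters


def npf_device_for_ip(text, ip):
    """Return the npcap device name (backslash Device backslash NPF_{GUID}) owning `ip`, or None."""
    for guid, addrs in parse_wmic_nicconfig(text).items():
        if ip in addrs:
            return "\\Device\\NPF_" + guid
    return None


def parse_log_line(line):
    """Split one Suricata console log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["num"] = int(rec["num"]) if rec["num"] else None
    return rec


def startup_errors(lines):
    """Return [(code, num, msg)] for every <Error> line, in log order."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["level"] == "Error":
            out.append((rec["code"], rec["num"], rec["msg"]))
    return out


def root_cause(lines):
    """The first <Error> is the one to read: in the ticket's log the later
    SC_ERR_THREAD_INIT and SC_ERR_INITIALIZATION lines only report the
    consequences of the pcap handle that could not be activated."""
    errs = startup_errors(lines)
    return errs[0] if errs else None


if __name__ == "__main__":
    dev = npf_device_for_ip(WMIC_SAMPLE, "192.168.89.130")
    print("suricata.exe -v -c suricata.yaml -i " + dev)
    print("root cause:", root_cause(LOG_SAMPLE))
```

Running the block prints the `-i` argument built from the GUID that `wmic` reports for 192.168.89.130 and the first error code from the log, which is the line worth chasing (here the adapter open failure, not the thread or engine initialisation errors that follow it).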

#3

Updated by Peter Manev 2 months ago

When you installed npcap - did you enable/click "winpcap compatibility mode" ?

#4

Updated by Thomas Amwoza 2 months ago

Yes, I selected the following options on Npcap install:

  • Automatically start the Npcap driver at boot time
  • Install Npcap in WinPcap API-compatible Mode

Whatever is causing this seems to be specific to Windows 2016 Standard server for me. Following the same process, with the same program versions, on a Windows 2012 Standard server works perfectly.

#5

Updated by Peter Manev 2 months ago

I have 2016 Datacenter edition and it works ok there btw.
Any chance you could confirm if it is the "edition" that matters in your setup?

#6

Updated by Peter Manev 2 months ago

Forgot to ask - are you running it as "admin" or regular user?

#7

Updated by Thomas Amwoza about 2 months ago

I'm running it as admin, or at least trying to launch it from an admin shell.

#8

Updated by Andreas Herz about 2 months ago

  • Assignee set to Peter Manev
  • Target version set to Support

#9

Updated by Peter Manev about 2 months ago

Ok thanks.
Would you be able to confirm if the issue is the same on any other 2016 edition? As I was mentioning, I don't have that issue on "datacenter" edition, but it may be some other config/setup switch that we can try to narrow down with your help.

#10

Updated by Thomas Amwoza about 2 months ago

I'm still using the Standard edition, but I've had better success using a newer version of the installation ISO.

Previously, I was testing under Windows Server 2016 Standard Version 1607 (OS Build 14393.447)
Now, I am testing under Windows Server 2016 Standard Version 1607 (OS Build 14393.1884)

So far I've been able to successfully install and run Suricata a few times now, after resetting my testing VM to a pre-installation snapshot between each attempt.

The newer build of Windows seems to have resolved the issues I was having starting Suricata and installing the service.

What is the specific version of Windows 2016 that you are running (type winver at command prompt)?

#11

Updated by Peter Manev about 2 months ago

The windows machines I have tested on in my lab are:

OS Name    Microsoft Windows Server 2016 Standard 
Version    10.0.14393 Build 14393

OS Name    Microsoft Windows Server 2016 Datacenter 
Version    10.0.14393 Build 14393

OS Name    Microsoft Windows 10 Enterprise 
Version    10.0.17763 Build 17763

#12

Updated by Thomas Amwoza about 2 months ago

I was hoping to see more detail on your tested build versions for Windows 2016, namely what comes after the 14393 (e.g. 14393.1884).

Regardless, I am working correctly now with npcap 0.992 and Suricata 4.1.3 so I am satisfied there. I'll be using these specific versions in my initial deployment plans.

My next focus will be getting the latest npcap (0.9982) and Suricata (4.1.4) working together. What versions of Windows have you tested as working with this combination?

#13

Updated by Peter Manev about 1 month ago

Sorry for the delay.
These are the exact models/numbers, attached.
I tried 0.9982 and still experiencing this - https://redmine.openinfosecfoundation.org/issues/2968
