Actions
Support #3115
closedProblems with starting Suricata on Windows 2016
Affected Versions:
Label:
Description
OS: Windows 2016 Standard
Suricata Installer: Suricata-4.1.3-1-64bit.msi
npcap Installer: npcap-0.992.exe
Options on npcap install: Automatically start the ZNpcap driver at boot time, Install Npcap in WinPcap API-compatible Mode
NIC Information:
PS C:\Windows\system32> wmic nicconfig get ipaddress,settingid | findstr 192.168.89.130
{"192.168.89.130", "fe80::35d8:9818:557a:c65b"} {1AA575E3-2FD0-4955-981A-9BD156D4F2BC}
Suricata command:
suricata.exe -v -c suricata.yaml -i \\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}
Suricate Log:
15/8/2019 -- 01:26:48 - <Notice> - This is Suricata version 4.1.3 RELEASE
15/8/2019 -- 01:26:48 - <Info> - CPUs/cores online: 2
15/8/2019 -- 01:26:49 - <Info> - Shortening device name to: \\DEV..2BC}
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
15/8/2019 -- 01:26:49 - <Info> - fast output device (regular) initialized: fast.log
15/8/2019 -- 01:26:49 - <Info> - eve-log output device (regular) initialized: eve.json
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
15/8/2019 -- 01:26:49 - <Info> - stats output device (regular) initialized: stats.log
15/8/2019 -- 01:26:49 - <Info> - 38 rule files processed. 14418 rules successfully loaded, 0 rules failed
15/8/2019 -- 01:26:49 - <Info> - Threshold config parsed: 0 rule(s) found
15/8/2019 -- 01:26:49 - <Info> - 14421 signatures processed. 1224 are IP-only rules, 5913 are inspecting packet payload, 9299 inspect application layer, 0 are decoder event only
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 10 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
15/8/2019 -- 01:26:49 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
15/8/2019 -- 01:26:52 - <Info> - Using 1 live device(s).
15/8/2019 -- 01:26:52 - <Info> - using interface \\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}
15/8/2019 -- 01:26:52 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
15/8/2019 -- 01:26:52 - <Info> - Found an MTU of 1500 for '\\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}'
15/8/2019 -- 01:26:52 - <Info> - Set snaplen to 1524 for '\\DEVICE\\NPF_{1AA575E3-2FD0-4955-981A-9BD156D4F2BC}'
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error Error opening adapter: The system cannot find the device specified. (20)
15/8/2019 -- 01:26:52 - <Info> - RunModeIdsPcapAutoFp initialised
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-\\DEV..2B" failed to initialize: flags 0145
15/8/2019 -- 01:26:52 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
I've tried just about every variation I could for formatting the device id (escaping the braces, single backslashes, wrapping in double quotes, etc) for the NIC and I get the simlar results. The same command works fine on a Windows 2012 Standard server, but not on Windows 2016 Standard.
Any advice on how I can get this working?
Files
Actions