Project

General

Profile

Actions

Support #2366

closed

Suricata returned an error processing this pcap

Added by Jeff Singleton almost 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Does anyone here use Suricata with Cuckoo Sandbox?

Has anyone encountered the below Warning from Suricata before?

2017-12-15 10:43:22,201 [cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Suricata returned an error processing this pcap: Command '['/usr/bin/suricata', '-c', '/etc/suricata/suricata.yaml', '-k', 'none', '-l', '/home/cuckoo/.cuckoo/storage/analyses/2/suricata', '-r', '/home/cuckoo/.cuckoo/storage/analyses/2/dump.pcap']' returned non-zero exit status 1
Actions #1

Updated by Victor Julien almost 7 years ago

Not much we can say based on the message. Can you try to find the actual suricata error message and exit code?

Actions #2

Updated by Jeff Singleton almost 7 years ago

Sure...I will run just the command line shown in the message from Cuckoo, once as my cuckoo user, and once with sudo.

AS CUCKOO USER:

$ /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap

Error opening file /var/log/suricata/suricata.log
15/12/2017 -- 13:16:23 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:16:27 - <Error> - [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed

AS SUDO:

$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -k none -l /home/cuckoo/.cuckoo/storage/analyses/1/suricata -r /home/cuckoo/.cuckoo/storage/analyses/1/dump.pcap

15/12/2017 -- 13:18:00 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:18:04 - <Notice> - AFL mode starting
15/12/2017 -- 13:18:04 - <Notice> - all 5 packet processing threads, 0 management threads initialized, engine started.
15/12/2017 -- 13:18:04 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:18:04 - <Notice> - Signal Received.  Stopping engine.

Normally, suricata is run as the cuckoo user and is called from the Cuckoo processing module, I believe in cli mode. For obvious reasons I don't want to run cuckoo as a root or sudo user.

Thanks,
Jeff

Actions #3

Updated by Victor Julien almost 7 years ago

Couple of things:

"AFL mode starting" is not something I'd expect to see in production anywhere. It's the fuzzing support to work with AFL. Suricata will not function normally when this is built-in.

If you start as a regular user then 'dropping privs' doesn't work. You are already a regular user. Dropping privs is for going from root to a lower priv user.

If you start as sudo, the drop privs makes suri drop privileges after start up. But it's meant for live modes, where we need privs to open a capture device. For pcap handling, just run it as a normal user w/o trying to drop privs.

Actions #4

Updated by Jeff Singleton almost 7 years ago

OK I removed the run-as configuration option, and also the RUN_AS_USER option from /etc/default/suricata. This is the results I get now. Not sure how to disable the AFL mode starting...I will check the module, or is that something that needs to be disabled at compile time?

15/12/2017 -- 13:34:31 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:34:35 - <Notice> - AFL mode starting
15/12/2017 -- 13:34:35 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0547
15/12/2017 -- 13:34:35 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
Actions #5

Updated by Jeff Singleton almost 7 years ago

OK I quickly recompiled and explicitly disabled AFL mode. Now it seems to work outside of Cuckoo...I need to run another analysis to see if it works from within Cuckoo. That will take about 15 minutes and then I will report back.

15/12/2017 -- 13:47:20 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/12/2017 -- 13:47:25 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
15/12/2017 -- 13:47:25 - <Notice> - Signal Received.  Stopping engine.
15/12/2017 -- 13:47:25 - <Notice> - Pcap-file module read 352 packets, 34710 bytes
Actions #6

Updated by Jeff Singleton almost 7 years ago

Well that seems to have done the trick.

  • AFL mode = bad.
  • Drop privileges not needed.

Thanks for the help!!

Actions #7

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed

Glad you got it working!

Actions

Also available in: Atom PDF