Suricata.service crashes when processing PCAP from samples. #1717
Comments
Hello, thanks for the detailed info. It looks like there is some Suricata problem that is not related to CAPE; I would suggest starting by googling this error:
Hi @doomedraven, thanks for your swift response. Yes, I believe it is related to Suricata as well. I have been googling for a while on this issue and found that it is related to resource limitation or availability for Suricata to create threads or access threads. Resource limitation could not be an issue here.
If I run Suricata as root, it executes the command. However, when it runs as the cape user, it doesn't.
[image: Picture1] <https://user-images.githubusercontent.com/5830788/263508025-07584e93-2a6e-4eb3-b84e-2dcd4f4e4f54.png>
User permission shouldn't be the issue here since this is a fresh copy of Suricata installed from ./cape.sh and running as the cape user (user and group). I have also tried reinstalling CAPE on Ubuntu 20.04 and 22.04.1 with this commit; it failed as well.
Suricata is installed from apt, so it is not a custom Suricata. Maybe your system is low on resources? I don't know, this is the first time I see this issue.
|
I guess 48GB RAM + i9 is sufficient for Suricata. I will test out more fixes and post here if any are working. Thanks.
Yes, more than enough. Maybe there is some new limitation, I don't know; let us know what you find.
|
So I have tried the following, but with no luck:
Update: I have posted the issue and found the solution here: https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/3
Thank you, interesting; run-as was there for years working fine.
OK, it is not run-as, as we run Suricata as root, so run-as should be more than fine.
I did both solutions and tested things out; limit-noproc is more likely to be the issue.
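The failure behind this thread (pthread_create() returning 11, i.e. EAGAIN, only when Suricata is not root) can be reproduced without Suricata. The script below is an added example, not CAPEv2 or Suricata code. It assumes that security.limit-noproc does what the comment in the stock suricata.yaml describes, a setrlimit(RLIMIT_NPROC, 0) call, and performs the same call in a throwaway child before asking the kernel for a new task, once via fork() and once via a Python thread (pthread_create() underneath). The function and constant names are the example's own; Linux only.

```python
"""Reproduce the condition behind Suricata's "Unable to create thread with
pthread_create() is 11" when the process runs as an unprivileged user.

Added example (not CAPEv2 or Suricata code). Assumption: Suricata's
`security.limit-noproc: true` is equivalent to setrlimit(RLIMIT_NPROC, {0, 0}).
"""
import os
import resource
import threading

EAGAIN = 11  # the "is 11" in the Suricata log line: errno EAGAIN


def _probe_task_creation() -> int:
    """Runs in a throwaway child so the parent keeps its own limits.

    The exit status encodes the outcome: fork() errno (0 or EAGAIN) plus
    100 if a thread could not be started either.
    """
    # Same effect as limit-noproc (assumption stated above). Lowering
    # RLIMIT_NPROC is always permitted; raising it back is not.
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))

    fork_errno = 0
    try:
        pid = os.fork()
    except OSError as exc:          # BlockingIOError, errno 11, for non-root
        fork_errno = exc.errno
    else:
        if pid == 0:
            os._exit(0)             # grandchild: nothing to do
        os.waitpid(pid, 0)

    thread_failed = 0
    try:
        t = threading.Thread(target=lambda: None)
        t.start()                   # pthread_create() under the hood
        t.join()
    except RuntimeError:            # CPython: "can't start new thread"
        thread_failed = 100
    return fork_errno + thread_failed


def task_creation_under_noproc_limit() -> dict:
    """Fork a sacrificial child before touching any limit, let it lower
    RLIMIT_NPROC to 0 and probe task creation, then decode its report."""
    pid = os.fork()
    if pid == 0:
        status = 1
        try:
            status = _probe_task_creation()
        finally:
            os._exit(status)
    _, wait_status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(wait_status)
    return {
        "euid": os.geteuid(),
        "fork_errno": code % 100,
        "thread_failed": code >= 100,
    }


if __name__ == "__main__":
    r = task_creation_under_noproc_limit()
    who = "root" if r["euid"] == 0 else f"uid {r['euid']}"
    print(f"running as {who}: fork errno={r['fork_errno']} thread_failed={r['thread_failed']}")
    if r["fork_errno"] == EAGAIN:
        print("-> the 'pthread_create() is 11' failure; root (CAP_SYS_RESOURCE) is exempt from RLIMIT_NPROC")
```

Run it twice, once as an unprivileged user and once as root. The unprivileged run reports errno 11 for both the fork and the thread, because RLIMIT_NPROC counts threads as tasks; root holding CAP_SYS_RESOURCE is exempt from that check, which is why the same Suricata binary works under a unit that runs it as root and fails under a cape service account. Switching limit-noproc off restores thread creation without giving up the unprivileged user.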
Yes, I'm going to add that to the configuration. Thanks for posting the solution.
Sure thing, thanks. The issue with Suricata has been solved, but I still cannot get the report generated. No error etc. from the processor.
BTW, I just spotted a problem in how you run Suricata in CAPE: you should use this https://github.com/kevoreilly/CAPEv2/blob/master/systemd/suricata.service; as you can see, it runs as root and under systemd. Do you get failed_analysis or something like that? Did you try processing in debug mode?
Sure thing, will use that. Most of the setups I did were out-of-the-box with some essential config (i.e. kvm.conf, cuckoo.conf) to get it running before further tweaks were done. "Do you get failed_analysis or something like that? Did you try processing in debug mode?" -d
So with no report generation, can you describe a bit more what you expect? No data in the web GUI? Mongo enabled? Is the data in the folder
So what happened with the report generation was weird. After the analysis, the status field was updated to "reported". However, when clicked, it says
So I checked with
I investigated the analysis.log and
I
OK yes, this is typically because it can't insert data into Mongo. Did you enable Mongo in conf/reporting.conf? Also, is Mongo up?
You are right, so it turns out that my MongoDB was installed but rather broken (probably after poking left and right for the previous issue with services and permissions). I re-installed it and refreshed the reporting.conf; it works now. BIG thanks for the help! @doomedraven
You are welcome, let me know if you have any other issue.
BTW, instead of pafish, use al-khaser; it is way better ;)
Will look into that. I got Pafish pulled out from my old notes from the Cuckoo era, so I was using it for testing the initial setup.
Expected Behavior
After fresh deployment with CAPEv2, I expect the PCAP files to be processed without errors.
Current Behavior
When attempting to process the sample report after analysis, the UI fails, as shown in the image below:
A manual processing attempt of the report (utils/process.py) fails as well:
First Run:
Second Run:
Failure Information (for bugs)
Further investigation discovered that when a PCAP was submitted to Suricata by CAPE, the Suricata service crashed (with the result 'exit-code'), making the socket inaccessible to the cape-processor.
/var/log/suricata/suricata.log has recorded the error "Unable to create thread with pthread_create() is 11".
[modules.processing.suricata] would return either error 104 (Connection reset by peer) or error 111 (Connection refused).
Suricata was installed from cape.sh and is running as the cape user and cape group.
/etc/suricata/suricata.yaml
ps aux | grep suricata
ls -la /etc/suricata
Failure Logs
journalctl -e -u cape-processor
journalctl -e -u suricata.service
cat /var/log/suricata/suricata.log
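The combination reported in this issue (Suricata running as an unprivileged account while the stock security.limit-noproc stays on) can be checked from the two inputs listed above, suricata.yaml and the service account, before restarting anything. The audit below is an added example, not CAPEv2 or Suricata code: it reads only the top-level run-as: and security: mappings of suricata.yaml (so it needs no YAML library), takes the unit's User= as an argument, and flags a non-root effective user together with limit-noproc: true. The three sample configs are constructed for the example and the function names are its own.

```python
"""Audit suricata.yaml plus the service account for the combination behind
"Unable to create thread with pthread_create() is 11".

Added example, not CAPEv2 or Suricata code. Parses only the two-level
mappings it needs (run-as:, security:); the sample configs are constructed.
"""
from typing import Dict, List

# Constructed: unprivileged service account, stock limit-noproc left on.
BROKEN_YAML = """\
%YAML 1.1
---
run-as:
  user: cape
  group: cape

security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: true
"""

# Constructed: same account, process-creation limit switched off.
FIXED_YAML = BROKEN_YAML.replace("limit-noproc: true", "limit-noproc: false")

# Constructed: no run-as, so the account is whatever the unit starts Suricata as.
NO_RUNAS_YAML = "security:\n  limit-noproc: true\n"


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """{top_level_key: {child_key: value}} for two-level mappings.

    Comments, %YAML directives and '---' are skipped; deeper nesting and
    sequences are ignored on purpose, this is not a general YAML parser.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith(("%", "---")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current = key
            sections.setdefault(current, {})
        elif current is not None and indent == 2:
            sections[current][key] = value.strip()
    return sections


def effective_user(text: str, service_user: str = "root") -> str:
    """run-as.user wins; otherwise Suricata keeps the account systemd
    started it as (User= in the unit, root when absent)."""
    return parse_sections(text).get("run-as", {}).get("user") or service_user


def audit_noproc(text: str, service_user: str = "root") -> List[str]:
    """One finding when RLIMIT_NPROC=0 will be enforced on the worker
    threads, i.e. limit-noproc is on and the process is not root."""
    findings: List[str] = []
    noproc = parse_sections(text).get("security", {}).get("limit-noproc", "")
    user = effective_user(text, service_user)
    if noproc.lower() in ("true", "yes", "on") and user != "root":
        findings.append(
            f"security.limit-noproc is true and Suricata runs as '{user}': "
            "RLIMIT_NPROC=0 is enforced for non-root, so pthread_create() fails "
            "with EAGAIN (11). Set security.limit-noproc: false rather than "
            "moving the service to root."
        )
    return findings


if __name__ == "__main__":
    for name, cfg, svc in (("run-as cape", BROKEN_YAML, "root"),
                           ("run-as cape, fixed", FIXED_YAML, "root"),
                           ("cape.sh style, User=cape", NO_RUNAS_YAML, "cape")):
        print(f"{name}: {audit_noproc(cfg, svc) or ['ok']}")
```

The third sample models the cape.sh deployment from this issue: no run-as, but the unit starts Suricata as cape, so the limit applies just as it does with run-as. With root as the service account and no run-as the audit stays quiet, which matches the CAPEv2 systemd unit linked in the thread, but the preferred fix is to keep the unprivileged account and turn limit-noproc off.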