
Suricata warning message is output to process.log #1956

Closed
5470u2k opened this issue Feb 9, 2024 · 3 comments

Comments

@5470u2k

5470u2k commented Feb 9, 2024

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [ Y ] I am running the latest version
  • [ Y ] I did read the README!
  • [ Y ] I checked the documentation and found no answer
  • [ Y ] I checked to make sure that this issue has not already been filed
  • [ Y ] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [ Y ] I have read and checked all configs (with all optional parts)

Expected Behavior

When a CAPE analysis is executed, the following message is output to process.log.

  • /opt/CAPEv2/log/process.log
[Task 58] [modules.processing.suricata] WARNING: Failed to connect to socket and send command /tmp/suricata-command.socket: [Errno 104] Connection reset by peer
[Task 66] [modules.processing.suricata] WARNING: Failed to get pcap status breaking out of loop: [Errno 104] Connection reset by peer
[Task 65] [modules.processing.suricata] WARNING: Failed to connect to socket and send command /tmp/suricata-command.socket: [Errno 111] Connection refused

I modified suricata.yaml according to issue #1717 and the Suricata forum.
https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/4

  • suricata.yaml
# Run Suricata with a specific user-id and group-id:
run-as:
  user: root   # changed from cape to root
  group: cape

security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: false   # changed from true to false

By changing suricata.yaml, the above message is no longer displayed, but the following message is now displayed instead.

  • /opt/CAPEv2/log/process.log
[Task 158] [modules.processing.suricata] WARNING: Suricata: Failed to find usable Suricata log file

When I checked /var/log/suricata.log to find out the cause, it appeared that there was no write permission to /opt/CAPEv2/storage/analyses/xxx/logs, and suricata log output was failing. Could you please tell me which part of the source is creating the directory /opt/CAPEv2/storage/analyses/xxx/logs? Also, if you have any other solutions, please let me know.

@doomedraven
Collaborator

hello, i did a fresh CAPE install yesterday with suricata 7.0.1, and it works just fine with both group and user as cape. you can't touch any folder inside of the cape folder, as changing permissions there will break a lot of other things, so it just requires a proper fix for suricata. i would rather see why your suricata can't create the socket file in the temp folder as cape:cape instead of root:cape. Try maybe commenting out run-as as suggested there and just leave user

@doomedraven
Collaborator

also this is changed by us https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L699 so i guess you have some problems with your installation. i just upgraded suricata to 7.0.3 with the same config as in cape2.sh and had 0 problems

i have tested changing cape:cape to root:cape and that gives me the WARNING: Suricata: Failed to find usable Suricata log file. Restoring back to cape:cape, 0 issues

  • check the permissions of your socket; for me it creates it as cape:cape
ls -lah /tmp/suricata-command.socket
0 srw-rw---- 1 cape cape 0 feb  9 11:27 /tmp/suricata-command.socket
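
The socket warnings in the original report and the ownership check in the comment above both come down to the same question: is the command socket (and the per-task log directory) usable by the account CAPE runs Suricata as? The following script is an added diagnostic, not part of CAPEv2 or anything posted in this thread. It assumes the cape:cape account and the /tmp/suricata-command.socket path from the thread; the log directory argument is optional and should be the per-task logs path (the `xxx` in the report is a task id). Run it as the cape user (for example with `sudo -u cape sh ...`) so the writability check reflects that account.

```shell
#!/bin/sh
# Added diagnostic (not CAPEv2 code): check that the Suricata command socket and a
# CAPE analysis log directory are usable by the expected account. The cape:cape
# account is an assumption taken from the thread; override via environment.

EXPECTED_USER="${EXPECTED_USER:-cape}"
EXPECTED_GROUP="${EXPECTED_GROUP:-cape}"

# owner_of PATH: print "user:group" as listed by ls -l (fields 3 and 4)
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# check_owner PATH USER GROUP: succeed only if PATH is owned by USER:GROUP
check_owner() {
    [ "$(owner_of "$1")" = "$2:$3" ]
}

# is_socket PATH: succeed only if PATH exists and is a Unix domain socket
is_socket() {
    [ -S "$1" ]
}

# group_writable PATH: succeed only if the group write bit is set
# (character 6 of the ls -l mode string, e.g. srw-rw----)
group_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | awk '{ print $1 }')
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]
}

# report SOCKET [LOGDIR]: print one line per check; return 1 if any check fails
report() {
    sock=$1
    logdir=${2:-}
    rc=0

    if is_socket "$sock"; then
        echo "ok    $sock is a socket"
    else
        echo "FAIL  $sock is missing or not a socket (is Suricata running?)"
        rc=1
    fi

    if check_owner "$sock" "$EXPECTED_USER" "$EXPECTED_GROUP"; then
        echo "ok    $sock is owned by $EXPECTED_USER:$EXPECTED_GROUP"
    else
        echo "FAIL  $sock is owned by $(owner_of "$sock"); expected $EXPECTED_USER:$EXPECTED_GROUP (check run-as in suricata.yaml)"
        rc=1
    fi

    if group_writable "$sock"; then
        echo "ok    $sock is group-writable"
    else
        echo "FAIL  $sock is not group-writable (a working install shows srw-rw---- cape cape)"
        rc=1
    fi

    if [ -n "$logdir" ]; then
        # -w tests the account running this script, so run it as the cape user
        if [ -d "$logdir" ] && [ -w "$logdir" ]; then
            echo "ok    $logdir is writable by $(id -un)"
        else
            echo "FAIL  $logdir is missing or not writable by $(id -un); Suricata cannot write its logs there"
            rc=1
        fi
    fi
    return "$rc"
}

# Run the report when invoked with a socket path, e.g.
#   sh suricata_perm_check.sh /tmp/suricata-command.socket /opt/CAPEv2/storage/analyses/<task-id>/logs
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-}"
fi
```

A non-zero exit status means at least one check failed; the FAIL lines point at which of the two symptoms in the thread (socket ownership from run-as, or an unwritable per-task logs directory) applies.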

@doomedraven
Collaborator

any update here?
