Can't ingest pcap

Hello Suricata Community!

I decided to register here because I recently started using Suricata and stumbled upon a problem for which I could not find any reasonable solution.
According to your movie on YouTube (Getting Started with Suricata-Update: Managing rule sets and sources - YouTube) I am trying to ingest betacop.pcap with the “suri-ingest-pcap.sh” script.
I am still getting the following errors:

tests@ubuntu:~/suricata$ sudo ./suri-ingest-pcap.sh betabot.pcap 
19/8/2021 -- 10:58:26 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
19/8/2021 -- 10:58:26 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
19/8/2021 -- 10:58:26 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "eve-log": setup failed
19/8/2021 -- 10:58:26 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//stats.log": Permission denied
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "stats": setup failed
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
19/8/2021 -- 10:58:26 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
19/8/2021 -- 10:58:26 - <Notice> - all 3 packet processing threads, 2 management threads initialized, engine started.
19/8/2021 -- 10:58:26 - <Notice> - Signal Received.  Stopping engine.
19/8/2021 -- 10:58:26 - <Notice> - Pcap-file module read 1 files, 646 packets, 552551 bytes

Permissions in /var/log/suricata:

drwxr-xr-x  5 suricata suricata    4096 Aug 18 15:20 .
drwxrwxr-x 27 root     syslog      4096 Aug 19 08:49 ..
drwxr-xr-x  2 suricata suricata    4096 Jul  1 09:25 certs
drwxr-xr-x  2 suricata suricata    4096 Jul  1 09:25 core
-rw-r-----  1 suricata suricata  421319 Aug 19 11:09 eve.json
-rw-r-----  1 suricata suricata   27293 Aug 19 11:08 fast.log
drwxr-xr-x  2 suricata suricata    4096 Jul  1 09:25 files
-rw-r-----  1 suricata suricata 7992674 Aug 19 11:09 stats.log
-rw-r--r--  1 suricata suricata  100979 Aug 19 10:59 suricata.log
-rw-r--r--  1 suricata suricata    1306 Aug 19 10:58 suricata-start.log

Could anyone tell me what I am doing wrong?
Thank you in advance. Peace.

Hi @h0llym0lly!
Welcome to our forum!
I just looked at the video and the scripts used in it. I believe you used this script before the ingest one that you’ve posted?
It does not seem to be doing anything for the logging directory.
Please let me know if you ran some other script too.

To give you an idea, the user you’re running Suri with must be a part of the group that has permissions, or it should be the owner of the file. I’d also check the paths leading to the file: do the directories leading to the file you want to open have a different group or user? Is your user a part of them?
Lastly, I’d check the read/write permissions on the file for the user or group.

You could start by trying to open the /var/log/.. file from the same directory where you’re running the script, with the same user, in your favorite text editor, and fix things accordingly?

Hi @sbhardwaj

Thank you for a quick response.
I did not use the script, although I have set permissions according to the suricata-update documentation:

https://suricata-update.readthedocs.io/en/latest/quickstart.html#directories-and-permissions

I have tried to run the script as root, but I still get these errors.

Hi @h0llym0lly,

suri-ingest-pcap.sh runs with the capabilities/permissions granted to the user identified from the Linux command logname. I suspect that user is not suricata.

There are at least 2 ways to proceed:

  1. Edit suri-ingest-pcap.sh and remove the --user=$SESSION_USER from the line that launches Suricata.
  2. Or, change the ownership and permission bits of /var/log/suricata to grant access to the user identified from logname.

To confirm the hypothesis, can you paste the output of logname here?

Hi @Jeff_Lucovsky,

  1. I removed --user=$SESSION_USER and indeed I don’t get any errors at the moment, but I don’t get any alerts triggered either.
23/8/2021 -- 09:51:30 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
23/8/2021 -- 09:52:18 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
23/8/2021 -- 09:52:18 - <Notice> - Signal Received.  Stopping engine.
23/8/2021 -- 09:52:18 - <Notice> - Pcap-file module read 1 files, 646 packets, 552551 bytes

Alerts:

I did suricata-update before running the script again.

  2. I changed permissions on /var/log/suricata for my user h0lly (logname) and now I get these errors:
23/8/2021 -- 09:56:30 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
23/8/2021 -- 09:56:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
23/8/2021 -- 09:56:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
23/8/2021 -- 09:56:30 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
23/8/2021 -- 09:56:30 - <Notice> - Signal Received.  Stopping engine.
23/8/2021 -- 09:56:30 - <Notice> - Pcap-file module read 1 files, 646 packets, 552551 bytes

Alerts:

I did suricata-update again before running the script (according to the hints from the YouTube video).

This is because the Suricata configuration file (suricata.yaml) is not locating the rule file. It’s looking in the /var/lib/suricata/rules directory.

Check the location where suricata-update put the rules file – that must match the values in your configuration file. These are settings from my setup – the values will be different in your setup:

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
   - suricata.rules

This example shows that Suricata will try to find a file named suricata.rules in /usr/local/etc/suricata/rules. The actual values in your configuration file must match the values used by suricata-update.
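To make that comparison mechanical, here is a small POSIX shell script. It is an added example, not code from this thread, the video's scripts or the Suricata project: it reads default-rule-path and rule-files from a suricata.yaml, resolves each entry to the full path Suricata will open (absolute entries as-is, relative ones under default-rule-path), and checks whether the path in a suricata-update "Writing rules to ..." line is one of them. The yaml file and the log line inside demo() are constructed for the example; the parser assumes the plain, unquoted layout shown in this thread and GNU/POSIX awk, sed and mktemp.

```shell
#!/bin/sh
# Added example: check that suricata.yaml and suricata-update agree on the rules file.
# Assumes the plain, unquoted layout shown in the thread (no YAML quoting or anchors).

# Print "<OK|MISSING> <full path>" for every entry under rule-files:.
# Relative names are joined to default-rule-path, which is what Suricata does.
resolve_rule_files() {
  cfg=$1
  base=$(awk '$1 == "default-rule-path:" { print $2; exit }' "$cfg")
  awk '$1 == "rule-files:"    { in_list = 1; next }
       in_list && $1 == "-"   { print $2; next }
       in_list && NF > 0      { in_list = 0 }' "$cfg" |
  while read -r f; do
    case $f in
      /*) p=$f ;;            # absolute entry: used as-is
      *)  p="$base/$f" ;;    # relative entry: under default-rule-path
    esac
    if [ -r "$p" ]; then echo "OK $p"; else echo "MISSING $p"; fi
  done
}

# Extract the destination from a suricata-update "Writing rules to <path>: ..." line on stdin.
update_wrote_to() {
  sed -n 's/.*Writing rules to \([^:]*\):.*/\1/p'
}

# Succeed only if the path suricata-update reported (stdin) is one of the
# readable files the given suricata.yaml will load.
update_matches_config() {
  cfg=$1
  wrote=$(update_wrote_to)
  [ -n "$wrote" ] && resolve_rule_files "$cfg" | grep -qxF "OK $wrote"
}

# Self-contained demo on a constructed config: suricata.rules exists, local.rules does not.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/rules"
  : > "$tmp/rules/suricata.rules"
  printf 'default-rule-path: %s/rules\n\nrule-files:\n  - suricata.rules\n  - local.rules\n' \
    "$tmp" > "$tmp/suricata.yaml"
  resolve_rule_files "$tmp/suricata.yaml"
  # constructed suricata-update log line in the format quoted in the thread
  line="23/8/2021 -- 15:50:52 - <Info> -- Writing rules to $tmp/rules/suricata.rules: total: 31050; enabled: 23506"
  if echo "$line" | update_matches_config "$tmp/suricata.yaml"; then
    echo "MATCH: suricata-update wrote to a file suricata.yaml will load"
  else
    echo "MISMATCH: suricata-update wrote somewhere suricata.yaml does not look"
  fi
  rm -rf "$tmp"
}
demo
```

On a real host you would run `resolve_rule_files /etc/suricata/suricata.yaml` and pipe the output of `suricata-update` into `update_matches_config /etc/suricata/suricata.yaml`; a MISSING line for suricata.rules is exactly the situation that produces the SC_ERR_NO_RULES warning, and a MISMATCH means suricata-update and suricata.yaml disagree on the directory.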

How do I check the location where suricata-update put the rules file?
This is grep from my suricata.yaml:

root@ubuntu: grep default-rule-path /etc/suricata/suricata.yaml -A 5
default-rule-path: /var/lib/suricata/rules

rule-files:
        - suricata.rules
        - local.rules

suricata-update will output the location, e.g., 23/8/2021 -- 09:40:16 - <Info> -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 30634; enabled: 23284; added: 2674; removed 287; modified: 3965

So in my case it is:

23/8/2021 -- 15:50:52 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 31050; enabled: 23506; added: 0; removed 0; modified: 0

Exactly as configured in suricata.yaml.

What are the permission bits on /var/lib/suricata/rules?

drwxrwx--- 2 suricata suricata     4096 Aug 23 15:50 .
drwxr-x--- 4 suricata suricata     4096 Aug  6 15:57 ..
-rw-rw-r-- 1 suricata suricata     3228 Aug 23 15:50 classification.config
-rw-rw-r-- 1 suricata suricata      180 Aug 23 11:59 local.rules
-rw-r--r-- 1 suricata suricata 17683569 Aug 23 15:50 suricata.rules

These permission bits permit read/search to the user suricata – if you’re running as a non-root user other than suricata, it will lack access to the directory containing the rules.

What user are you running with … what’s the output of id?
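As an added example that covers this point and Jeff's earlier one about --user=$SESSION_USER (it is not code from the thread, the video's scripts or the Suricata project): a POSIX shell check that computes, from the owner, group and mode bits reported by GNU stat, whether a given user can search every directory on the way to a file and then open it with the requested permission, applied to the two paths from this thread. The user defaults to the one logname reports, as suri-ingest-pcap.sh does; the permission logic is a plain function over stat-style values, so it can be reasoned about (and tested) without being root. The file and directory names in preflight() are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: would the user suri-ingest-pcap.sh passes via --user be able to open
# Suricata's log and rule files? Computed from ownership and mode bits instead of
# attempting the open, so it can run as anyone. Needs GNU stat (-c).

# Pure check: does user u_ (member of the space-separated groups gs_) get permission
# p_ (r, w or x) on an object owned by o_:g_ with octal mode m_?
class_allows() {
  o_=$1 g_=$2 m_=$3 u_=$4 gs_=$5 p_=$6
  case $p_ in r) bit_=4 ;; w) bit_=2 ;; x) bit_=1 ;; *) return 2 ;; esac
  m_=${m_#"${m_%???}"}                  # keep the last three digits (drop setuid/setgid/sticky)
  ud_=${m_%??}; rest_=${m_#?}; gd_=${rest_%?}; od_=${rest_#?}
  if [ "$u_" = "$o_" ]; then d_=$ud_                              # owner class
  elif printf ' %s ' "$gs_" | grep -q " $g_ "; then d_=$gd_       # group class
  else d_=$od_                                                    # other class
  fi
  [ $((d_ & bit_)) -ne 0 ]
}

# Walk from / down to path, requiring search (x) on every directory, then perm
# on the final object. Prints one line; exit 0 = OK, 1 = denied, 2 = cannot stat.
check_access() {
  path=$1 user=$2 perm=$3
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "ERROR unknown user $user"; return 2; }
  ancestors=$(dirname "$path" | awk -F/ '{ p = ""; print "/";
        for (i = 2; i <= NF; i++) if ($i != "") { p = p "/" $i; print p } }')
  for d in $ancestors "$path"; do
    info=$(stat -c '%U %G %a' "$d" 2>/dev/null) || { echo "ERROR cannot stat $d"; return 2; }
    set -- $info                          # owner group mode
    if [ "$d" = "$path" ]; then need=$perm; else need=x; fi
    class_allows "$1" "$2" "$3" "$user" "$groups" "$need" || { echo "DENIED $need $d"; return 1; }
  done
  echo "OK $perm $path"
}

# The two opens from the thread, for the user logname reports (as the script does).
preflight() {
  who=${1:-$(logname 2>/dev/null || id -un)}
  check_access /var/log/suricata/eve.json "$who" w
  check_access /var/lib/suricata/rules/suricata.rules "$who" r
}
if [ -d /var/log/suricata ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh` or `sh preflight.sh h0lly`. Against the listings posted above, eve.json is rw-r----- suricata:suricata, so a user who is neither suricata nor in group suricata gets "DENIED w /var/log/suricata/eve.json", which is the SC_ERR_FOPEN case from the first post; /var/lib/suricata/rules is drwxrwx---, so the same user gets "DENIED x /var/lib/suricata/rules" before the rules file is even considered, which is the situation Jeff describes. Note that sudo changes nothing here if the script then drops to the logname user via --user.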

I am running the script as a sudo user or as root. In both cases it does not work.