Default Configuration error - stalls

I apologize for the gap of time to my response of my last point (won’t happen again) so I’m reposting.
Hello,
I’m new to Suricata and fairly new to Linux. I run Suricata with the default configuration and it stalls with errors. I’ve verified the rules are in the correct place.
I’d appreciate the help. Thank you.

8/10/2022 -- 12:50:39 - <Info> - Running as service: no
Suricata 6.0.6
USAGE: suricata.exe [OPTIONS] [BPF FILTER]

    -c <path>                            : path to configuration file
    -T                                   : test configuration file (use with -c)
    -i <dev or ip>                       : run in pcap live mode
    -F <bpf filter file>                 : bpf filter file
    -r <path>                            : run in pcap file/offline mode
    -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
    -S <path>                            : path to signature file loaded exclusively (optional)
    -l <dir>                             : default log directory
    --service-install                    : install as service
    --service-remove                     : remove service
    --service-change-params              : change service startup parameters
    -k [all|none]                        : force checksum check (all) or disabled it (none)
    -V                                   : display Suricata version
    -v                                   : be more verbose (use multiple times to increase verbosity)
    --list-app-layer-protos              : list supported app layer protocols
    --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
    --list-runmodes                      : list supported runmodes
    --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                           supplied should be the id for the runmode obtained by running
                                           --list-runmodes
    --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                           Please have a look at the conf parameter engine-analysis on what reports
                                           can be printed
    --pidfile <file>                     : write pid to this file
    --init-errors-fatal                  : enable fatal failure on signature init error
    --disable-detection                  : disable detection engine
    --dump-config                        : show the running configuration
    --dump-features                      : display provided features
    --build-info                         : display build information
    --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
    --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
    --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
    --pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
    --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
    --simulate-ips                       : force engine into IPS mode. Useful for QA
    --erf-in <path>                      : process an ERF file
    --set name=value                     : set a configuration value

To run the engine with default configuration on interface eth0 with signature file “signatures.rules”, run the command as:

suricata.exe -c suricata.yaml -s signatures.rules -i eth0


C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i eth0
8/10/2022 -- 12:56:10 - <Info> - Running as service: no
Error opening file C:\\Program Files\\Suricata\\log/suricata.log
8/10/2022 -- 12:56:10 - <Notice> - This is Suricata version 6.0.6 RELEASE running in SYSTEM mode
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i 10.252.0.97
8/10/2022 -- 12:58:46 - <Info> - Running as service: no
8/10/2022 -- 12:58:46 - <Error> - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 10.252.0.97

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i 192.168.0.3
8/10/2022 -- 12:59:10 - <Info> - Running as service: no
8/10/2022 -- 12:59:10 - <Info> - translated 192.168.0.3 to pcap device \Device\NPF_{887DE346-4E47-47D9-8D69-6D416D7A7B15}
Error opening file C:\\Program Files\\Suricata\\log/suricata.log
8/10/2022 -- 12:59:10 - <Notice> - This is Suricata version 6.0.6 RELEASE running in SYSTEM mode
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/fast.log": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/eve.json": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "eve-log": setup failed
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/stats.log": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "stats": setup failed
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-adware_pup.rules: No such file or directory.
8/10/2022 -- 12:59:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-coinminer.rules: No such file or directory.
8/10/2022 -- 12:59:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ja3.rules: No such file or directory.
8/10/2022 -- 12:59:12 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-phishing.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
8/10/2022 -- 12:59:13 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.slightpulseM2' is checked but not set. Checked in 2032912 and 0 other sigs
8/10/2022 -- 12:59:15 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{887DE346-4E47-47D9-8D69-6D416D7A7B15}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 1 Tx: 1 LSOv1 IPv4: 0 LSOv2 IPv4: 1 IPv6: 1
8/10/2022 -- 12:59:15 - <Notice> - all 5 packet processing threads, 2 management threads initialized, engine started.

Please ignore the date. I still receive the same error.

Hi,

The Suricata configuration file determines the locations where the log directory is created as well as where the rule file(s) are located.

The default log directory location is “the current directory”. You can modify the configuration file and change the value of default-log-dir to a directory that you have write access to, or specify it on the command line with -l \path\to\writable-log-directory.

The same change can be made for the rule file — check that default-rule-path is valid, readable by you, and contains the rule file(s) that you want.

Using -s rule-file will add the rule file to the rule files from the configuration file; -S will only use the rule file that you specify.
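
The two causes named in the reply (a log directory that cannot be written and rule files that are not where the configuration points) can be read directly from the startup output. The following Python script is an added example, not part of the original thread or of Suricata; it groups the ERRCODE lines by directory so each one maps to a single fix. The function names and the sample lines, which follow the shape of the output quoted above, are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the startup output quoted in the post.
SAMPLE_LOG = r'''
8/10/2022 -- 12:58:46 - <Error> - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 10.252.0.97
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/fast.log": Permission denied
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/eve.json": Permission denied
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ja3.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
'''

ENTRY = re.compile(r"\[ERRCODE: (\w+)\(\d+\)\] - (.*)$")
FOPEN = re.compile(r'Error opening file: "(.+?)": (.+)$')
RULE = re.compile(r"opening rule file (.+?): No such file or directory")

def norm(path):
    # The log mixes doubled backslashes and '/', so collapse both to one '\'.
    return re.sub(r"[\\/]+", lambda m: "\\", path)

def triage(log_text):
    """Group startup errors by directory under the causes the reply names."""
    out = {"log_dir_denied": defaultdict(list),   # fix: default-log-dir or -l
           "rule_missing": defaultdict(list),     # fix: default-rule-path, -s/-S
           "no_pcap_device": []}                  # -i given an IP with no adapter
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # blank line, or an Info/Notice line without an ERRCODE
        code, msg = entry.groups()
        if code == "SC_ERR_FOPEN":
            m = FOPEN.search(msg)
            if m and m.group(2).startswith("Permission denied"):
                directory, name = ntpath.split(norm(m.group(1)))
                out["log_dir_denied"][directory].append(name)
        elif code == "SC_ERR_OPENING_RULE_FILE":
            m = RULE.search(msg)
            if m:
                # A bare file name yields an empty directory key.
                directory, name = ntpath.split(norm(m.group(1)))
                out["rule_missing"][directory].append(name)
        elif code == "SC_ERR_PCAP_TRANSLATE":
            out["no_pcap_device"].append(msg.rsplit(" ", 1)[-1])
    return out

if __name__ == "__main__":
    for cause, hits in triage(SAMPLE_LOG).items():
        print(cause, dict(hits) if isinstance(hits, dict) else hits)
```

The empty directory key under rule_missing collects rule files that were logged without a directory, such as the signatures.rules passed with -s.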