halimzhz
(Zainul Halim)
October 9, 2021, 3:55pm
Hi,
Today, after I restarted my server and ran the usual command:
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml -r -&
I found my Suricata 4.1.10 cannot start. I tried searching around and tried with:
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
It's running, but it suddenly stops. The log is:
9/10/2021 – 23:40:10 - - This is Suricata version 4.1.10 RELEASE
9/10/2021 – 23:40:10 - - CPUs/cores online: 4
9/10/2021 – 23:40:10 - - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from ‘decoder..’ to ‘decoder.event..’. See ticket #2225 . To suppress this message, set stats.decoder-events-prefix in the yaml.
9/10/2021 – 23:40:10 - - fast output device (regular) initialized: fast.log
9/10/2021 – 23:40:10 - - Using log dir /var/log/suricata/
9/10/2021 – 23:40:10 - - Selected pcap-log compression method: none
9/10/2021 – 23:40:10 - - using normal logging
9/10/2021 – 23:40:10 - - stats output device (regular) initialized: stats.log
9/10/2021 – 23:40:16 - - 55 rule files processed. 37041 rules successfully loaded, 0 rules failed
9/10/2021 – 23:40:16 - - Threshold config parsed: 0 rule(s) found
9/10/2021 – 23:40:18 - - 37044 signatures processed. 634 are IP-only rules, 3961 are inspecting packet payload, 33645 inspect application layer, 0 are decoder event only
9/10/2021 – 23:40:57 - - Checking file or directory /dev/stdin
9/10/2021 – 23:40:57 - - Argument /dev/stdin was a directory
9/10/2021 – 23:40:57 - - Initializing PCAP ring buffer for /var/log/suricata//log.pcap.
9/10/2021 – 23:40:57 - - Ring buffer initialized with 0 files.
9/10/2021 – 23:40:57 - - all 5 packet processing threads, 4 management threads initialized, engine started.
9/10/2021 – 23:40:57 - - Starting directory run for /dev/stdin
9/10/2021 – 23:40:57 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
9/10/2021 – 23:40:57 - - Directory run mode complete
9/10/2021 – 23:40:57 - - Signal Received. Stopping engine.
9/10/2021 – 23:40:57 - - time elapsed 0.135s
9/10/2021 – 23:40:57 - - Pcap-file module read 0 files, 0 packets, 0 bytes
9/10/2021 – 23:40:57 - - Alerts: 0
9/10/2021 – 23:40:58 - - cleaning up signature grouping structure… complete
Please help. What should I do?
Hi and welcome to the community!
Suricata stopped because of a signal as indicated by the following message
I encourage you to update your Suricata deployment to a version such as 5.0.7 or 6.0.3 before we spend too much time trying to determine what might be happening.
The version you’re using has been end-of-lifed (and is no longer supported)
halimzhz
(Zainul Halim)
October 10, 2021, 6:30pm
Hi Jeff,
Is there any issue with all my current rules if I upgrade to version 5? May I know how I can upgrade? If I'm not mistaken, I'm doing a manual installation; is there any step I should follow?
Please advise, and thank you so much.
halimzhz
(Zainul Halim)
October 10, 2021, 9:48pm
Dear All,
I just upgraded to the latest Suricata 6, but I'm still facing the same problem when I run the command:
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
11/10/2021 – 05:39:17 - - This is Suricata version 6.0.3 RELEASE running in USER mode
11/10/2021 – 05:39:17 - - CPUs/cores online: 4
11/10/2021 – 05:39:17 - - fast output device (regular) initialized: fast.log
11/10/2021 – 05:39:17 - - Using log dir .
11/10/2021 – 05:39:17 - - Selected pcap-log compression method: none
11/10/2021 – 05:39:17 - - using normal logging
11/10/2021 – 05:39:17 - - stats output device (regular) initialized: stats.log
11/10/2021 – 05:39:22 - - 55 rule files processed. 37020 rules successfully loaded, 0 rules failed
11/10/2021 – 05:39:22 - - Threshold config parsed: 0 rule(s) found
11/10/2021 – 05:39:24 - - 37023 signatures processed. 613 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 – 05:40:51 - - Argument /dev/stdin was a directory
11/10/2021 – 05:40:51 - - Initializing PCAP ring buffer for ./log.pcap.
11/10/2021 – 05:40:51 - - Ring buffer initialized with 0 files.
11/10/2021 – 05:40:52 - - all 5 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 – 05:40:52 - - Starting directory run for /dev/stdin
11/10/2021 – 05:40:52 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
11/10/2021 – 05:40:52 - - Directory run mode complete
11/10/2021 – 05:40:52 - - Signal Received. Stopping engine.
11/10/2021 – 05:40:52 - - time elapsed 0.731s
11/10/2021 – 05:40:52 - - Pcap-file module read 0 files, 0 packets, 0 bytes
11/10/2021 – 05:40:52 - - Alerts: 0
11/10/2021 – 05:40:53 - - cleaning up signature grouping structure… complete
I also modified suricata.yaml to not load any rules, but it's still the same thing.
Please help me. Thank you.
halimzhz
(Zainul Halim)
October 11, 2021, 11:16am
Hi,
I just tried running a different way, without '-r':
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -i enp2s4
11/10/2021 – 19:10:59 - - Including configuration file rules.yaml.
11/10/2021 – 19:10:59 - - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
11/10/2021 – 19:10:59 - - CPUs/cores online: 4
11/10/2021 – 19:10:59 - - Found an MTU of 1500 for ‘enp2s4’
11/10/2021 – 19:10:59 - - Found an MTU of 1500 for ‘enp2s4’
11/10/2021 – 19:10:59 - - fast output device (regular) initialized: fast.log
11/10/2021 – 19:10:59 - - Using log dir /var/log/suricata/
11/10/2021 – 19:10:59 - - Selected pcap-log compression method: none
11/10/2021 – 19:10:59 - - using normal logging
11/10/2021 – 19:10:59 - - stats output device (regular) initialized: stats.log
11/10/2021 – 19:10:59 - - Running in live mode, activating unix socket
11/10/2021 – 19:11:06 - - 55 rule files processed. 37021 rules successfully loaded, 0 rules failed
11/10/2021 – 19:11:06 - - Threshold config parsed: 0 rule(s) found
11/10/2021 – 19:11:10 - - 37024 signatures processed. 614 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 – 19:12:29 - - Going to use 4 ReceiveAFP receive thread(s)
11/10/2021 – 19:12:29 - - Initializing PCAP ring buffer for /var/log/suricata//log.pcap.
11/10/2021 – 19:12:29 - - Ring buffer initialized with 1 files.
11/10/2021 – 19:12:29 - - Running in live mode, activating unix socket
11/10/2021 – 19:12:29 - - Using unix socket file ‘/var/run/suricata/suricata-command.socket’
11/10/2021 – 19:12:29 - - all 8 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 – 19:12:29 - - All AFP capture threads are running.
And no more 'Signal Received. Stopping engine.' But why can't it run as usual with '-r'?
Please help. TQ
halimzhz
(Zainul Halim)
October 11, 2021, 11:19am
If with '-r':
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r -&
root@netmon [~]# 11/10/2021 – 19:18:42 - - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist
Please help me.
halimzhz
(Zainul Halim)
October 11, 2021, 11:21am
Below is my build info:
This is Suricata version 6.0.3 RELEASE
Features: NFQ PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.38, linked against LibHTP v0.5.36
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: yes
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /bin/rustc
Rust compiler version: rustc 1.55.0 (Red Hat 1.55.0-1.el7)
Cargo path: /bin/cargo
Cargo version: cargo 1.55.0
Cargo vendor: yes
Python support: yes
Python path: /usr/local/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
–prefix /usr
–sysconfdir /etc
–localstatedir /var
–datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/local/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Please help.
Hi,
Suricata is terminating execution because it received "end of file" from /dev/stdin.
Try the following (corrected) command line:
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode=autofp -v -r /dev/stdin
To confirm, do you see lines similar to these in the output?
[1822239] 11/10/2021 -- 08:03:39 - (source-pcap-file-helper.c:156) <Info> (PcapFileDispatch) -- pcap file /dev/stdin end of file reached (pcap err code 0)
[1822225] 11/10/2021 -- 08:03:39 - (suricata.c:2630) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
halimzhz
(Zainul Halim)
October 11, 2021, 1:16pm
Hi,
I tried executing that, and the result:
/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode=autofp -v -r /dev/stdin
11/10/2021 – 21:11:16 - - Including configuration file rules.yaml.
11/10/2021 – 21:11:16 - - This is Suricata version 6.0.3 RELEASE running in USER mode
11/10/2021 – 21:11:16 - - CPUs/cores online: 4
11/10/2021 – 21:11:16 - - fast output device (regular) initialized: fast.log
11/10/2021 – 21:11:16 - - Using log dir .
11/10/2021 – 21:11:16 - - Selected pcap-log compression method: none
11/10/2021 – 21:11:16 - - using normal logging
11/10/2021 – 21:11:16 - - stats output device (regular) initialized: stats.log
11/10/2021 – 21:11:21 - - 55 rule files processed. 37024 rules successfully loaded, 0 rules failed
11/10/2021 – 21:11:22 - - Threshold config parsed: 0 rule(s) found
11/10/2021 – 21:11:24 - - 37027 signatures processed. 617 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 – 21:12:41 - - Argument /dev/stdin was a directory
11/10/2021 – 21:12:41 - - Initializing PCAP ring buffer for ./log.pcap.
11/10/2021 – 21:12:41 - - Ring buffer initialized with 2 files.
11/10/2021 – 21:12:41 - - all 5 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 – 21:12:41 - - Starting directory run for /dev/stdin
11/10/2021 – 21:12:41 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
11/10/2021 – 21:12:41 - - Directory run mode complete
11/10/2021 – 21:12:41 - - Signal Received. Stopping engine.
11/10/2021 – 21:12:41 - - time elapsed 0.153s
11/10/2021 – 21:12:41 - - Pcap-file module read 0 files, 0 packets, 0 bytes
11/10/2021 – 21:12:41 - - Alerts: 0
11/10/2021 – 21:12:42 - - cleaning up signature grouping structure… complete
Please help
halimzhz
(Zainul Halim)
October 11, 2021, 1:23pm
Hi,
I realize it started happening after I rebooted the server, and before that I ran 'yum update -y'. I hadn't rebooted or run yum update for almost 2 years. Do you think the latest update of pcap is the cause? My server is CentOS 7.
Please help. TQ
Can you validate the output of trafr? My understanding of the issue is that EOF is being returned to Suricata when reading from the input stream provided by trafr.
halimzhz
(Zainul Halim)
October 14, 2021, 3:27pm
Hi,
Can you tell me how to validate? TQ
suricata is receiving EOF from /dev/stdin. That stream is expected to contain pcap data as supplied by trafr.
I'm not familiar with trafr, but it should be sending data formatted as pcap for you.
As a temporary test, try cat /path/to/file.pcap instead of trafr.
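One way to do the validation the last two replies ask for (check what trafr actually writes to the pipe, or substitute cat file.pcap), as an added example that is not part of this thread, of Suricata or of trafr: the script reads the stream on its stdin and reports whether it begins with a pcap or pcapng magic number, the link type and snaplen from the global header, how many packet records arrive before EOF, and whether EOF fell in the middle of a record. An empty result corresponds to the "end of file reached" / "Signal Received. Stopping engine." symptom above. The script name pcapcheck.py, the helper names and the embedded one-frame sample capture are assumptions constructed for the example.

```python
"""pcapcheck.py (hypothetical name): inspect a pcap byte stream on stdin.

Usage, as an added check in place of Suricata:
    /usr/local/bin/trafr -s | python3 pcapcheck.py
    cat /path/to/file.pcap   | python3 pcapcheck.py
"""
import io
import json
import struct
import sys

# Classic libpcap global-header magics: (format, struct endianness, timestamp unit)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">", "us"),  # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("pcap", "<", "us"),  # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": ("pcap", ">", "ns"),  # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("pcap", "<", "ns"),  # little-endian, nanoseconds
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block type of pcapng
GLOBAL_HDR = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"     # ts_sec, ts_frac, incl_len, orig_len (16 bytes)


def inspect_stream(stream):
    """Describe a binary stream: kind is 'empty', 'pcap', 'pcapng' or 'unknown'.

    For 'pcap' the dict also carries version, linktype, snaplen, the number of
    complete records read before EOF, and whether EOF cut a record short.
    """
    head = stream.read(24)
    if not head:
        return {"kind": "empty"}  # producer closed the pipe without writing anything
    if head[:4] == PCAPNG_MAGIC:
        return {"kind": "pcapng"}
    if head[:4] not in PCAP_MAGICS or len(head) < 24:
        return {"kind": "unknown", "first_bytes": head[:4].hex()}
    _, endian, ts_unit = PCAP_MAGICS[head[:4]]
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, head)

    records, truncated = 0, False
    while True:
        hdr = stream.read(16)
        if not hdr:
            break  # clean EOF on a record boundary
        if len(hdr) < 16:
            truncated = True
            break
        _, _, incl_len, _ = struct.unpack(endian + RECORD_HDR, hdr)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            truncated = True
            break
        records += 1
    return {
        "kind": "pcap",
        "version": (major, minor),
        "timestamps": ts_unit,
        "linktype": linktype,
        "snaplen": snaplen,
        "records": records,
        "truncated": truncated,
    }


def build_sample_pcap():
    """Constructed sample: little-endian pcap v2.4, LINKTYPE_ETHERNET (1),
    holding one 60-byte Ethernet frame with an IPv4 EtherType and zeroed payload."""
    ghdr = struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes.fromhex("ffffffffffff001122334455" "0800") + b"\x45" + b"\x00" * 45
    rec = struct.pack("<" + RECORD_HDR, 1633900000, 0, len(frame), len(frame)) + frame
    return ghdr + rec


if __name__ == "__main__":
    print(json.dumps(inspect_stream(sys.stdin.buffer)))
```

If the report says "empty", trafr exited or never wrote to the pipe, which is exactly what produces the immediate EOF Suricata logs; if it says "unknown", trafr's output is not in pcap format and -r cannot consume it regardless of the /dev/stdin handling. Run the same script against cat /path/to/file.pcap to confirm the check itself works on a known-good capture.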