Hello,
I’m new to Suricata and fairly new to Linux. I run Suricata with the default configuration and it stalls with errors. I’ve verified the rules are in the correct place.
I’d appreciate the help. Thank you.
8/10/2022 -- 12:50:39 - <Info> - Running as service: no
Suricata 6.0.6
USAGE: suricata.exe [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded exclusively (optional)
-l <dir> : default log directory
--service-install : install as service
--service-remove : remove service
--service-change-params : change service startup parameters
-k [all|none] : force checksum check (all) or disabled it (none)
-V : display Suricata version
-v : be more verbose (use multiple times to increase verbosity)
--list-app-layer-protos : list supported app layer protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification the engine should run. The argument
supplied should be the id for the runmode obtained by running
--list-runmodes
--engine-analysis : print reports on analysis of different sections in the engine and exit.
Please have a look at the conf parameter engine-analysis on what reports
can be printed
--pidfile <file> : write pid to this file
--init-errors-fatal : enable fatal failure on signature init error
--disable-detection : disable detection engine
--dump-config : show the running configuration
--dump-features : display provided features
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)
--pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647
--simulate-ips : force engine into IPS mode. Useful for QA
--erf-in <path> : process an ERF file
--set name=value : set a configuration value
To run the engine with default configuration on interface eth0 with signature file “signatures.rules”, run the command as:
suricata.exe -c suricata.yaml -s signatures.rules -i eth0
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i eth0
8/10/2022 -- 12:56:10 - <Info> - Running as service: no
Error opening file C:\\Program Files\\Suricata\\log/suricata.log
8/10/2022 -- 12:56:10 - <Notice> - This is Suricata version 6.0.6 RELEASE running in SYSTEM mode
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:56:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i 10.252.0.97
8/10/2022 -- 12:58:46 - <Info> - Running as service: no
8/10/2022 -- 12:58:46 - <Error> - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 10.252.0.97
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -s signatures.rules -i 192.168.0.3
8/10/2022 -- 12:59:10 - <Info> - Running as service: no
8/10/2022 -- 12:59:10 - <Info> - translated 192.168.0.3 to pcap device \Device\NPF_{887DE346-4E47-47D9-8D69-6D416D7A7B15}
Error opening file C:\\Program Files\\Suricata\\log/suricata.log
8/10/2022 -- 12:59:10 - <Notice> - This is Suricata version 6.0.6 RELEASE running in SYSTEM mode
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/fast.log": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/eve.json": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "eve-log": setup failed
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/stats.log": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "stats": setup failed
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-adware_pup.rules: No such file or directory.
8/10/2022 -- 12:59:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-coinminer.rules: No such file or directory.
8/10/2022 -- 12:59:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ja3.rules: No such file or directory.
8/10/2022 -- 12:59:12 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-phishing.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
8/10/2022 -- 12:59:13 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.slightpulseM2' is checked but not set. Checked in 2032912 and 0 other sigs
8/10/2022 -- 12:59:15 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{887DE346-4E47-47D9-8D69-6D416D7A7B15}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 1 Tx: 1 LSOv1 IPv4: 0 LSOv2 IPv4: 1 IPv6: 1
8/10/2022 -- 12:59:15 - <Notice> - all 5 packet processing threads, 2 management threads initialized, engine started.
Please ignore the date. I still receive the same error.
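Added example, not part of the original post and not Suricata's own code: a small Python triage script that parses startup lines in the format shown above and groups the file-access failures by ERRCODE and OS reason, so that the "Permission denied" entries for the log directory and the "No such file or directory" entries for rule files can be read apart from the informational warnings. The sample lines are copied from the output above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the startup output in the post above.
SAMPLE = r'''
8/10/2022 -- 12:58:46 - <Error> - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 10.252.0.97
8/10/2022 -- 12:59:10 - <Info> - Running as service: no
Error opening file C:\\Program Files\\Suricata\\log/suricata.log
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/fast.log": Permission denied
8/10/2022 -- 12:59:10 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
8/10/2022 -- 12:59:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/eve.json": Permission denied
8/10/2022 -- 12:59:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-ja3.rules: No such file or directory.
8/10/2022 -- 12:59:13 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
8/10/2022 -- 12:59:15 - <Notice> - all 5 packet processing threads, 2 management threads initialized, engine started.
'''

# "<date> -- <time> - <Level> - [ERRCODE: NAME(num)] - message"; the ERRCODE part is optional.
LINE = re.compile(r'^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> - '
                  r'(?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$')
# File-access failures as they appear in the messages above.
FILE_FAIL = re.compile(r'(?:Error opening file: |opening rule file )"?(?P<path>.+?)"?: '
                       r'(?P<reason>Permission denied|No such file or directory)')

def triage(text):
    """Return ({(errcode, reason): [paths]}, {level: count}, [lines without a log prefix])."""
    file_failures = defaultdict(list)
    levels = defaultdict(int)
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed.append(line)  # e.g. the bare "Error opening file ..." line
            continue
        levels[m['level']] += 1
        f = FILE_FAIL.search(m['msg'])
        if f and m['code']:
            file_failures[(m['code'], f['reason'])].append(f['path'])
    return dict(file_failures), dict(levels), unparsed

if __name__ == "__main__":
    failures, levels, unparsed = triage(SAMPLE)
    print("messages per level:", levels)
    for (code, reason), paths in failures.items():
        print(f"{code}: {reason}")
        for p in paths:
            print("   ", p)
    print("lines without a log prefix:", unparsed)
```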