The file restoration function fails to restore the ftp pcap package

My version is suricata-6.0.12

Configuration and package upload attachments

no rules

Could you please check why you can’t extract the file, thanks

suricata.yaml (73.7 KB)
ftpup.pcap (7.9 MB)

I need help, please :sob: :sob:

Try adding --runmode=single to your command line. The FTP connections can be picked up by different threads, causing Suricata not to know what the data channel is when it’s first seen. This is more of a concern in pcaps than when reading from the wire though.

Thank you very much, I was able to restore some ftp data after using single threaded mode. However, there are some ftp-data protocols that do not seem to be recognized. Is this a current engine bug? Or did I have some configuration settings wrong?

By the way, this is the configuration file and run command after I changed the mode following your suggestion
suricata.yaml (73.7 KB)
suricata -c ./suricata.yaml -r ./pcap/ -l ./log()
Since I enabled a single thread in the configuration file, I did not add it to the command line, and I tested with the same result

Can you turn your test into a Suricata-Verify test?

Do you mean my question is not standardized? Then I will sort it out according to the way you gave the git project, or do you want me to submit this issue on this git link :smiling_face_with_tear: (7.9 MB)
This is the result of my operation. Due to the upload limit, I deleted the input.pcap in the output directory.

Below is what my command line run shows:
[root@localhost suricata-6.0.12]# …/suricata-verify-master/ --strictcsums 0705 …/suricata-verify-master/0705/ftpup.pcap
2023-07-05 15:33:10,742 - INFO - Running eve2test…
Traceback (most recent call last):
File “…/suricata-verify-master/”, line 465, in
File “…/suricata-verify-master/”, line 461, in main
File “…/suricata-verify-master/”, line 444, in generate_eve
File “…/suricata-verify-master/”, line 422, in eve2test
File “…/suricata-verify-master/”, line 255, in filter_event_type_params
File “…/suricata-verify-master/”, line 151, in write_to_file
except FileNotFoundError:
NameError: global name ‘FileNotFoundError’ is not defined

I’m still very troubled, I hope someone can help me :sob: :sob:

Please try:

../path/to/suricata-verify/ mytestname /path/to/pcap

and make sure you’re running this command from a suricata dir :wink:

Thank you very much for your answer. I may not have expressed it clearly. In fact, my last answer has correctly run the result that needs to be debugged, which is the same as the one I restored by running suricata directly (the file loaded in the message is missing). I want to know if this problem is a defect of the current engine or there is still something wrong with my configuration :orange_heart:

Actually, apologies from my end. I did not see the error message properly. I believe this is a Python version issue. Could you please try running the script with Python 3? That has this attribute.

I’m very sorry for the delay. I’m not good at the upgraded version of python. Fortunately, I installed it today, but I ran it again, and the result was the same as when I used python2.7. I’m a little frustrated, so what’s wrong?

Does /home/icy/workspace/suricata-verify-master/tests/0705 even exist?

It exists, and there are files to restore

Could you please check if the eve-log section of the suricata.yaml in the suricata dir that you are in has enabled: yes? Also, check permissions on suricata-verify/tests dir
I can’t think of other reasons it should fail this way rn.

I didn’t disable the output of eve.log. In fact, I didn’t load the rules at all. I just want to test the file restore function. I want to know why my ftp-data only extracts part of the content
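
As an added diagnostic (not code from this thread or from the Suricata project), the script below walks an eve.json and reports the extraction state of each ftp-data file using Suricata’s fileinfo fields: only CLOSED files were seen from start to end, while a transfer whose data channel the engine only picked up mid-flow can show up as TRUNCATED or not stored. The sample eve lines are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the pcap in the thread): one ftp-data
# transfer fully extracted, one truncated, one HTTP file and one flow event for contrast.
SAMPLE_EVE = """\
{"timestamp":"2023-07-05T15:33:10.000000+0800","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"ftp-data","fileinfo":{"filename":"/girl1.png","state":"CLOSED","stored":true,"size":524288,"sha256":"0000000000000000000000000000000000000000000000000000000000000001"}}
{"timestamp":"2023-07-05T15:33:11.000000+0800","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"ftp-data","fileinfo":{"filename":"/girl2.png","state":"TRUNCATED","stored":true,"size":131072}}
{"timestamp":"2023-07-05T15:33:12.000000+0800","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"http","fileinfo":{"filename":"/index.html","state":"CLOSED","stored":false,"size":2048}}
{"timestamp":"2023-07-05T15:33:13.000000+0800","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"ftp"}
"""

def parse_fileinfo(lines, app_proto="ftp-data"):
    """Yield fileinfo events for the given app-layer protocol."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partial line, e.g. eve.json still being written
        if ev.get("event_type") != "fileinfo" or ev.get("app_proto") != app_proto:
            continue
        yield ev

def summarize(lines, app_proto="ftp-data"):
    """Return (Counter of file states, list of filenames not fully extracted)."""
    states = Counter()
    incomplete = []
    for ev in parse_fileinfo(lines, app_proto):
        fi = ev["fileinfo"]
        state = fi.get("state", "UNKNOWN")
        states[state] += 1
        # CLOSED means the file was seen end to end; anything else (TRUNCATED,
        # ERROR, UNKNOWN) or a file that was never stored needs a closer look.
        if state != "CLOSED" or not fi.get("stored", False):
            incomplete.append(fi.get("filename", "<unnamed>"))
    return states, incomplete

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path) if path else SAMPLE_EVE.splitlines()
    states, incomplete = summarize(lines)
    print("ftp-data fileinfo states:", dict(states))
    for name in incomplete:
        print("not fully extracted:", name)
```

Run it as `python3 script.py /path/to/eve.json` against the output of the single-runmode run to see which transfers the engine lost part of.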

I just tried your suricata.yaml and the pcap you shared and was able to create the test.
Ok, let’s go over it again step by step.

# Go into your suricata source code directory
cd /my/suricata/dir

# Here, you should have a suricata.yaml
grep -i "eve-log:" suricata.yaml -A 10

The above command should show you the following:

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      # Enable for multi-threaded eve.json output; output files are amended with
      # an identifier, e.g., eve.9.json
      #threaded: false
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5

Now, if your suricata-verify code exists a level up, run createst as follows from the Suricata dir which you should be in right now.

python3 ../suricata-verify/ my-ftp-test /path/to/my/pcap

Note: I’d highly recommend creating a new test at this point, as I see 0705 directories in places they shouldn’t be; perhaps they were manually created? Give a new name to the test and create a new one.

Your suricata-verify is owned by root, so, please make sure you’re running with root as well.

OK, thank you. Have you seen from the test results that the pictures I transferred have been completely restored? It’s the one from the magical girl.