doomedraven / Tools

Combination of different utilities, have fun!
MIT License

Failed to connect to socket and send command /tmp/suricata-command.socket: [Errno 2] No such file or directory #52

Closed r1n9w0rm closed 4 years ago

r1n9w0rm commented 4 years ago

Summary:

After running cape2.sh and trying both the base and suricata argument, the suricata processing module is still unable to find the socket file:

2020-09-22 17:54:34,334 [modules.processing.suricata] WARNING: Failed to connect to socket and send command /tmp/suricata-command.socket: [Errno 2] No such file or directory

Digging into /var/log/suricata/suricata.log I discovered:

<Error> - [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!

Question          Answer
OS version        Ubuntu 20.04
CAPEv2 Version    Latest
Suricata Service  SystemD

doomedraven commented 4 years ago

We can change that; my iface is also not eth0, but I didn't have any problem with that, as the pcap is generated by CAPE and just sent to Suricata, so that's not related at all.

doomedraven commented 4 years ago

What OS? Versions etc.?

r1n9w0rm commented 4 years ago

We can change that; my iface is also not eth0, but I didn't have any problem with that, as the pcap is generated by CAPE and just sent to Suricata, so that's not related at all.

I see, so it's not run in "live" mode.

What OS? Versions etc.?

Ubuntu 20.04 LTS. I updated the original issue contents. I'm seeing this error in suricata.log:

<Error> - [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!

Update:

I just found this; it looks like the user and group variables were literally "${USER}" instead of "cape" in /etc/suricata/suricata.yaml:

# Run suricata as user and group.
run-as:
   user: ${USER}
   group: ${USER}

I also just noticed this (must be from re-running cape2.sh suricata):

sudo crontab -l

15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null
doomedraven commented 4 years ago

Ah yes, I don't check if the cron entry exists; I will add checks once I have some time, and check how to fix the user/group issue. Thanks.

doomedraven commented 4 years ago

Should be fixed now, thanks.

r1n9w0rm commented 4 years ago

Should be fixed now, thanks.

Noice. As far as that one-liner goes for ensuring the crontab entry doesn't already exist, this works for me:

crontab -l 2>/dev/null | grep 'suricata-update' &>/dev/null || (crontab -l 2>/dev/null; echo "15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null") | crontab -
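The two installer problems discussed in this thread (a cron line appended on every run, and a literal ${USER} left in the run-as block) can both be checked with small shell helpers. This is an added example, not code from cape2.sh or the Tools repository; it assumes bash or a POSIX sh with GNU grep/sed, and reuses the cron line and paths quoted above. Only install_suricata_cron touches the live crontab; the other functions are pure and only print.

```shell
#!/usr/bin/env bash
# Added example (not from cape2.sh): idempotent crontab merge plus a check for
# an unexpanded ${USER} in the suricata.yaml run-as block.

# The exact cron entry from the issue; the command inside stays literal.
SURICATA_CRON_LINE='15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null'

# merge_cron_line CURRENT_CRONTAB LINE
# Prints CURRENT_CRONTAB with LINE present exactly once. Fixed-string,
# whole-line match (-xF) so the '*' fields are not treated as a pattern.
merge_cron_line() {
    local current="$1" line="$2"
    if printf '%s\n' "$current" | grep -qxF -- "$line"; then
        printf '%s\n' "$current"          # already installed: unchanged
    else
        [ -n "$current" ] && printf '%s\n' "$current"
        printf '%s\n' "$line"
    fi
}

# duplicate_cron_lines CRONTAB: print entries that occur more than once,
# which is how repeated cape2.sh runs showed up in `crontab -l` above.
duplicate_cron_lines() {
    printf '%s\n' "$1" | sort | uniq -d
}

# install_suricata_cron: read the live crontab (empty if none), merge, write back.
install_suricata_cron() {
    local current
    current="$(crontab -l 2>/dev/null || true)"
    merge_cron_line "$current" "$SURICATA_CRON_LINE" | crontab -
}

# check_run_as CONFIG_TEXT: return 1 if user/group under run-as still starts
# with a '$', i.e. the installer wrote the variable name instead of its value
# (Suricata then fails with SC_ERR_UID_FAILED, "unable to get the user ID").
check_run_as() {
    printf '%s\n' "$1" \
        | sed -n '/^run-as:/,/^[^ ]/p' \
        | grep -qE '^[[:space:]]+(user|group):[[:space:]]*\$' && return 1
    return 0
}
```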

doomedraven commented 4 years ago

Thanks, my solution is simpler ;)