Closed jacker31 closed 1 year ago
hello, thanks for the detailed info. It looks like there is some Suricata problem that is not related to CAPE; I would suggest starting by googling this error:
/var/log/suricata/suricata.log has recorded "Unable to create thread with pthread_create() is 11" error.
Hi @doomedraven , thanks for your swift response.
Yes, I believe it is related to Suricata as well. I have been googling for a while on this issue and found that this is related to resource limitation or availability for Suricata to create threads or access threads. Resource limitation could not be an issue here. If I run Suricata as root, it executes the command. However, when it runs as cape user, it doesn’t.
User permission shouldn’t be the issue here since this is a fresh copy of Suricata installed from ./cape.sh and running as cape user (user and group).
I have also tried reinstalling CAPE on Ubuntu 20.04 and 22.04.1 with this commit; it failed as well.
Suricata is installed from apt, so it is not a custom Suricata; maybe your system is low on resources? idk, this is the first time I've seen this issue.
I guess 48GB RAM + i9 is sufficient for Suricata. I will test out more fixes and post here if any are working.
Thanks.
Yes, more than enough; maybe there is some new limitation, idk. Let us know what you find.
So I have tried the following, but with no luck:
Update: I have posted the issue and found the solution here: https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/3
thank you, interesting; run-as was there for years working fine
ok, it is not run-as, as we run Suricata as root, so run-as should be more than fine
I did both solutions and tested things out; limit-noproc is more likely to be the issue.
yes, I'm gonna add that to the configuration, thanks for posting the solution
Sure thing, thanks.
The issue with Suricata has been solved, but I still cannot get the report generated. No error etc. from the processor.
btw I just spotted a problem in how you run Suricata in CAPE: you should use this https://github.com/kevoreilly/CAPEv2/blob/master/systemd/suricata.service as you can see, it runs as root under systemd.
do you get failed_analysis or something like that? did you try processing in debug mode? -d
Sure thing, will use that.
Most of the setups I did were out-of-the-box with some essential config (i.e. kvm.conf, cuckoo.conf) to get it running before further tweaks were done.
> do you get failed_analysis or something like that? did you try processing in debug mode? -d
I just ran a fresh analysis, but I don't see any error in analysis.log. Same thing with "-d". The "failed" keywords I found in debug mode were only these (not in all cases):
2023-08-30 07:14:16,917 [Task 6] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id for main thread failed\n'
so with no report generation, can you describe a bit more what you expect? no data in the webgui? mongo enabled? is there data in the folder storage/analyses/<task_id>?
So what happened with the report generation was weird.
After the analysis, the status field was updated to "reported".
However, when clicked, it says
So I checked with journalctl -e -u cape-processor
and found that there were no errors; all was fine.
Ogos 30 07:28:56 jphd-virtual-machine python3[1674]: 2023-08-30 07:28:56,626 [root] INFO: Processing analysis data for Task #9
Ogos 30 07:28:59 jphd-virtual-machine python3[2422]: 2023-08-30 07:28:59,445 [Task 9] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id f>
Ogos 30 07:28:59 jphd-virtual-machine python3[2422]: 2023-08-30 07:28:59,445 [Task 9] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id f>
Ogos 30 07:28:59 jphd-virtual-machine python3[1674]: 2023-08-30 07:28:59,561 [root] INFO: Reports generation completed
I investigated the analysis.log and sudo -u cape poetry run python3 utils/process.py 9
and found nothing alarming.
capev2@CAPEv2-virtual-machine:/opt/CAPEv2$ sudo -u cape poetry run python3 utils/process.py 9
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
I ran ls -la on the folder and found that there were artifacts indeed.
capev2@CAPEv2-virtual-machine:/opt/CAPEv2$ ls -la storage/analyses/9
total 156
drwxr-xr-x 19 cape cape  4096 Ogos 30 07:28 .
drwxr-xr-x 11 cape cape  4096 Ogos 30 07:28 ..
-rw-r--r--  1 cape cape 17252 Ogos 30 07:28 analysis.log
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 aux
lrwxrwxrwx  1 cape cape    93 Ogos 30 07:24 binary -> /opt/CAPEv2/storage/binaries/9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 CAPE
-rw-r--r--  1 cape cape     0 Ogos 30 07:25 cuckoo.log
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 curtain
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 debugger
-rw-r--r--  1 cape cape 47643 Ogos 30 07:28 dump.pcap
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 evtx
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 files
-rw-r--r--  1 cape cape   207 Ogos 30 07:28 files.json
drwxr-xr-x  2 cape cape  4096 Ogos 30 08:15 logs
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 memory
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 network
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 procdump
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 reports
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 scripts
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 selfextracted
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:26 shots
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 stap
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 sysmon
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 tlsdump
ok yes, this is typically because it can't insert data into mongo. did you enable mongo in conf/reporting.conf? also, is mongo up? systemctl status mongodb.service
You are right,
so it turns out that my MongoDB was installed, but rather broken (probably after poking left and right for the previous issue with services and permissions).
I re-installed it and refreshed the reporting.conf; it works now.
BIG thanks for the help! @doomedraven
you are welcome, let me know if you have any other issue
btw instead of pafish, use al-khaser, it is way better ;)
Will look into that. I got Pafish pulled out from my old notes from the Cuckoo era, so I was using it for testing the initial setup.
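The thread ends up with two separate root causes: Suricata 7's `security.limit-noproc` setting, which makes Suricata call setrlimit(RLIMIT_NPROC, 0) after start-up, and Mongo reporting being disabled or broken so the web UI has nothing to show. RLIMIT_NPROC is not enforced on processes holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so Suricata started as root is unaffected, while an unprivileged run-as user hits the limit as soon as a thread is created and pthread_create() fails with EAGAIN, errno 11, which is exactly the message in suricata.log. The Python below is an added example written for this page, not code from the CAPEv2 project or from anyone in the thread: the config fragments are constructed, the function names are mine, and the `mongo_active` flag stands in for the `systemctl status mongodb.service` check instead of running it.

```python
"""Added example, not part of the CAPEv2 project or of this issue thread.

Checks the two configuration conditions the thread ended up diagnosing:
  1. Suricata 7 `security.limit-noproc` (setrlimit(RLIMIT_NPROC, 0) after
     start-up). Root bypasses RLIMIT_NPROC, an unprivileged `run-as` user
     does not, so pthread_create() fails with EAGAIN (errno 11).
  2. CAPE's conf/reporting.conf needs `[mongodb] enabled = yes` for the web
     UI to find a report, and mongod must actually be running.
All inputs are constructed here so the file runs offline; the function
names and the `mongo_active` flag are assumptions, not values from the page.
"""
import configparser
import re

# Constructed fragment of a Suricata 7 suricata.yaml (not taken from the page)
SURICATA_YAML_RISKY = """\
run-as:
  user: cape
  group: cape

security:
  limit-noproc: true
  landlock:
    enabled: no
"""

SURICATA_YAML_FIXED = SURICATA_YAML_RISKY.replace("limit-noproc: true", "limit-noproc: false")

# Constructed fragment of conf/reporting.conf with Mongo reporting switched off
REPORTING_CONF_MONGO_OFF = """\
[jsondump]
enabled = yes

[mongodb]
enabled = no
host = 127.0.0.1
port = 27017
db = cuckoo
"""

REPORTING_CONF_MONGO_ON = REPORTING_CONF_MONGO_OFF.replace("enabled = no", "enabled = yes")


def yaml_top_level_block(text, key):
    """Lines belonging to the top-level mapping `key`. Indentation-based and
    only meant for the flat keys looked at here; it is not a YAML parser."""
    block, inside = [], False
    for line in text.splitlines():
        if re.match(rf"^{re.escape(key)}:\s*$", line):
            inside = True
            continue
        if inside and line and not line[0].isspace():
            break  # the next top-level key ends the block
        if inside:
            block.append(line)
    return block


def yaml_scalar(text, key, name):
    """Scalar value of `name` inside top-level block `key`, or None if absent."""
    for line in yaml_top_level_block(text, key):
        m = re.match(rf"^\s+{re.escape(name)}:\s*([^#\s]+)", line)
        if m:
            return m.group(1)
    return None


def suricata_run_as_user(text):
    """User Suricata drops to after start-up (run-as.user), or None."""
    return yaml_scalar(text, "run-as", "user")


def limit_noproc_enabled(text):
    """True only when security.limit-noproc is explicitly true/yes. The shipped
    suricata.yaml sets it explicitly, so an absent key is not flagged."""
    value = yaml_scalar(text, "security", "limit-noproc")
    return value is not None and value.lower() in ("true", "yes")


def mongo_reporting_enabled(conf_text):
    """CAPE reads its .conf files with ConfigParser, so the same parser is used."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.has_section("mongodb") and cp.getboolean("mongodb", "enabled", fallback=False)


def diagnose(suricata_yaml, reporting_conf, mongo_active):
    """Findings an operator would act on; an empty list means both checks pass."""
    findings = []
    user = suricata_run_as_user(suricata_yaml)
    if user and user != "root" and limit_noproc_enabled(suricata_yaml):
        findings.append(
            f"suricata.yaml: run-as user '{user}' with security.limit-noproc enabled; "
            "expect 'Unable to create thread with pthread_create() is 11' (EAGAIN). "
            "Set limit-noproc: false, or run Suricata as root under systemd."
        )
    if not mongo_reporting_enabled(reporting_conf):
        findings.append("reporting.conf: [mongodb] enabled = no; the web UI will show no report")
    elif not mongo_active:
        findings.append("reporting.conf enables mongodb but mongod is not active")
    return findings


if __name__ == "__main__":
    for line in diagnose(SURICATA_YAML_RISKY, REPORTING_CONF_MONGO_OFF, mongo_active=True):
        print("FINDING:", line)
```

To run it against a real box, pass `open("/etc/suricata/suricata.yaml").read()` and `open("conf/reporting.conf").read()` (paths assumed from the thread) and the result of your own mongod status check as `mongo_active`. The YAML helper deliberately only scans the two flat keys involved; install PyYAML if you need anything more than that.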
Expected Behavior
After fresh deployment with CAPEv2, I expect the PCAP files to be processed without errors.
Current Behavior
When attempting to process the sample report after analysis, the UI fails, as shown in the image below:
Manual processing of the report (utils/process.py) fails as well:
First Run:
Second Run:
Failure Information (for bugs)
Further investigation discovered that when a PCAP was submitted to Suricata by CAPE, the Suricata service crashes (with the result 'exit-code'.), making the socket inaccessible by the cape-processor.
/var/log/suricata/suricata.log has recorded "Unable to create thread with pthread_create() is 11" error.
[modules.processing.suricata] would return either error 104 (Connection reset by peer) or error 111 (Connection refused).
Suricata was installed from cape.sh and is running as the cape user and cape group.
/etc/suricata/suricata.yaml
ps aux | grep suricata
ls -la /etc/suricata
Failure Logs
journalctl -e -u cape-processor
journalctl -e -u suricata.service
cat /var/log/suricata/suricata.log