kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Suricata.service crashes when processing PCAP from samples. #1717

Closed jacker31 closed 1 year ago

jacker31 commented 1 year ago


Prerequisites


Expected Behavior

After fresh deployment with CAPEv2, I expect the PCAP files to be processed without errors.

Current Behavior

When attempting to open the sample report after analysis, the UI fails, as shown in the screenshot below: [screenshot]

A manual processing attempt (utils/process.py) fails as well. First run: [screenshot]. Second run: [screenshot]

Failure Information (for bugs)

  1. Further investigation showed that when CAPE submits a PCAP to Suricata, the Suricata service crashes (with the result 'exit-code'), making the socket inaccessible to the cape-processor. [screenshot]

  2. /var/log/suricata/suricata.log has recorded the error "Unable to create thread with pthread_create() is 11".

  3. [modules.processing.suricata] returns either error 104 (Connection reset by peer) or error 111 (Connection refused).

  4. Suricata was installed from cape.sh and is running as the cape user and cape group. /etc/suricata/suricata.yaml [screenshot]

ps aux | grep suricata [screenshot]

ls -la /etc/suricata [screenshot]

Steps to Reproduce


  1. After a fresh deployment, start all CAPE services.
  2. Submit a sample with network routing enabled.
  3. The bug occurs, and the report fails to generate.

Context


Question            Answer
Git commit          commit 616c05523b942370c4db95e0999d298a1b918c2f
OS version          Ubuntu 22.04.3 LTS (jammy) x86_64
Allocated Resource  Disk Size: 3TB, RAM: 48GB, Processor: 8
Config Files        processing.conf: default out-of-the-box version
Suricata Version    v7.0.0

Failure Logs

journalctl -e -u cape-processor

-- Boot 82881c1b95df40c19562c88c1427c345 --
Ogos 26 13:19:59 capev2-virtual-machine systemd[1]: Started CAPE report processor.
Ogos 26 13:20:02 capev2-virtual-machine python3[1777]: 2023-08-26 13:20:02,477 [root] INFO: Processing analysis data
Ogos 26 13:25:17 capev2-virtual-machine python3[1777]: 2023-08-26 13:25:17,852 [root] INFO: Processing analysis data for Task #1
Ogos 26 13:25:17 capev2-virtual-machine python3[1777]: OPTIONAL! Missed dependency: pip3 install https://github.com/CAPESandbox/peepdf/archive/20eda78d7d77fc5b3b652ffc2d8a5b0af796e3dd.zip#egg=peepdf==0.4.2
Ogos 26 13:25:17 capev2-virtual-machine python3[1777]: OPTIONAL! Missed dependency: pip3 install -U git+https://github.com/DissectMalware/batch_deobfuscator
Ogos 26 13:25:17 capev2-virtual-machine python3[1777]: OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/CAPESandbox/httpreplay
Ogos 26 13:25:22 capev2-virtual-machine python3[6665]: 2023-08-26 13:25:22,118 [Task 1] [modules.processing.suricata] WARNING: Failed to get pcap status breaking out of loop: [Errno 104] Connection reset >
Ogos 26 13:25:22 capev2-virtual-machine python3[6665]: 2023-08-26 13:25:22,118 [Task 1] [modules.processing.suricata] WARNING: Failed to get pcap status breaking out of loop: [Errno 104] Connection reset >
Ogos 26 13:25:22 capev2-virtual-machine python3[6665]: /opt/CAPEv2/utils/../lib/cuckoo/common/abstracts.py:987: FutureWarning: Possible nested set at position 5
Ogos 26 13:25:22 capev2-virtual-machine python3[6665]: exp = re.compile(pattern, re.IGNORECASE)
Ogos 26 13:25:22 capev2-virtual-machine python3[1777]: 2023-08-26 13:25:22,977 [root] INFO: Reports generation completed
Ogos 26 13:33:33 capev2-virtual-machine python3[1777]: 2023-08-26 13:33:33,461 [root] INFO: Processing analysis data for Task #2
Ogos 26 13:33:41 capev2-virtual-machine python3[6661]: 2023-08-26 13:33:41,423 [Task 2] [modules.processing.suricata] WARNING: Failed to get pcap status breaking out of loop: [Errno 104] Connection reset >
Ogos 26 13:33:41 capev2-virtual-machine python3[6661]: 2023-08-26 13:33:41,423 [Task 2] [modules.processing.suricata] WARNING: Failed to get pcap status breaking out of loop: [Errno 104] Connection reset >
Ogos 26 13:33:42 capev2-virtual-machine python3[6661]: /opt/CAPEv2/utils/../lib/cuckoo/common/abstracts.py:987: FutureWarning: Possible nested set at position 5
Ogos 26 13:33:42 capev2-virtual-machine python3[6661]: exp = re.compile(pattern, re.IGNORECASE)
Ogos 26 13:33:43 capev2-virtual-machine python3[1777]: 2023-08-26 13:33:43,212 [root] INFO: Reports generation completed
Ogos 26 13:43:49 capev2-virtual-machine python3[1777]: 2023-08-26 13:43:49,221 [root] INFO: Processing analysis data for Task #3
Ogos 26 13:44:03 capev2-virtual-machine python3[6660]: 2023-08-26 13:44:03,174 [Task 3] [modules.processing.suricata] WARNING: Failed to connect to socket and send command /tmp/suricata-command.socket: [E>
Ogos 26 13:44:03 capev2-virtual-machine python3[6660]: 2023-08-26 13:44:03,174 [Task 3] [modules.processing.suricata] WARNING: Failed to connect to socket and send command /tmp/suricata-command.socket: [E>
Ogos 26 13:44:06 capev2-virtual-machine python3[6660]: /opt/CAPEv2/utils/../lib/cuckoo/common/abstracts.py:987: FutureWarning: Possible nested set at position 5
Ogos 26 13:44:06 capev2-virtual-machine python3[6660]: exp = re.compile(pattern, re.IGNORECASE)
Ogos 26 13:44:08 capev2-virtual-machine python3[1777]: 2023-08-26 13:44:08,231 [root] INFO: Reports generation completed

journalctl -e -u suricata.service

-- Boot 82881c1b95df40c19562c88c1427c345 --
Ogos 26 13:19:58 capev2-virtual-machine systemd[1]: Starting Suricata IDS/IDP daemon...
Ogos 26 13:19:58 capev2-virtual-machine suricata[1132]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Ogos 26 13:19:58 capev2-virtual-machine systemd[1]: Started Suricata IDS/IDP daemon.
Ogos 26 13:25:22 capev2-virtual-machine systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Ogos 26 13:25:22 capev2-virtual-machine systemd[1]: suricata.service: Failed with result 'exit-code'.
Ogos 26 13:30:30 capev2-virtual-machine systemd[1]: Starting Suricata IDS/IDP daemon...
Ogos 26 13:30:30 capev2-virtual-machine suricata[8134]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Ogos 26 13:30:30 capev2-virtual-machine systemd[1]: Started Suricata IDS/IDP daemon.
Ogos 26 13:33:41 capev2-virtual-machine systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Ogos 26 13:33:41 capev2-virtual-machine systemd[1]: suricata.service: Failed with result 'exit-code'.
Ogos 26 13:49:20 capev2-virtual-machine systemd[1]: Starting Suricata IDS/IDP daemon...
Ogos 26 13:49:20 capev2-virtual-machine suricata[9438]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Ogos 26 13:49:20 capev2-virtual-machine systemd[1]: Started Suricata IDS/IDP daemon.
Ogos 26 13:49:59 capev2-virtual-machine systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Ogos 26 13:49:59 capev2-virtual-machine systemd[1]: suricata.service: Failed with result 'exit-code'.
Ogos 26 14:20:56 capev2-virtual-machine systemd[1]: Starting Suricata IDS/IDP daemon...
Ogos 26 14:20:56 capev2-virtual-machine suricata[10534]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Ogos 26 14:20:56 capev2-virtual-machine systemd[1]: Started Suricata IDS/IDP daemon.

cat /var/log/suricata/suricata.log

[9438 - Suricata-Main] 2023-08-26 13:49:20 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[9438 - Suricata-Main] 2023-08-26 13:49:20 Info: cpu: CPUs/cores online: 8
[9438 - Suricata-Main] 2023-08-26 13:49:20 Info: suricata: Setting engine mode to IDS mode by default
[9438 - Suricata-Main] 2023-08-26 13:49:20 Info: exception-policy: master exception-policy set to: auto
[9438 - Suricata-Main] 2023-08-26 13:49:20 Info: suricata: Use pid file /tmp/suricata.pid from config file.
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: privs: dropped the caps for main thread
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: logopenfile: fast output device (regular) initialized: fast.log
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: logopenfile: stats output device (regular) initialized: stats.log
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: counters: Alerts: 0
[9440 - Suricata-Main] 2023-08-26 13:49:20 Warning: detect: No rule files match the pattern /etc/suricata/rules/suricata.rules
[9440 - Suricata-Main] 2023-08-26 13:49:20 Warning: detect: 1 rule files specified, but no rules were loaded!
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: detect: 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[9440 - Suricata-Main] 2023-08-26 13:49:20 Info: unix-manager: unix socket '/tmp/suricata-command.socket'
[9440 - Suricata-Main] 2023-08-26 13:49:20 Notice: threads: Threads created -> Engine started.
[9441 - US] 2023-08-26 13:49:59 Info: unix-socket: Added file '/opt/CAPEv2/storage/analyses/3/dump.pcap' to list
[9441 - US] 2023-08-26 13:49:59 Info: unix-socket: pcap-file.tenant-id not set
[9441 - US] 2023-08-26 13:49:59 Info: unix-socket: Starting run for '/opt/CAPEv2/storage/analyses/3/dump.pcap'
[9441 - US] 2023-08-26 13:49:59 Info: logopenfile: fast output device (regular) initialized: fast.log
[9441 - US] 2023-08-26 13:49:59 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[9441 - US] 2023-08-26 13:49:59 Info: logopenfile: stats output device (regular) initialized: stats.log
[9441 - US] 2023-08-26 13:49:59 Error: threads: Unable to create thread with pthread_create() is 11

doomedraven commented 1 year ago

Hello, thanks for the detailed info. It looks like there is some Suricata problem that is not related to CAPE; I would suggest starting by googling this error:

/var/log/suricata/suricata.log has recorded "Unable to create thread with pthread_create() is 11" error.

jacker31 commented 1 year ago

Hi @doomedraven, thanks for your swift response.

Yes, I believe it is related to Suricata as well. I have been googling for a while on this issue and found that this is related to resource limitation or availability for Suricata to create threads or access threads. Resource limitation could not be an issue here. If I run Suricata as root, it executes the command. However, when it runs as cape user, it doesn’t.

[screenshot]

User permission shouldn’t be the issue here since this is a fresh copy of Suricata installed from ./cape.sh and running as cape user (user and group).

I have also tried reinstalling CAPE on Ubuntu 20.04 and 22.04.1 with this commit; that failed as well.

doomedraven commented 1 year ago

Suricata is installed from apt, so it is not a custom Suricata. Maybe your system is low on resources? IDK, this is the first time I see this issue.


jacker31 commented 1 year ago

I guess 48GB RAM + i9 is sufficient for Suricata. I will test out more fixes and post here if any are working.

Thanks.

doomedraven commented 1 year ago

Yes, more than enough. Maybe there is some new limitation, IDK. Let us know what you find.


jacker31 commented 1 year ago

So I have tried the following, but with no luck:

  1. Re-installation of fresh copies of the VM.
  2. Install on other laptops.
  3. Install on 22.04.01 / 02 and 20.04 (with Python 3.11).
  4. Downgrade Suricata to 6.0.13.

Update: I have posted the issue and found the solution here: https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/3

doomedraven commented 1 year ago

Thank you, interesting; run-as was there for years working fine.

doomedraven commented 1 year ago

OK, it is not run-as, as we run Suricata as root, so run-as should be more than fine.

jacker31 commented 1 year ago

I did both solutions and tested things out; limit-noproc is more likely to be the issue.
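To show why the thread failure above appears only for the unprivileged cape user, here is an added example (not code from CAPEv2 or Suricata) that does what Suricata's limit-noproc setting does: it lowers RLIMIT_NPROC to 0 and then calls pthread_create. On Linux, threads count against RLIMIT_NPROC and the check is skipped for root, so an unprivileged run gets EAGAIN (errno 11, the value in the suricata.log above) while root succeeds; the "one more thread after the limit is in place" step stands in for the worker threads a unix-socket pcap run needs.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Minimal thread body: the point is only whether pthread_create succeeds. */
static void *worker(void *arg) {
    (void)arg;
    return NULL;
}

/* Create and join one thread; return pthread_create's result (0 or an errno). */
int try_spawn_thread(void) {
    pthread_t tid;
    int rc = pthread_create(&tid, NULL, worker, NULL);
    if (rc == 0)
        pthread_join(tid, NULL);
    return rc;
}

/* Mimic limit-noproc: clamp this process's RLIMIT_NPROC to 0.
 * Lowering a limit never needs privileges, so this succeeds for any user. */
int apply_noproc_limit(void) {
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Apply the limit, then try one more thread. This is the pcap-run situation:
 * the limit is already in place when new worker threads are needed.
 * Returns pthread_create's result, or -1 if setrlimit itself failed. */
int spawn_after_noproc_limit(void) {
    if (apply_noproc_limit() != 0)
        return -1;
    return try_spawn_thread();
}

int main(void) {
    printf("before limit: pthread_create -> %d\n", try_spawn_thread());
    int rc = spawn_after_noproc_limit();
    /* uid 0 bypasses the NPROC check on Linux, which is why Suricata in the
     * post runs fine as root but fails as the cape user. */
    printf("after RLIMIT_NPROC=0 as uid %u: pthread_create -> %d (%s)\n",
           (unsigned)geteuid(), rc, rc ? strerror(rc) : "ok");
    return 0;
}
```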

doomedraven commented 1 year ago

Yes, I'm gonna add that to the configuration. Thanks for posting the solution.

jacker31 commented 1 year ago

Sure thing, thanks.

The issue with Suricata has been solved, but I still cannot get the report generated. No error etc. from the processor.

doomedraven commented 1 year ago

BTW, I just spotted a problem in how you run Suricata in CAPE: you should use this https://github.com/kevoreilly/CAPEv2/blob/master/systemd/suricata.service; as you can see, it runs as root and under systemd.

Do you get failed_analysis or something like that? Did you try processing in debug mode? -d

jacker31 commented 1 year ago

Sure thing, will use that.

Most of the setups I did were out-of-the-box with some essential config (i.e. kvm.conf, cuckoo.conf) to get it running before further tweaks were done.

> do you get failed_analysis or something like that? did you try process in debug mode? -d

I just ran a fresh analysis, but don't see any error in analysis.log. Same thing with "-d". The only "failed" keywords I found in the debug mode output were these (not in all cases):

2023-08-30 07:14:16,917 [Task 6] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id for main thread failed\n'

doomedraven commented 1 year ago

So with no report generation, can you describe a bit more what you expect? No data in the web GUI? Is mongo enabled? Is there data in the folder storage/analyses/<task_id>?

jacker31 commented 1 year ago

So what happened with the report generation was weird.

After the analysis, the status field was updated to "reported": [screenshot]

However, when clicked, it says: [screenshot]

So I checked with journalctl -e -u cape-processor and found that there were no errors; all was fine.

Ogos 30 07:28:56 jphd-virtual-machine python3[1674]: 2023-08-30 07:28:56,626 [root] INFO: Processing analysis data for Task #9
Ogos 30 07:28:59 jphd-virtual-machine python3[2422]: 2023-08-30 07:28:59,445 [Task 9] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id f>
Ogos 30 07:28:59 jphd-virtual-machine python3[2422]: 2023-08-30 07:28:59,445 [Task 9] [modules.processing.suricata] WARNING: Suricata returned a Exit Value Other than Zero: b'E: privs: capng_change_id f>
Ogos 30 07:28:59 jphd-virtual-machine python3[1674]: 2023-08-30 07:28:59,561 [root] INFO: Reports generation completed

I investigated analysis.log and ran sudo -u cape poetry run python3 utils/process.py 9, and found nothing alarming.

capev2@CAPEv2-virtual-machine:/opt/CAPEv2$ sudo -u cape poetry run python3 utils/process.py 9
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)

I ran ls -la on the folder and found that there were artifacts indeed.

capev2@CAPEv2-virtual-machine:/opt/CAPEv2$ ls -la storage/analyses/9
total 156
drwxr-xr-x 19 cape cape  4096 Ogos 30 07:28 .
drwxr-xr-x 11 cape cape  4096 Ogos 30 07:28 ..
-rw-r--r--  1 cape cape 17252 Ogos 30 07:28 analysis.log
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 aux
lrwxrwxrwx  1 cape cape    93 Ogos 30 07:24 binary -> /opt/CAPEv2/storage/binaries/9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 CAPE
-rw-r--r--  1 cape cape     0 Ogos 30 07:25 cuckoo.log
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 curtain
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 debugger
-rw-r--r--  1 cape cape 47643 Ogos 30 07:28 dump.pcap
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 evtx
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 files
-rw-r--r--  1 cape cape   207 Ogos 30 07:28 files.json
drwxr-xr-x  2 cape cape  4096 Ogos 30 08:15 logs
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 memory
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 network
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 procdump
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 reports
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 scripts
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:28 selfextracted
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:26 shots
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 stap
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 sysmon
drwxr-xr-x  2 cape cape  4096 Ogos 30 07:25 tlsdump

doomedraven commented 1 year ago

OK yes, this is typically because it can't insert data into mongo. Did you enable mongo in conf/reporting.conf? Also, is mongo up? systemctl status mongodb.service

jacker31 commented 1 year ago

You are right.

So it turns out that my MongoDB was installed, but rather broken (probably after poking left and right for the previous issue with services and permissions).

I re-installed it and refreshed reporting.conf; it works now.

[screenshot]

BIG thanks for the help! @doomedraven

doomedraven commented 1 year ago

You are welcome, let me know if you have any other issue.

doomedraven commented 1 year ago

BTW, instead of pafish, use al-khaser; it is way better ;)

jacker31 commented 1 year ago

Will look into that. I got Pafish from my old notes from the Cuckoo era, so I was using it for testing the initial setup.