Suricata IDS support - Suricata command 'pcap-file' not found

[ryanorm]

Describe the bug
Which is the latest supported version of Suricata IDS with Cuckoo3?

I have installed Suricata 7.0.7 (latest stable) and I am encountering the following error after analysis tasks finish.

Two log messages specifically mention that the command 'pcap-file' has failed to execute. The relevant config files are below with example task logs.

Cuckoo runs the SuricataPcap plugin after analysis has ended:

Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SuricataPcap stage=post task_id=20241107-5EOELW_1

Immediately a WARN messgae is thrown as below:

Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 WARN  [cuckoo.processing.worker]: Error sending command to Suricata. comand=pcap-file args={'filename': '/home/cuckoo/.cuckoocwd/storage/analyses/20241107/5EOELW/task_1/dump.pcap', 'output-dir': '/home/cuckoo/.cuckoocwd/storage/analyses/20241107/5EOELW/task_1/suricata'} error=Command not found: pcap-file task_id=20241107-5EOELW_1

Full log of an example task:

Nov 07 16:34:02 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:02 INFO  [cuckoo.control]: Tracked new analyses. amount=1
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:03 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=identification0 job=<Worktype=identification, analysis_id=20241107-5EOELW>
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 INFO  [cuckoo.processing.worker]: Starting work. worker=identification0 worktype=identification analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Identify stage=identification analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=FileSafelist stage=identification analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SelectFile stage=identification analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 DEBUG [cuckoo.processing.worker]: File selected. file='f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe' analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49755]: 2024-11-07 16:34:03 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=identification analysis_id=20241107-5EOELW
Nov 07 16:34:03 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:03 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=identification0 job=<Worktype=identification, analysis_id=20241107-5EOELW>
Nov 07 16:34:07 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:07 DEBUG [cuckoo.common.submit]: Supporting node for route found. node=local route=type=internet
Nov 07 16:34:08 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:08 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=pre0 job=<Worktype=pre, analysis_id=20241107-5EOELW>
Nov 07 16:34:08 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:08 INFO  [cuckoo.processing.worker]: Starting work. worker=pre0 worktype=pre analysis_id=20241107-5EOELW
Nov 07 16:34:08 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:08 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=DetermineTarget stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:08 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:08 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=CreateZip stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:08 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:08 DEBUG [cuckoo.processing.worker]: Finding child archive for selected file and normalizing to zip. analysis_id=20241107-5EOELW
Nov 07 16:34:09 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:09 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=DetermineLaunchArgs stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:09 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:09 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=FileInfoGather stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:10 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:10 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=StaticYaraRules stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:10 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:10 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Virustotal stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:11 WARN  [cuckoo.processing.worker]: Error while making Virustotal request. error=Virustotal request failed: Quota exceeded analysis_id=20241107-5EOELW
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49756]: 2024-11-07 16:34:11 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=pre analysis_id=20241107-5EOELW
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=pre0 job=<Worktype=pre, analysis_id=20241107-5EOELW>
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.control]: Creating tasks for analysis. analysis_id=20241107-5EOELW
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.common.task]: Creating task. task_id=20241107-5EOELW_1 platform=windows os_version=10
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.scheduler]: Searching for work to assign
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.scheduler]: Adding entry to task starter queue. task_id=20241107-5EOELW_1 machine=win10vm_01 node=local
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 INFO  [cuckoo.scheduler]: Assigning startable task to node. task_id=20241107-5EOELW_1 node=local machine=win10vm_01
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.node]: Asking taskrunner to start task. task_id=20241107-5EOELW_1 machine=win10vm_01 resultserver=192.168.30.1:2042
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 INFO  [cuckoo.control]: Setting task to state running. task_id=20241107-5EOELW_1
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:11 INFO  [cuckoo.node.taskrunner]: Task starting. task_id=20241107-5EOELW_1 machine=win10vm_01 target='f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe'
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.taskrunner]: Asking resultserver to map for IP to task. ip=192.168.30.11 task_id=20241107-5EOELW_1
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.taskrunner]: Initializing taskflow. taskflowkind=standard task_id=20241107-5EOELW_1
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.taskrunner]: Requesting machine start. machine=win10vm_01 task_id=20241107-5EOELW_1
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.machinery]: Machine action request. machine=win10vm_01 action=<function restore_start at 0x776f9ca2d990>
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.node.machinery]: Starting work. machine=win10vm_01 action=<function restore_start at 0x776f9ca2d990>
Nov 07 16:34:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:11 DEBUG [cuckoo.common.netcapture]: Starting tcpdump. args=['/usr/bin/tcpdump', '-i', 'br0', '-U', '-s', '0', '-n', '-w', '/home/cuckoo/.cuckoocwd/storage/analyses/20241107/5EOELW/task_1/dump.pcap', 'host', '192.168.30.11', 'and', 'not', '(', 'dst', 'host', '192.168.30.1', 'and', 'dst', 'port', '2042', ')', 'and', 'not', '(', 'src', 'host', '192.168.30.1', 'and', 'src', 'port', '2042', ')', 'and', 'not', '(', 'dst', 'host', '192.168.30.11', 'and', 'dst', 'port', '8000', ')', 'and', 'not', '(', 'src', 'host', '192.168.30.11', 'and', 'src', 'port', '8000', ')']
Nov 07 16:34:12 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:12 DEBUG [cuckoo.machineries.modules.qemu]: Starting machine with command. machine=win10vm_01 command=/usr/bin/qemu-system-x86_64 -nodefaults -M q35 -vga std -smp 1 -overcommit mem-lock=off -rtc base=localtime,driftfix=slew -m 4096 -netdev type=bridge,br=br0,id=net0 -device rtl8139,netdev=net0,mac=00:0a:f7:b6:0a:32,bus=pcie.0,addr=3 -device ich9-ahci,id=ahci -device ide-hd,bus=ahci.0,unit=0,drive=disk,bootindex=2 -device ide-cd,bus=ahci.1,unit=0,drive=cdrom,bootindex=1 -device usb-ehci,id=ehci -device usb-tablet,bus=ehci.0 -soundhw hda -enable-kvm -drive if=none,id=cdrom,readonly=on -drive file=/home/cuckoo/.vmcloak/vms/qemu/win10vm_01/win10vm_01_disposable.qcow2,format=qcow2,if=none,id=disk -display none -qmp unix:/home/cuckoo/.cuckoocwd/operational/sockets/qemu_win10vm_01.sock,server,nowait -monitor none -incoming exec:/usr/bin/gzip -c -d < /home/cuckoo/.vmcloak/vms/qemu/win10vm_01/memory.snapshot
Nov 07 16:34:19 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:34:19 DEBUG [cuckoo.node.machinery]: Updating machine state. machine=win10vm_01 newstate=running
Nov 07 16:34:20 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:20 DEBUG [cuckoo.node.taskrunner]: Waiting until agent is online. agent_address=192.168.30.11:8000 task_id=20241107-5EOELW_1
Nov 07 16:34:20 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:20 DEBUG [cuckoo.node.taskrunner]: Agent online. task_id=20241107-5EOELW_1
Nov 07 16:34:20 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:20 DEBUG [cuckoo.node.taskrunner]: Requesting rooter to apply route. route=type=internet task_id=20241107-5EOELW_1
Nov 07 16:34:22 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:22 DEBUG [cuckoo.node.taskrunner]: Using stager. stager=tmstage task_id=20241107-5EOELW_1
Nov 07 16:34:22 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:22 DEBUG [cuckoo.node.taskrunner]: Preparing stager. task_id=20241107-5EOELW_1
Nov 07 16:34:22 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:22 DEBUG [cuckoo.node.taskrunner]: Delivering and executing payload. task_id=20241107-5EOELW_1
Nov 07 16:34:24 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:24 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='logs/threemon.pb' task_id=20241107-5EOELW_1
Nov 07 16:34:24 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:24 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=13335.jpg task_id=20241107-5EOELW_1
Nov 07 16:34:24 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:24 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=13335.jpg size=38.3KiB task_id=20241107-5EOELW_1
Nov 07 16:34:25 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:34:25 DEBUG [cuckoo.node.taskrunner]: Running until timeout. timeout=120 task_id=20241107-5EOELW_1
Nov 07 16:34:29 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:29 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0008000000016f94-0.dat' task_id=20241107-5EOELW_1
Nov 07 16:34:29 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:29 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0008000000016f94-0.dat' size=75.0KiB task_id=20241107-5EOELW_1
Nov 07 16:34:37 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:37 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=25730.jpg task_id=20241107-5EOELW_1
Nov 07 16:34:37 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:37 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=25730.jpg size=40.4KiB task_id=20241107-5EOELW_1
Nov 07 16:34:38 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:38 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=26988.jpg task_id=20241107-5EOELW_1
Nov 07 16:34:38 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:38 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=26988.jpg size=40.5KiB task_id=20241107-5EOELW_1
Nov 07 16:34:38 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:38 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0003000000014743-1.dat' task_id=20241107-5EOELW_1
Nov 07 16:34:39 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:39 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0013000000016f99-2.dat' task_id=20241107-5EOELW_1
Nov 07 16:34:39 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:39 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000c000000016f89-3.dat' task_id=20241107-5EOELW_1
Nov 07 16:34:40 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:40 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0003000000014743-1.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:34:41 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:41 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0013000000016f99-2.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:34:42 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:42 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000c000000016f89-3.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:34:42 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:42 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000e000000016ff3-4.dat' task_id=20241107-5EOELW_1
Nov 07 16:34:42 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:42 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=31437.jpg task_id=20241107-5EOELW_1
Nov 07 16:34:42 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:42 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=31437.jpg size=41.4KiB task_id=20241107-5EOELW_1
Nov 07 16:34:45 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:45 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000e000000016ff3-4.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:34:48 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:48 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=37409.jpg task_id=20241107-5EOELW_1
Nov 07 16:34:48 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:34:48 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=37409.jpg size=39.5KiB task_id=20241107-5EOELW_1
Nov 07 16:35:11 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:11 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=59831.jpg task_id=20241107-5EOELW_1
Nov 07 16:35:11 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:11 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=59831.jpg size=39.5KiB task_id=20241107-5EOELW_1
Nov 07 16:35:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:35:11 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 07 16:35:16 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:16 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0003000000014741-5.dat' task_id=20241107-5EOELW_1
Nov 07 16:35:17 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:17 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0003000000014741-6.dat' task_id=20241107-5EOELW_1
Nov 07 16:35:21 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:21 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0003000000014741-5.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:35:23 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:23 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0003000000014741-6.dat' size=4.9MiB task_id=20241107-5EOELW_1
Nov 07 16:35:31 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:31 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000900000001715a-7.dat' task_id=20241107-5EOELW_1
Nov 07 16:35:31 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:35:31 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000900000001715a-7.dat' size=75.0KiB task_id=20241107-5EOELW_1
Nov 07 16:36:05 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:36:05 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=113990.jpg task_id=20241107-5EOELW_1
Nov 07 16:36:05 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:36:05 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=113990.jpg size=39.5KiB task_id=20241107-5EOELW_1
Nov 07 16:36:11 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:11 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 07 16:36:25 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:25 DEBUG [cuckoo.node.taskrunner]: Task run timeout reached. timeout=120 task_id=20241107-5EOELW_1
Nov 07 16:36:25 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:25 DEBUG [cuckoo.node.taskrunner]: Requesting machine stop. machine=win10vm_01 task_id=20241107-5EOELW_1
Nov 07 16:36:25 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:25 DEBUG [cuckoo.node.machinery]: Machine action request. machine=win10vm_01 action=<function stop at 0x776f9ca2d7e0>
Nov 07 16:36:25 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:25 DEBUG [cuckoo.node.machinery]: Starting work. machine=win10vm_01 action=<function stop at 0x776f9ca2d7e0>
Nov 07 16:36:26 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:26 DEBUG [cuckoo.common.netcapture]: Stopping tcpdump process. pid=50008
Nov 07 16:36:26 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:26 DEBUG [cuckoo.common.netcapture]: Reading tcpdump process stderr. Process has not exited yet. Waiting for it to exit. pid=50008 timeout=60
Nov 07 16:36:26 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:26 DEBUG [cuckoo.node.machinery]: Updating machine state. machine=win10vm_01 newstate=poweroff
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:28 DEBUG [cuckoo.node.taskrunner]: Asking resultserver to unmap IP-task. ip=192.168.30.11 task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:28 DEBUG [cuckoo.node.taskrunner]: Asking rooter to disable requested route. route=type=internet task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:28 DEBUG [cuckoo.node.taskrunner]: Sending task done state to state controller. task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49720]: 2024-11-07 16:36:28 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='logs/threemon.pb' size=7.4MiB task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49733]: 2024-11-07 16:36:28 INFO  [cuckoo.node.taskrunner]: Task completed. task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:28 DEBUG [cuckoo.control]: Queueing task for post analysis processing. task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:28 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:28 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=post0 job=<Worktype=post, analysis_id=20241107-5EOELW, task_id=20241107-5EOELW_1>
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:28 INFO  [cuckoo.processing.worker]: Starting work. worker=post0 worktype=post task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:28 DEBUG [cuckoo.processing.worker]: Using event consumers. event_consumers=[<cuckoo.processing.post.eventconsumer.eventlogs.EventJSONFiles object at 0x7e3c835de200>, <cuckoo.processing.post.eventconsumer.patternsigs.PatternFinder object at 0x7e3c835de260>, <cuckoo.processing.post.eventconsumer.injection.ProcessInjection object at 0x7e3c835de320>, <cuckoo.processing.post.eventconsumer.suspicious.SuspiciousEventScoring object at 0x7e3c835de380>] task_id=20241107-5EOELW_1
Nov 07 16:36:28 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:28 DEBUG [cuckoo.processing.worker]: Chose translator for logfile. logfile=threemon.pb translator_class=<class 'cuckoo.processing.event.translate.threemon.reader.ThreemonReader'> task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Pcapreader stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=NetworkPatternSignatures stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=ProcMemCfgExtract stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=ScreenshotTiming stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SuricataPcap stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 WARN  [cuckoo.processing.worker]: Error sending command to Suricata. comand=pcap-file args={'filename': '/home/cuckoo/.cuckoocwd/storage/analyses/20241107/5EOELW/task_1/dump.pcap', 'output-dir': '/home/cuckoo/.cuckoocwd/storage/analyses/20241107/5EOELW/task_1/suricata'} error=Command not found: pcap-file task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49757]: 2024-11-07 16:36:30 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=TLSMasterSecrets stage=post task_id=20241107-5EOELW_1
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:30 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=post0 job=<Worktype=post, analysis_id=20241107-5EOELW, task_id=20241107-5EOELW_1>
Nov 07 16:36:30 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:36:30 INFO  [cuckoo.control]: Setting task to reported. task_id=20241107-5EOELW_1
Nov 07 16:37:28 IR-Cuckoo3 cuckood.sh[49711]: 2024-11-07 16:37:28 DEBUG [cuckoo.scheduler]: No new tasks(s)

~/.cuckoocwd/conf/processing/suricata.yaml:

# Enable Suricata pcap processing. Suricata must have unix-command enabled in
# its configuration file. Log giles created by Suricata will be owned by the
# user running Suricata. The Cuckoo user has to be able to read and delete
# these files.
enabled: True

# The Suricata unix socket that Cuckoo can use to send pcap processing
# commands. Pleas ensure the Cuckoo user can read and write to this unix socket.
unix_sock_path: /var/run/suricata/suricata-command.socket

# The maximum time in seconds processing should wait for Suricata
# to finish processing the submitted pcap file.
process_timeout: 60

# The file name of the eve log.
evelog_filename: eve.json

# Classification.config file path.
classification_config: /etc/suricata/classification.config

# A mapping of signature class types from the suricata classification.config
# to a Cuckoo scoring level. The task will at least be marked as the mapped
# scoring level if a signature of the class type is triggered.
# Triggered signatures of class types not mapped here are ignored.
# Available scoring levels: informational, suspicious, likely malicious,
# malicious, and known bad.
classtype_scores:
  command-and-control: known bad
  exploit-kit: known bad
  domain-c2: malicious
  trojan-activity: malicious
  targeted-activity: likely malicious
  shellcode-detect: likely malicious
  coin-mining: likely malicious
  external-ip-check: suspicious
  non-standard-protocol: informational

# A list on Suricata signature IDs (sid) that should always be ignored.
# This can be used to ignore faulty/noisy signatures.
ignore_sigids:

Configuration of unix-command in /etc/suricata/suricata.yaml:

...
# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: yes
  filename: /var/run/suricata/suricata-command.socket
...

The cuckoo user and group own / have RW access to the suricata-command.socket file:

cuckoo@IR-Cuckoo3:~/.cuckoocwd$ ll /var/run/suricata/
total 0
drwxr-xr-x  2 root   root     60 Nov  7 16:30 ./
drwxr-xr-x 32 root   root   1100 Nov  7 16:33 ../
srw-rw----  1 cuckoo cuckoo    0 Nov  7 16:30 suricata-command.socket=

Thinking this could be a permission issue I gave the cuckoo user execution permissions and the issue still occured:

cuckoo@IR-Cuckoo3:~/.cuckoocwd$ chmod 775 /var/run/suricata/suricata-command.socket
cuckoo@IR-Cuckoo3:~/.cuckoocwd$ ll /var/run/suricata
total 0
drwxr-xr-x  2 root   root     60 Nov  7 17:03 ./
drwxr-xr-x 32 root   root   1100 Nov  7 17:03 ../
srwxrwxr-x  1 cuckoo cuckoo    0 Nov  7 17:03 suricata-command.socket=

To Reproduce
Install Suricata 7.0.7, enable Suricata in suricata.yaml, reload Cuckoo service.

Expected behavior
Suricata receives the dump.pcap file produced by Cuckoo for analysis.

[cert-ee-raidar]

Thank you @ryanorm for submitting the issue.

I will have to look into it and be back with you as soon as I have some answers.

[cert-ee-raidar]

@ryanorm
Can you please share the content of the following two files:

• suricata.yaml which should be at /etc/suricata/suricata.yaml
  and
• suricata.log file which should be at /var/log/suricata/suricata.log

[ryanorm]

@cert-ee-raidar

The requested files are below.

suricata.log
suricata.yaml.txt

I've noticed this morning that after a VM reboot the file permissions of /var/run/suricata/suricata-command.socket have reverted back to root user ownership causing the error Constraint violation for key unix_sock_path: Path /var/run/suricata/suricata-command.socket does not exist or is not a unix socket.

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ ll /var/run/suricata/
total 0
drwxr-xr-x  2 root root   60 Nov  8 09:22 ./
drwxr-xr-x 31 root root 1080 Nov  8 09:22 ../
srw-rw----  1 root root    0 Nov  8 09:22 suricata-command.socket

Cuckoo service log:

Nov 08 09:22:33 IR-Cuckoo3 systemd[1]: Started Cuckoo Sandbox Service.
Nov 08 09:22:33 IR-Cuckoo3 sudo[2264]:   cuckoo : PWD=/opt/cuckoo3 ; USER=root ; COMMAND=/opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24
Nov 08 09:22:33 IR-Cuckoo3 sudo[2264]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: Assigning 192.168.30.1/24 to already existing bridge br0
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: Bridge created and configured!
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: Ensure an 'allow br0' entry exists in the 'qemu-bridge-helper' ACL file.
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: ACL file should usually be at /etc/qemu/bridge.conf or /usr/local/etc/qemu/bridge.conf. This depends on the bridge helper binary.
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: Ensure 'qemu-bridge-helper' has setuid bit so it can create interfaces for this bridge.
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: Binary is usually located at: /usr/lib/qemu/qemu-bridge-helper or /usr/local/libexec/qemu-bridge-helper
Nov 08 09:22:33 IR-Cuckoo3 cuckood.sh[2265]: See https://wiki.qemu.org/Features/HelperNetworking
Nov 08 09:22:33 IR-Cuckoo3 sudo[2264]: pam_unix(sudo:session): session closed for user root
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 INFO  [cuckoo.startup]: Starting Cuckoo. cwd=/home/cuckoo/.cuckoocwd
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 INFO  [cuckoo.startup]: Loading configurations
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/cuckoo.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/analysissettings.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/identification.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/virustotal.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/irma.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/mhr.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/misp.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/intelmq.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/elasticsearch.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.startup]: Loading config. confpath=/home/cuckoo/.cuckoocwd/conf/processing/suricata.yaml
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 ERROR [cuckoo.common.log]: Failure during Cuckoo startup: Failed to load config file /home/cuckoo/.cuckoocwd/conf/processing/suricata.yaml. Error in config file: /home/cuckoo/.cuckoocwd/conf/processing/suricata.yaml. Constraint violation for key unix_sock_path: Path /var/run/suricata/suricata-command.socket does not exist or is not a unix socket.
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.shutdown]: Calling shutdown method. method=<function main.<locals>._stopmsg at 0x77b2ff1f2710>
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: 2024-11-08 09:22:35 DEBUG [cuckoo.common.shutdown]: Calling shutdown method. method=<function stop_queue_listener at 0x77b2ff15f400>
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: Stopping Cuckoo..
Nov 08 09:22:35 IR-Cuckoo3 cuckood.sh[2270]: Failure during Cuckoo startup: Failed to load config file /home/cuckoo/.cuckoocwd/conf/processing/suricata.yaml. Error in config file: /home/cuckoo/.cuckoocwd/conf/processing/suricata.yaml. Constraint violation for key unix_sock_path:>
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Failed with result 'exit-code'.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Consumed 1.314s CPU time.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Scheduled restart job, restart counter is at 5.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: Stopped Cuckoo Sandbox Service.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Consumed 1.314s CPU time.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Start request repeated too quickly.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: cuckoo3.service: Failed with result 'exit-code'.
Nov 08 09:22:35 IR-Cuckoo3 systemd[1]: Failed to start Cuckoo Sandbox Service.

Running sudo chown cuckoo:cuckoo /var/run/suricata/suricata-command.socket fixes this error and the Cuckoo service runs as expected after a restart. After this change the 'pcap-file' command not found error still occurs.

[cert-ee-raidar]

Thank you!
We will look into it.

[cert-ee-raidar]

@ryanorm

The problem might be that Suricata is not run under cuckoo user and therefore you get error that pcap-file cannot be found as well as permission problems after reboot.

Change your suricata.yaml configuration so it will run as cuckoo

# Run Suricata with a specific user-id and group-id:
run-as:
  user: cuckoo
  group: cuckoo

Let me know if the issue persists.

[ryanorm]

@cert-ee-raidar I went ahead and made that change and restarted the suricata and cuckoo services - the same command not found error occured.

I then made file permission changes for the cuckoo user as per Suricata docs here because of some log file access permission errors after setting suricata to run under cuckoo.

Permissions on /etc/suricata and /var/log/suricata now look like this

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ ll /etc/suricata/
total 108
drwxr-xr-x   2 root cuckoo  4096 Nov  8 14:42 ./
drwxr-xr-x 114 root root    4096 Nov  7 21:55 ../
-rw-r--r--   1 root cuckoo  1024 Nov  8 14:42 .suricata.yaml.swp
-rw-r--r--   1 root cuckoo  3327 Oct  1 06:11 classification.config
-rw-r--r--   1 root cuckoo  1375 Oct  1 06:11 reference.config
-rw-r--r--   1 root cuckoo 85957 Nov  8 14:34 suricata.yaml
-rw-r--r--   1 root cuckoo  1643 Oct  1 06:11 threshold.config
cuckoo@IR-Cuckoo3:/opt/cuckoo3$ ll /var/log/suricata/
total 377128
drwxr-xr-x  5 root   cuckoo      4096 Nov  7 15:07 ./
drwxrwxr-x 15 root   syslog      4096 Nov  8 09:22 ../
drwxr-xr-x  2 root   cuckoo      4096 Oct  1 12:09 certs/
drwxr-xr-x  2 root   cuckoo      4096 Oct  1 12:09 core/
-rw-r--r--  1 root   cuckoo 365805378 Nov  8 14:34 eve.json
-rw-r--r--  1 root   cuckoo     29557 Nov  8 14:22 fast.log
drwxr-xr-x  2 root   cuckoo      4096 Oct  1 12:09 files/
-rw-r--r--  1 root   cuckoo  20091008 Nov  8 14:34 stats.log
-rw-r--r--  1 root   cuckoo      1244 Nov  8 15:09 suricata-start.log
-rw-r--r--  1 cuckoo cuckoo    203802 Nov  8 15:10 suricata.log

After a cuckoo service restart the 'pcap-file' command not found error is still occuring. I've attached /var/log/suricata/suricata.log - it doesn't show any issues loading the suricata socket, or any thing that I can think would show the cause of the problem, can you make more out of it?

2024-11-08-suricata.log

Nov 08 14:59:58 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 14:59:58 INFO  [cuckoo.control]: Tracked new analyses. amount=1
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 14:59:59 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=identification0 job=<Worktype=identification, analysis_id=20241108-7ORJKZ>
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 INFO  [cuckoo.processing.worker]: Starting work. worker=identification0 worktype=identification analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Identify stage=identification analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=FileSafelist stage=identification analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SelectFile stage=identification analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 DEBUG [cuckoo.processing.worker]: File selected. file='f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe' analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31861]: 2024-11-08 14:59:59 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=identification analysis_id=20241108-7ORJKZ
Nov 08 14:59:59 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 14:59:59 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=identification0 job=<Worktype=identification, analysis_id=20241108-7ORJKZ>
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:02 DEBUG [cuckoo.common.submit]: Supporting node for route found. node=local route=type=internet
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:02 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=pre0 job=<Worktype=pre, analysis_id=20241108-7ORJKZ>
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:02 INFO  [cuckoo.processing.worker]: Starting work. worker=pre0 worktype=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:02 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=DetermineTarget stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:02 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=CreateZip stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:02 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:02 DEBUG [cuckoo.processing.worker]: Finding child archive for selected file and normalizing to zip. analysis_id=20241108-7ORJKZ
Nov 08 15:00:03 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:03 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=DetermineLaunchArgs stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:03 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:03 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=FileInfoGather stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:04 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=StaticYaraRules stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:04 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Virustotal stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:04 WARN  [cuckoo.processing.worker]: Error while making Virustotal request. error=Virustotal request failed: Quota exceeded analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31862]: 2024-11-08 15:00:04 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=pre analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:04 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=pre0 job=<Worktype=pre, analysis_id=20241108-7ORJKZ>
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:04 DEBUG [cuckoo.control]: Creating tasks for analysis. analysis_id=20241108-7ORJKZ
Nov 08 15:00:04 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:04 DEBUG [cuckoo.common.task]: Creating task. task_id=20241108-7ORJKZ_1 platform=windows os_version=10
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.scheduler]: Searching for work to assign
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.scheduler]: Adding entry to task starter queue. task_id=20241108-7ORJKZ_1 machine=win10vm_01 node=local
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 INFO  [cuckoo.scheduler]: Assigning startable task to node. task_id=20241108-7ORJKZ_1 node=local machine=win10vm_01
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.node]: Asking taskrunner to start task. task_id=20241108-7ORJKZ_1 machine=win10vm_01 resultserver=192.168.30.1:2042
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 INFO  [cuckoo.control]: Setting task to state running. task_id=20241108-7ORJKZ_1
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:05 INFO  [cuckoo.node.taskrunner]: Task starting. task_id=20241108-7ORJKZ_1 machine=win10vm_01 target='f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe'
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.taskrunner]: Asking resultserver to map for IP to task. ip=192.168.30.11 task_id=20241108-7ORJKZ_1
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.taskrunner]: Initializing taskflow. taskflowkind=standard task_id=20241108-7ORJKZ_1
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.taskrunner]: Requesting machine start. machine=win10vm_01 task_id=20241108-7ORJKZ_1
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.machinery]: Machine action request. machine=win10vm_01 action=<function restore_start at 0x7c1bb4701a20>
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.node.machinery]: Starting work. machine=win10vm_01 action=<function restore_start at 0x7c1bb4701a20>
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.common.netcapture]: Starting tcpdump. args=['/usr/bin/tcpdump', '-i', 'br0', '-U', '-s', '0', '-n', '-w', '/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/dump.pcap', 'host', '192.168.30.11', 'and', 'not', '(', 'dst', 'host', '192.168.30.1', 'and', 'dst', 'port', '2042', ')', 'and', 'not', '(', 'src', 'host', '192.168.30.1', 'and', 'src', 'port', '2042', ')', 'and', 'not', '(', 'dst', 'host', '192.168.30.11', 'and', 'dst', 'port', '8000', ')', 'and', 'not', '(', 'src', 'host', '192.168.30.11', 'and', 'src', 'port', '8000', ')']
Nov 08 15:00:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:05 DEBUG [cuckoo.machineries.modules.qemu]: Starting machine with command. machine=win10vm_01 command=/usr/bin/qemu-system-x86_64 -nodefaults -M q35 -vga std -smp 1 -overcommit mem-lock=off -rtc base=localtime,driftfix=slew -m 4096 -netdev type=bridge,br=br0,id=net0 -device rtl8139,netdev=net0,mac=00:0a:f7:b6:0a:32,bus=pcie.0,addr=3 -device ich9-ahci,id=ahci -device ide-hd,bus=ahci.0,unit=0,drive=disk,bootindex=2 -device ide-cd,bus=ahci.1,unit=0,drive=cdrom,bootindex=1 -device usb-ehci,id=ehci -device usb-tablet,bus=ehci.0 -soundhw hda -enable-kvm -drive if=none,id=cdrom,readonly=on -drive file=/home/cuckoo/.vmcloak/vms/qemu/win10vm_01/win10vm_01_disposable.qcow2,format=qcow2,if=none,id=disk -display none -qmp unix:/home/cuckoo/.cuckoocwd/operational/sockets/qemu_win10vm_01.sock,server,nowait -monitor none -incoming exec:/usr/bin/gzip -c -d < /home/cuckoo/.vmcloak/vms/qemu/win10vm_01/memory.snapshot
Nov 08 15:00:14 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:00:14 DEBUG [cuckoo.node.machinery]: Updating machine state. machine=win10vm_01 newstate=running
Nov 08 15:00:16 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:16 DEBUG [cuckoo.node.taskrunner]: Waiting until agent is online. agent_address=192.168.30.11:8000 task_id=20241108-7ORJKZ_1
Nov 08 15:00:16 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:16 DEBUG [cuckoo.node.taskrunner]: Agent online. task_id=20241108-7ORJKZ_1
Nov 08 15:00:16 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:16 DEBUG [cuckoo.node.taskrunner]: Requesting rooter to apply route. route=type=internet task_id=20241108-7ORJKZ_1
Nov 08 15:00:18 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:18 DEBUG [cuckoo.node.taskrunner]: Using stager. stager=tmstage task_id=20241108-7ORJKZ_1
Nov 08 15:00:18 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:18 DEBUG [cuckoo.node.taskrunner]: Preparing stager. task_id=20241108-7ORJKZ_1
Nov 08 15:00:18 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:18 DEBUG [cuckoo.node.taskrunner]: Delivering and executing payload. task_id=20241108-7ORJKZ_1
Nov 08 15:00:21 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:21 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='logs/threemon.pb' task_id=20241108-7ORJKZ_1
Nov 08 15:00:21 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:21 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=15946.jpg task_id=20241108-7ORJKZ_1
Nov 08 15:00:21 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:21 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=15946.jpg size=38.3KiB task_id=20241108-7ORJKZ_1
Nov 08 15:00:21 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:00:21 DEBUG [cuckoo.node.taskrunner]: Running until timeout. timeout=120 task_id=20241108-7ORJKZ_1
Nov 08 15:00:28 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:28 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0007000000016f93-0.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:00:28 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:28 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0007000000016f93-0.dat' size=75.0KiB task_id=20241108-7ORJKZ_1
Nov 08 15:00:37 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:37 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-1.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:00:38 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:38 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-2.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:00:38 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:38 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=33304.jpg task_id=20241108-7ORJKZ_1
Nov 08 15:00:38 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:38 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=33304.jpg size=38.5KiB task_id=20241108-7ORJKZ_1
Nov 08 15:00:42 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:42 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-1.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:00:42 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:00:42 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-2.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:05 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:05 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=59896.jpg task_id=20241108-7ORJKZ_1
Nov 08 15:01:05 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:05 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=59896.jpg size=38.5KiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:01:05 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 08 15:01:37 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:37 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0008000000016f94-3.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:38 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:38 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0007000000017154-4.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:38 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:38 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000c0000000171af-5.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:39 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:39 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000a0000000171b6-6.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:40 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:40 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0008000000016f94-3.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:40 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:40 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0195000000016e4a-7.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:41 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:41 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000c000000017303-8.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:43 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:43 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-9.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:44 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:44 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-10.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:44 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:44 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000800000001730a-11.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:44 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:44 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000a0000000171b6-6.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:45 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:45 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000c0000000171af-5.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:45 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:45 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000b00000001736b-12.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:46 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:46 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00050000000181d4-13.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:46 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:46 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000f000000017581-14.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:46 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:46 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0007000000017154-4.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:48 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:48 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00060000000180bf-15.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:49 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:49 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0195000000016e4a-7.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:49 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:49 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00090000000180d3-16.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:50 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:50 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00080000000180db-17.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:51 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:51 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000c000000017303-8.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:51 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:51 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00050000000181d4-13.dat' size=2.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:52 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:52 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00080000000180e7-18.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:53 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:53 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x00050000000180fb-19.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:54 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:54 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0004000000018105-20.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:55 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:55 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0004000000018183-21.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:56 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:56 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-10.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:56 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:56 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-9.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:56 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:56 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000800000001730a-11.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:57 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:57 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000400000001818b-22.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:01:57 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:57 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000f000000017581-14.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:01:58 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:01:58 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000f0000000181be-23.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:02:00 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:00 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000b00000001736b-12.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:02 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:02 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00060000000180bf-15.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:02 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:02 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00090000000180d3-16.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:05 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:05 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 08 15:02:05 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:05 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0004000000018105-20.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:05 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:05 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00080000000180db-17.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:06 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:06 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00050000000180fb-19.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:07 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:07 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0004000000018183-21.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:07 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:07 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x00080000000180e7-18.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:07 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:07 DEBUG [cuckoo.node.resultserver]: New screenshot upload. newfile=122292.jpg task_id=20241108-7ORJKZ_1
Nov 08 15:02:07 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:07 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=122292.jpg size=38.5KiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:08 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:08 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000400000001818b-22.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:09 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:09 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000f0000000181be-23.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:10 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:10 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-24.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:02:11 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:11 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-25.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:02:11 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:11 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x0006000000017152-26.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:02:12 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:12 DEBUG [cuckoo.node.resultserver]: New file upload starting. newfile='files/0x000c0000000171af-27.dat' task_id=20241108-7ORJKZ_1
Nov 08 15:02:17 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:17 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-24.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:17 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:17 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x000c0000000171af-27.dat' size=4.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:18 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:18 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-25.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:18 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:18 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='files/0x0006000000017152-26.dat' size=5.7MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:21 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:21 DEBUG [cuckoo.node.taskrunner]: Task run timeout reached. timeout=120 task_id=20241108-7ORJKZ_1
Nov 08 15:02:21 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:21 DEBUG [cuckoo.node.taskrunner]: Requesting machine stop. machine=win10vm_01 task_id=20241108-7ORJKZ_1
Nov 08 15:02:21 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:21 DEBUG [cuckoo.node.machinery]: Machine action request. machine=win10vm_01 action=<function stop at 0x7c1bb4701870>
Nov 08 15:02:21 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:21 DEBUG [cuckoo.node.machinery]: Starting work. machine=win10vm_01 action=<function stop at 0x7c1bb4701870>
Nov 08 15:02:22 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:22 DEBUG [cuckoo.common.netcapture]: Stopping tcpdump process. pid=31944
Nov 08 15:02:22 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:22 DEBUG [cuckoo.common.netcapture]: Reading tcpdump process stderr. Process has not exited yet. Waiting for it to exit. pid=31944 timeout=60
Nov 08 15:02:22 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:22 DEBUG [cuckoo.node.machinery]: Updating machine state. machine=win10vm_01 newstate=poweroff
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:24 DEBUG [cuckoo.node.taskrunner]: Asking resultserver to unmap IP-task. ip=192.168.30.11 task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:24 DEBUG [cuckoo.node.taskrunner]: Asking rooter to disable requested route. route=type=internet task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:24 DEBUG [cuckoo.node.taskrunner]: Sending task done state to state controller. task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31838]: 2024-11-08 15:02:24 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='logs/threemon.pb' size=5.9MiB task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31849]: 2024-11-08 15:02:24 INFO  [cuckoo.node.taskrunner]: Task completed. task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:24 DEBUG [cuckoo.control]: Queueing task for post analysis processing. task_id=20241108-7ORJKZ_1
Nov 08 15:02:24 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:24 DEBUG [cuckoo.scheduler]: No new tasks(s)
Nov 08 15:02:25 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:25 DEBUG [cuckoo.runprocessing]: Assigning job to worker. workername=post0 job=<Worktype=post, analysis_id=20241108-7ORJKZ, task_id=20241108-7ORJKZ_1>
Nov 08 15:02:25 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:25 INFO  [cuckoo.processing.worker]: Starting work. worker=post0 worktype=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:25 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:25 DEBUG [cuckoo.processing.worker]: Using event consumers. event_consumers=[<cuckoo.processing.post.eventconsumer.eventlogs.EventJSONFiles object at 0x755b68bde2f0>, <cuckoo.processing.post.eventconsumer.patternsigs.PatternFinder object at 0x755b68bde350>, <cuckoo.processing.post.eventconsumer.injection.ProcessInjection object at 0x755b68bde410>, <cuckoo.processing.post.eventconsumer.suspicious.SuspiciousEventScoring object at 0x755b68bde470>] task_id=20241108-7ORJKZ_1
Nov 08 15:02:25 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:25 DEBUG [cuckoo.processing.worker]: Chose translator for logfile. logfile=threemon.pb translator_class=<class 'cuckoo.processing.event.translate.threemon.reader.ThreemonReader'> task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:26 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=Pcapreader stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=NetworkPatternSignatures stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=ProcMemCfgExtract stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=ScreenshotTiming stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SuricataPcap stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 WARN  [cuckoo.processing.worker]: Error sending command to Suricata. comand=pcap-file args={'filename': '/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/dump.pcap', 'output-dir': '/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/suricata'} error=Command not found: pcap-file task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=JSONDump stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31863]: 2024-11-08 15:02:27 DEBUG [cuckoo.processing.worker]: Running reporting plugin. plugin=TLSMasterSecrets stage=post task_id=20241108-7ORJKZ_1
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:27 DEBUG [cuckoo.runprocessing]: Worker finished job. workername=post0 job=<Worktype=post, analysis_id=20241108-7ORJKZ, task_id=20241108-7ORJKZ_1>
Nov 08 15:02:27 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:02:27 INFO  [cuckoo.control]: Setting task to reported. task_id=20241108-7ORJKZ_1
Nov 08 15:03:24 IR-Cuckoo3 cuckood.sh[31831]: 2024-11-08 15:03:24 DEBUG [cuckoo.scheduler]: No new tasks(s)

/var/run/suricata/suricata-command.socket permissions (with the recently updated cuckoo group)

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ ll /var/run/suricata
total 0
drwxrwsr-x  2 root   cuckoo   60 Nov  8 14:54 ./
drwxr-xr-x 31 root   root   1080 Nov  8 14:54 ../
srw-rw----  1 cuckoo cuckoo    0 Nov  8 14:54 suricata-command.socket=

Specific contents of /etc/suricata/suricata.yaml I think that are relevant:

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: yes
  filename: /var/run/suricata/suricata-command.socket

......

# Run Suricata with a specific user-id and group-id:
run-as:
  user: cuckoo
  group: cuckoo

[ryanorm]

@cert-ee-raidar The suricata docs say the python-simplejson package is required to provide JSON support to Python to send commands to Suricata. I am wondering if the JSON arguments that Cuckoo is sending to Suricata is not being sent correctly?

Using the last Cuckoo log example I gave the args passed to Suricata were {'filename': '/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/dump.pcap', 'output-dir': '/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/suricata'}

I've tried a few JSON parsers/validators and this seems to be invalid JSON, replacing single quotes with double quotes resolved this issue.

{"filename": "/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/dump.pcap", "output-dir": "/home/cuckoo/.cuckoocwd/storage/analyses/20241108/7ORJKZ/task_1/suricata"}

[cert-ee-raidar]

Thank you for the extensive amount of information.
It's going to take a bit before I can get back to trying to reproduce the issue locally.
I will get back to you in a few days.
If you manage to resolve it in the meanwhile or gain more information, share it freely.

[cert-ee-raidar]

Unfortunetly it will take a bit more than few days. Sorry for the wait.

[ryanorm]

@cert-ee-raidar Thank you for the update. If I have time this week I will look at downgrading Suricata and re-testing. If I have updates I will share them.

[ryanorm]

@cert-ee-raidar Unfortunatley no progress with the command not found error with Suricata. I've tested Suricata 7.0.7 with the socket file located under /etc/suricata/socket/ and the command not found error persists. EDIT: I've reverted the changes made below, but included them in case you were going to try this.

Side note - Any permission changes made to /var/run/suricata/suricata-command.socket were being reverted on server reboot, meaning this folder/file was owned by root which stopped the Cuckoo service from starting.

Configuring /etc/suricata/suricata.yaml and ~/.cuckoocwd/conf/processing/suricata.yaml to use a path under /etc/suricata/ fixed this issue.

Created folder /etc/suricata/socket/ and changed ownership of this foler to cuckoo user

chgrp -R suricata /etc/suricata
chmod -R g+r /etc/suricata
sudo chown cuckoo:cuckoo /etc/suricata/socket/

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ ll /etc/suricata/
total 108
drwxr-xr-x   3 cuckoo cuckoo  4096 Nov 18 12:04 ./
drwxr-xr-x 114 root   root    4096 Nov  7 21:55 ../
-rw-r--r--   1 cuckoo cuckoo  3327 Oct  1 06:11 classification.config
-rw-r--r--   1 cuckoo cuckoo  1375 Oct  1 06:11 reference.config
drwxr-xr-x   2 cuckoo cuckoo  4096 Nov 18 11:35 socket/
-rw-r--r--   1 cuckoo cuckoo 86015 Nov 18 12:00 suricata.yaml
-rw-r--r--   1 cuckoo cuckoo  1643 Oct  1 06:11 threshold.config

Edited /etc/suricata/suricata.yaml to:

unix-command:
  enabled: yes
  #filename: /var/run/suricata/suricata-command.socket
  filename: /etc/suricata/socket/suricata-command.socket

Edited ~/.cuckoocwd/conf/processing/suricata.yaml to:

# The Suricata unix socket that Cuckoo can use to send pcap processing
# commands. Pleas ensure the Cuckoo user can read and write to this unix socket.
unix_sock_path: /etc/suricata/socket/suricata-command.socket
#unix_sock_path: /var/run/suricata/suricata-command.socket

[ryanorm]

@cert-ee-raidar

TLDR: I believe the original "pcap-file" command not found error is caused because my Suricata service was not running in "PCAP processing mode" - details below. With one additional change to Suricata's config I was able to submit PCAP files for manual analysis. Cuckoo still needs some changes to make this happen automatically.

When running the suricatasc command (the script for interfacing with the Suricata socket) with the Suricata service running it says there is no command named pcap-file - this is where the original error might be coming from. Note below that 38 commands are available.

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ suricatasc /var/run/suricata/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, reload-tenants, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, get-flow-stats-by-id, dataset-dump, dataset-clear, dataset-lookup, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>> pcap-file
L246: Unknown command: pcap-file
>>>

I believe this is because the suricata service is not running in "PCAP processing mode" as defined in Suricat's documentation here

I stopped the Suricata service (sudo systemctl stop suricata.service) and ran this command to run Suricata in PCAP processing mode: sudo suricata -c /etc/suricata/suricata.yaml --unix-socket

Starting a Suricata process in "PCAP procssing mode"

cuckoo@IR-Cuckoo3:/etc/suricata$ sudo suricata -c /etc/suricata/suricata.yaml --unix-socket
i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
i: threads: Threads created ->   Engine started.

Then when I ran suricatasc again the pcap-file command is available (see below there are now 41 commands available now).

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ suricatasc /var/run/suricata/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, reload-tenants, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, get-flow-stats-by-id, dataset-dump, dataset-clear, dataset-lookup, pcap-file, pcap-file-continuous, pcap-file-number, pcap-file-list, pcap-last-processed, pcap-interrupt, pcap-current, quit
>>> pcap-file
L232: Missing arguments: expected at least 2
>>>

Therefore I think this does give a good answer to the original issue. It might be good advice that Cuckoo deployments do not use Suricata running as a service.

Manually processing Cuckoo PCAP files with Suricata

However when I run the pcap-file command to add a PCAP file for analysis the main Suricata process stops with an error "E: threads: Unable to create thread with pthread_create(): retval 11: Resource temporarily unavailable".

I had to edit /etc/suricata/suricata.yaml to allow Suricata to create child processes (source).

Set limit-noproc to false:

security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: false

Running the pcap-file command again with a PCAP generated from a Cuckoo analysis was then successful, Suricata received the file, and dumped three output files at the output directory location.

suricatasc command input:

cuckoo@IR-Cuckoo3:/opt/cuckoo3$ suricatasc /var/run/suricata/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, reload-tenants, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, get-flow-stats-by-id, dataset-dump, dataset-clear, dataset-lookup, pcap-file, pcap-file-continuous, pcap-file-number, pcap-file-list, pcap-last-processed, pcap-interrupt, pcap-current, quit
>>> pcap-file /home/cuckoo/.cuckoocwd/storage/analyses/20241118/LNL0EC/task_1/dump.pcap /home/cuckoo/pcap_output
Success:
"Successfully added file to list"
>>>

Suricata process output:

cuckoo@IR-Cuckoo3:/home/CLOTHtrackGUESS$ sudo suricata -c /etc/suricata/suricata.yaml --unix-socket
i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
i: threads: Threads created ->   Engine started.
i: pcap: read 1 file, 34175 packets, 34071592 bytes

[ryanorm]

@cert-ee-raidar I have been able to get Suricata working consistently now, PCAPs are submitted to Suricata and alerts are displayed in the GUI report page.

Solution

Create a systemd service for running Suricata in "PCAP processing mode" which the main Cuckoo3 service must wait to be running before it scan start. I also moved the Suricata socket file to /opt/cuckoo3/suricata/suricata-command.socket to avoid issues with folder permissions being reset.

The Suricata service runs Suricata as the root user but the socket file is accessible to the cuckoo user. I'd welcome any suggestions on how I've written the service file - this is not my strongest area.

systemd file for cuckoo3suricata.service:

[Unit]
Description=Suricata IDS/IPS Service for Cuckoo3
After=network.target

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket=/opt/cuckoo3/suricata/suricata-command.socket -vvv
Restart=always
RestartSec=5
User=root
Group=root
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
NoNewPrivileges=true
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

My Cuckoo3.service systemd file:

[Unit]
Description=Cuckoo Sandbox Service
After=network.target cuckoo3suricata.service
Requires=cuckoo3suricata.service
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Type=simple
User=cuckoo
ExecStart=/opt/cuckoo3/cuckood.sh
WorkingDirectory=/opt/cuckoo3
Environment="PATH=/opt/cuckoo3/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Restart=on-failure

[Install]
WantedBy=multi-user.target

My /etc/suricata/suricata.yaml file:

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: yes
  filename: /opt/cuckoo3/suricata/suricata-command.socket

My : ~/.cuckoocwd/conf/processing/suricata.yaml file:

# The Suricata unix socket that Cuckoo can use to send pcap processing
# commands. Pleas ensure the Cuckoo user can read and write to this unix socket.
unix_sock_path: /opt/cuckoo3/suricata/suricata-command.socket

Log showing execution of the SuricataPcap analysis plugin:

Nov 19 15:15:36 IR-Cuckoo3 cuckood.sh[7402]: 2024-11-19 15:15:36 DEBUG [cuckoo.processing.worker]: Running processing plugin. plugin=SuricataPcap stage=post task_id=20241119-96AO8F_1

Output of Cuckoo3suricata.service showing PCAP processing from Cuckoo:

[cert-ee-raidar]

@ryanorm
Awesome!

When I get the chance, I will go over it in practice and then add it to our documentation.
Thank you for all the detailed information!

Once I have worked through it I will close the issue myself.

[LM-CT]

I followed the steps laid out by @ryanorm and can confirm everything is working!

I have yet to test it with known malware to see how it performs, but that's for another time.

[ryanorm]

@LM-CT thats great news. I've been running Cuckoo with these steps in place for two weeks and have had stable service start and task execution.

@cert-ee-raidar if you need me to generate some documentation for this I will be happy to do so.

[cert-ee-raidar]

@ryanorm
Yes, please do. Every bit helps.
We have a documentation template for adding new documentation and you can link a pull request with it.

Please add the new guide under configuring section
And add an entry - Suricata: configuring/suricata.md into mkdocs.yml

You can follow our Contributing guide to get started. It may be a bit raw so suggestions are also welcome.

We do net yet have a documenting guide, but the gist of it is:

• Keep it simple
• Use common language and avoid complicated jargon (ideally a non technical person should be able to follow it with some guiding links)
• Use code examples
• If it contains multiple sections, seperate them into H2 paragraphs and use steps: with numbered list to explain the steps user needs to take.
• Use System dependencies or VMCloak as guidelines. They are not perfect but should give the tone and style.

[LM-CT]

An update:

After a reboot, the socket file was recreated with root:root ownership, because I forgot to change the user Suricata is running under in the config.

@ryanorm
Please remember to include this part in the suricata.yaml modifications when writing the docs.

And, again, thank you for the detailed guide!