Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pcap import fails on Windows with per-machine install #2715

Closed
philrz opened this issue Mar 8, 2023 · 1 comment · Fixed by brimdata/brimcap#305 or brimdata/build-suricata#69
Closed

pcap import fails on Windows with per-machine install #2715

philrz opened this issue Mar 8, 2023 · 1 comment · Fixed by brimdata/brimcap#305 or brimdata/build-suricata#69
Assignees
@nwt
Labels
community

Comments

@philrz
Copy link
Contributor

philrz commented Mar 8, 2023

Repro is with Zui v1.0.0. This issue was first reported by a community user in a Slack thread.

The attached video shows a Windows 10 environment where Zui was installed with the "per-machine" option that was added in #2686. When a pcap is imported, an error pops up:

Unable to generate full summary logs from PCAP 
Detail: suricatarunner.exe exited with code 1
stdout: (no output)
stderr:
2023/03/07 19:36:53 makeConfig failed: open C:\Program Files\Zui\resources\app.asar.unpacked\zdeps\suricata\brim-conf-run.yaml: Access is denied.
Media1.mp4

I think I see what the problem is. The Windows suricataupdater.exe makes use of the BRIM_SURICATA_USER_DIR environment variable that's sent down from Zui here:

zui/src/plugins/brimcap/brimcap-plugin.ts

Line 78 in 904edcf

process.env.BRIM_SURICATA_USER_DIR = this.suricataUserDir

...wheres with suricatarunner.exe it seems like the creation of the brim-conf-run.yaml happens under the "zdeps" directory near where the binaries live and are intended to be read-only (https://zui.brimdata.io/docs/support/Filesystem-Paths#application-binaries). I can also see that the shell-script-based runner scripts we use on Linux/macOS do seem to make use of BRIM_SURICATA_USER_DIR so they end up writing their brim-conf-run.yaml in the separate read/write "user data" area (https://zui.brimdata.io/docs/support/Filesystem-Paths#user-data).

In conclusion, I think the suricatarunner.exe needs some enhancement to make use of the BRIM_SURICATA_USER_DIR.
@philrz philrz mentioned this issue Mar 8, 2023
Closed
nwt added a commit to brimdata/build-suricata that referenced this issue Mar 16, 2023
@nwt
honor BRIM_SURICATA_USER_DIR in Windows runner
115d5ba 
The Windows Suricata runner fails on per-machine installs of the Zui app
because it ignores the BRIM_SURICATA_USER_DIR environment variable and
tries to write a Suricata configuration file to its own directory, which
isn't writable by a non-Administrator on per-machine installs.  Fix by
writing the file to BRIM_SURICATA_USER_DIR if specified.

The Windows runner also ignores the rules file that suricataupdater.exe
generates at $BRIM_SURICATA_USER_DIR\rules\suricata.rules.  Fix by using
that file if it exists, falling back to the packaged rules file if it
does not.

For brimdata/zui#2715.
@nwt nwt mentioned this issue Mar 16, 2023
Merged
nwt added a commit to brimdata/build-suricata that referenced this issue Mar 17, 2023
@nwt
honor BRIM_SURICATA_USER_DIR in Windows runner (#69)
92aa0c4 
The Windows Suricata runner fails on per-machine installs of the Zui app
because it ignores the BRIM_SURICATA_USER_DIR environment variable and
tries to write a Suricata configuration file to its own directory, which
isn't writable by a non-Administrator on per-machine installs.  Fix by
writing the file to BRIM_SURICATA_USER_DIR if specified.

The Windows runner also ignores the rules file that suricataupdater.exe
generates at $BRIM_SURICATA_USER_DIR\rules\suricata.rules.  Fix by using
that file if it exists, falling back to the packaged rules file if it
does not.

For brimdata/zui#2715.
@philrz philrz mentioned this issue Mar 17, 2023
Merged
@philrz philrz linked a pull request Mar 17, 2023 that will close this issue
honor BRIM_SURICATA_USER_DIR in Windows runner brimdata/build-suricata#69
Merged
@philrz
Copy link
Contributor Author

philrz commented Mar 17, 2023

Verified with Zui Insiders 1.0.1-9 which includes this fix.

As shown in the attached video, now on a "per machine" install where the app binaries land in %ProgramFiles%\Zui, pcap import works now whereas it failed in the past. Another problem was fixed at the same time that's also shown in the video: Previously on Windows, the Suricata rule set that shipped with the app binaries was always being used, but now the updated one below the user data directory is used. This was tested by manually hacking a rule in %APPDATA%\Zui - Insiders\data\suricata\rules\suricata.rules that would be triggered by the pcap, then re-importing the pcap and observing that the hack is present.

Verify.mp4

Thanks @nwt!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nwt nwt

Labels
community
Projects
None yet
Milestone
No milestone
2 participants
@nwt @philrz