Issues in Suricata services and cape.yaml file #2736

@obfstr

Description

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)
  • Asked and no solution about my issue with deepwiki

Expected Behavior

Suricata rules to be loaded correctly during the analysis and the suricata-update.timer service to be triggered correctly.

Current Behavior

Currently rules are not loaded and the suricata-update.timer service is not triggering.

When I try to do any analysis on CAPE, I get the following logs in the suricata.log file.

/opt/CAPEv2/storage/analyses/75/logs$ cat suricata.log

[206668 - Suricata-Main] 2025-10-30 04:58:07 Notice: suricata: This is Suricata version 8.0.0 RELEASE running in USER mode
[206668 - Suricata-Main] 2025-10-30 04:58:07 Info: cpu: CPUs/cores online: 32
[206668 - Suricata-Main] 2025-10-30 04:58:07 Info: suricata: Setting engine mode to IDS mode by default
[206668 - Suricata-Main] 2025-10-30 04:58:07 Info: exception-policy: master exception-policy set to: auto
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: suricata: Preparing unexpected signal handling
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: logopenfile: fast output device (regular) initialized: fast.log
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: logopenfile: stats output device (regular) initialized: stats.log
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: detect: No signatures supplied.
[206669 - RX#01] 2025-10-30 04:58:08 Info: pcap: Starting file run for /opt/CAPEv2/storage/analyses/75/dump.pcap
[206668 - Suricata-Main] 2025-10-30 04:58:08 Notice: threads: Threads created -> RX: 1 W: 32 FM: 1 FR: 1   Engine started.
[206669 - RX#01] 2025-10-30 04:58:08 Info: pcap: pcap file /opt/CAPEv2/storage/analyses/75/dump.pcap end of file reached (pcap err code 0)
[206668 - Suricata-Main] 2025-10-30 04:58:08 Notice: suricata: Signal Received.  Stopping engine.
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: suricata: time elapsed 0.554s
[206669 - RX#01] 2025-10-30 04:58:08 Notice: pcap: read 1 file, 3 packets, 294 bytes
[206668 - Suricata-Main] 2025-10-30 04:58:08 Info: counters: Alerts: 0

Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

Steps to Reproduce

After seeing the logs in the suricata.log file, I checked the cape.yaml file and tried to run the cape.yaml file using

sudo suricata -T -c /etc/suricata/cape.yaml

The output was:

Notice: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 32
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: Preparing unexpected signal handling
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Error: suricata: stacktrace:sig 11:__nss_database_lookup+0x0000ba9b;StatsSetupPostConfigPreOutput+0x00000175;PreRunPostPrivsDropInit+0x00000012;SuricataInit+0x000001d0;main+0x00000063;__libc_init_first+0x0000008a;__libc_start_main+0x0000008b;_start+0x00000025
Segmentation fault

I think the error is in the syntax of the YAML file.

I replaced the cape.yaml file with the following file

%YAML 1.1
---

default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules

mpm-algo: hs

stream:
  reassembly:
    depth: 0
  checksum-validation: none

netmap:
  checksum-checks: no

pcap-file:
  checksum-checks: no

app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          request-body-limit: 0
          response-body-limit: 0
    tls:
      ja3-fingerprints: yes

vars:
  address-groups:
    HOME_NET: "[CAPE Host network,CAPE VM network]"   # Replace with your own network ranges.
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80,8080,8000,8888,81,82,8008"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: "80,110,143,25,21,23,443"
    FTP_PORTS: 21
    SSH_PORT: 22
# Security tweaks
security:
  limit-noproc: false

outputs:
  - file-store:
      version: 2
      enabled: yes
      dir: /var/lib/suricata/files
      write-fileinfo: yes
      force-filestore: yes
      stream-depth: 0

Defining the HOME_NET, EXTERNAL_NET etc. variables is important because these rules are fetched from the Emerging Threats Suricata rules and these variables are used in the rules. If we don't define these variables in the YAML file, the rules will not be loaded.
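The following script is an added example for this issue, not code from the CAPE project or from Suricata. It shows the failure mode described above as a pre-flight check: it scans the vars: block of a cape.yaml for defined address and port variables, then lists every rule whose header references a variable that is missing. The config excerpt and the rule lines are constructed (the network range and the sids are made up), and the tiny scanner assumes cape.yaml's 2-space indentation with one NAME: value per line rather than pulling in a YAML library.

```python
"""Check a Suricata/CAPE config for rule variables that are never defined.

Added example for this issue; it is not CAPE's or Suricata's own code. A rule
whose header references an address or port variable missing from 'vars:' is
rejected at load time, and a rule set that mostly depends on
HOME_NET/EXTERNAL_NET then ends up as "No signatures supplied" with zero alerts.
"""
import re

# Constructed excerpt of a cape.yaml; the network value is a placeholder.
SAMPLE_CONFIG = """\
%YAML 1.1
---
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules

vars:
  address-groups:
    HOME_NET: "[192.168.56.0/24]"   # constructed value, not a real deployment
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80,8080,8000"
    SHELLCODE_PORTS: "!80"

outputs:
  - fast:
      enabled: yes
"""

# Constructed rules in Emerging Threats style; sids and messages are made up.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE inbound http"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORTS (msg:"SAMPLE outbound ssh"; sid:9000002; rev:1;)
# comment lines are ignored by the loader
alert dns $HOME_NET any -> $DNS_SERVERS 53 (msg:"SAMPLE dns query"; sid:9000003; rev:1;)
"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
VAR_DEF = re.compile(r"^\s{2,}([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*(?:#.*)?$")
SID = re.compile(r"\bsid:\s*(\d+)")


def defined_vars(config_text):
    """Return {name: value} for every entry under the top-level 'vars:' key.

    Deliberately small scanner (assumption of this example): 2-space
    indentation and one 'NAME: value' entry per line, which is how cape.yaml
    lays out address-groups and port-groups.
    """
    found = {}
    in_vars = False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new top-level key starts here
            in_vars = line.rstrip() == "vars:"
            continue
        if in_vars:
            m = VAR_DEF.match(line)
            if m and m.group(2):              # skips the 'address-groups:' headers
                found[m.group(1)] = m.group(2).strip('"')
    return found


def check_rules(config_text, rules_text):
    """List (where, variable) pairs for references no definition satisfies.

    'where' is 'var:NAME' when a variable's own value (e.g. "!$HOME_NET") is
    the problem, or 'sid:NNN' for a rule header that would fail to load.
    """
    defs = defined_vars(config_text)
    problems = []
    for name, value in defs.items():
        for ref in VAR_REF.findall(value):
            if ref not in defs:
                problems.append(("var:" + name, ref))
    for raw in rules_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        header = rule.split("(", 1)[0]       # variables live in the rule header
        m = SID.search(rule)
        sid = m.group(1) if m else "?"
        for ref in VAR_REF.findall(header):
            if ref not in defs:
                problems.append(("sid:" + sid, ref))
    return problems


if __name__ == "__main__":
    for where, var in check_rules(SAMPLE_CONFIG, SAMPLE_RULES):
        print(f"{where}: ${var} is not defined in vars:")
```

Run against the real files by replacing the two constructed strings with the contents of /etc/suricata/cape.yaml and the rule file named under rule-files; an empty result means every variable the rule set needs is present in the config.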

Regarding the suricata-update.timer service

I was getting these logs from sudo systemctl status suricata-update.timer

Oct 29 07:33:31 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 10:47:21 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 10:48:04 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 10:48:10 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 10:49:37 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 11:46:41 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring. 
Oct 29 11:50:57 detact systemd[1]: /usr/lib/systemd/system/suricata-update.timer:7: Unknown key name 'unit' in section 'Timer', ignoring.

I think it needs to be updated to

[Unit]
Description=Run suricata-update hourly and at boot

[Timer]
OnBootSec=15min
OnUnitActiveSec=1h
Unit=suricata-update.service

[Install]
WantedBy=timers.target
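As an added example (not part of CAPE or systemd), the script below checks a .timer unit the way the journal message above implies systemd does: the [Timer] section is parsed case-sensitively, any key not documented in systemd.timer(5) is reported, and keys that differ from a documented one only by letter case (the lowercase unit= from the log) are rewritten. The unit text it runs on is a constructed copy of the broken file, since the issue only shows the journal line, not the file itself.

```python
"""Lint and repair the [Timer] section of a systemd .timer unit.

Added example for this issue, not part of CAPE or systemd. systemd's unit
parser is case-sensitive, so a 'unit=' line is dropped with
"Unknown key name 'unit' in section 'Timer', ignoring" and the timer never
starts suricata-update.service; this script flags such keys and rewrites the
ones that only differ from a documented key by letter case.
"""
import configparser

# [Timer] keys documented in systemd.timer(5); anything else is unknown.
KNOWN_TIMER_KEYS = {
    "OnActiveSec", "OnBootSec", "OnStartupSec", "OnUnitActiveSec",
    "OnUnitInactiveSec", "OnCalendar", "AccuracySec", "RandomizedDelaySec",
    "FixedRandomDelay", "OnClockChange", "OnTimezoneChange", "Unit",
    "Persistent", "WakeSystem", "RemainAfterElapse",
}

# Constructed unit text reproducing the mistake from the journal output; the
# real file's other contents are not known here.
BROKEN_TIMER = """\
[Unit]
Description=Run suricata-update hourly and at boot

[Timer]
OnBootSec=15min
OnUnitActiveSec=1h
unit=suricata-update.service

[Install]
WantedBy=timers.target
"""


def lint_timer(unit_text):
    """Return [(offending_key, suggested_key_or_None)] for the [Timer] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str                 # keep key case exactly as written
    parser.read_string(unit_text)
    if not parser.has_section("Timer"):
        return [("<no [Timer] section>", None)]
    by_lower = {k.lower(): k for k in KNOWN_TIMER_KEYS}
    findings = []
    for key in parser.options("Timer"):
        if key not in KNOWN_TIMER_KEYS:
            findings.append((key, by_lower.get(key.lower())))
    return findings


def fix_timer(unit_text):
    """Rewrite [Timer] keys that differ from a documented key only by case."""
    by_lower = {k.lower(): k for k in KNOWN_TIMER_KEYS}
    fixed, section = [], None
    for line in unit_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif (section == "Timer" and "=" in stripped
              and not stripped.startswith(("#", ";"))):
            key, value = stripped.split("=", 1)
            canonical = by_lower.get(key.strip().lower(), key.strip())
            line = f"{canonical}={value.strip()}"
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for key, suggestion in lint_timer(BROKEN_TIMER):
        hint = f" (did you mean {suggestion}=?)" if suggestion else ""
        print(f"[Timer] unknown key '{key}'{hint}")
    print(fix_timer(BROKEN_TIMER))
```

On a live host, systemd-analyze verify /usr/lib/systemd/system/suricata-update.timer performs the same kind of check with systemd's own parser and is the quicker way to confirm the corrected file before running systemctl daemon-reload.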

Can anyone test the cape.yaml file and suricata-update.timer and tell me whether they are correct, or whether we can come up with a better solution?

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

Question            Answer
OS version          Ubuntu 24
Suricata version    8.0.0

Failure Logs

Please include any relevant log snippets or files here.
