[Oisf-users] Configuring Suricata Auto Update with Briar IDS
419telegraph298 at protonmail.com
Sat Jan 19 21:44:15 UTC 2019
Hey everyone,
I recently installed Suricata on a Raspberry Pi 3 using the Briar IDS - https://github.com/musicmancorley/BriarIDS
I then attempted to install Suricata-Update; however, I am running into issues, I suspect because Briar installed suricata-4.0.4 in /usr/local/src but auto-update is in /var/lib/suricata. Suricata stops running every day instead of updating, and I have to relaunch the program manually. It does not have any issues collecting traffic when I relaunch.
It fails to locate the binary for Suricata and gives me the error "No distribution rule directory found" but has been able to update my rulesets in /usr/local/src/suricata-4.0.4/rules. Do I need to move my config file?
When I run verbose mode, I get the following output:
sudo suricata-update -v
19/1/2019 -- 21:27:28 - <Debug> -- This is suricata-update version 1.0.3 (rev: 8a782d4); Python: 2.7.13 (default, Sep 26 2018, 18:42:22) - [GCC 6.3.0 20170516]
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value force -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value verbose -> True
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value enable -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-merge -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value version -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value dump-sample-configs -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-test -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value subcommand -> update
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value modify -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-reload -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-ignore -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value disable -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value etopen -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value now -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value url -> []
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value drop -> False
19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value ignore -> []
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/local/sbin
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/local/bin
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/sbin
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/bin
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /sbin
19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /bin
19/1/2019 -- 21:27:28 - <Warning> -- No suricata application binary found on path.
19/1/2019 -- 21:27:28 - <Info> -- Using default Suricata version of 4.0.0
19/1/2019 -- 21:27:28 - <Info> -- No sources configured, will use Emerging Threats Open
19/1/2019 -- 21:27:28 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz.md5.
19/1/2019 -- 21:27:28 - <Debug> -- Setting HTTP User-Agent to Suricata-Update/1.0.3 (OS: Linux; CPU: armv7l; Python: 2.7.13; Dist: debian/9.6; Suricata: 4.0.0)
19/1/2019 -- 21:27:29 - <Debug> -- Local checksum=|x|; remote checksum=|x|
19/1/2019 -- 21:27:29 - <Info> -- Remote checksum has not changed. Not fetching.
19/1/2019 -- 21:27:29 - <Warning> -- No distribution rule directory found.
19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/emerging-mobile_malware.rules.
19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/emerging-icmp.rules.
19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/tor.rules.
19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-activex.rules.
19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-icmp_info.rules.
19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-policy.rules.
19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-pop3.rules.
19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-shellcode.rules.
19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-attack_response.rules.
19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-trojan.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-dns.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-telnet.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-scada.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-misc.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/dshield.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-sql.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-inappropriate.rules.
19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-web_server.rules.
19/1/2019 -- 21:27:37 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules.
19/1/2019 -- 21:27:42 - <Debug> -- Parsing rules/emerging-user_agents.rules.
Thank you so much in advance for any advice on this. I have read through previous forum postings and have gathered that Suricata's Auto-Update can kill traffic collection if improperly configured.
Sincerely,
Paul
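A cron wrapper of the kind one would use for the situation described in the post above: it locates the source-built Suricata binary explicitly instead of letting suricata-update fall back to the 4.0.0 default, and it only reloads the running daemon after the updated configuration passes a test. This is an added example, not code from the post, from Briar IDS or from the Suricata project; the build path /usr/local/src/suricata-4.0.4/src and the config path /etc/suricata/suricata.yaml are assumptions, while --suricata, --suricata-conf, --no-test and --no-reload are real suricata-update options.

```shell
#!/bin/sh
# Cron wrapper for suricata-update when Suricata was built from source and its
# binary is not on PATH. Added example; the source-tree path and the config
# path below are assumptions, adjust them to the actual install.

# Directories to search for the binary: the ones suricata-update itself tries
# (see the "Looking for suricata in ..." lines) plus the assumed build tree.
CANDIDATES="${SURICATA_CANDIDATES:-/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/local/src/suricata-4.0.4/src}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"   # assumed location

# find_suricata: print the first executable "suricata" found in CANDIDATES.
# Returns 1 if none exists, so the caller can refuse to guess a version.
find_suricata() {
    for d in $CANDIDATES; do
        if [ -x "$d/suricata" ]; then
            printf '%s\n' "$d/suricata"
            return 0
        fi
    done
    return 1
}

# safe_update: fetch rules with the binary and config given explicitly (so the
# real version and rule directory are detected instead of the 4.0.0 default),
# test the resulting config, and only then ask the running daemon to reload.
# Any failure leaves the running Suricata untouched instead of stopping it.
safe_update() {
    bin=$(find_suricata) || {
        echo "suricata binary not found in: $CANDIDATES" >&2
        return 1
    }
    suricata-update --suricata "$bin" --suricata-conf "$SURICATA_CONF" \
        --no-test --no-reload || return 1
    "$bin" -T -c "$SURICATA_CONF" || {
        echo "config test failed after update; not reloading" >&2
        return 1
    }
    suricatasc -c reload-rules
}

# Run only when invoked as "suricata-safe-update.sh run" (e.g. from cron).
case "${1:-}" in
    run) safe_update ;;
esac
```

Schedule it from root's crontab with the `run` argument; a non-zero exit means the running sensor was left as it was and the cron mail shows which step refused.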