[Oisf-users] Configuring Suricata Auto Update with Briar IDS

419telegraph298 at protonmail.com 419telegraph298 at protonmail.com
Wed Jan 23 00:25:09 UTC 2019


Thanks for the advice - ran dmesg and got the following:

[  244.876165] Out of memory: Kill process 1198 (suricata-update) score 429 or sacrifice child
[  244.876180] Killed process 1198 (suricata-update) total-vm:474040kB, anon-rss:463640kB, file-rss:808kB, shmem-rss:0kB

When running the "top" command I see that suricata is running twice, with PIDs 1126 and 1011, something I had observed previously. Any advice on preventing the process from running twice?

Sent from [ProtonMail](https://protonmail.ch), encrypted email based in Switzerland.

------- Original Message -------
On Sunday, January 20, 2019 4:40 AM, bjorn at ruberg.no <bjorn at ruberg.no> wrote:

> Last time I tried something like this on an RPi, suricata-update required quite a bit of memory causing the oom-killer to sacrifice the main Suricata process.
>
> Check your logs and/or dmesg.
>
> -------- Original Message --------
> Subject: [Oisf-users] Configuring Suricata Auto Update with Briar IDS
> From: 419telegraph298 at protonmail.com
> To: oisf-users at lists.openinfosecfoundation.org
> CC:
>
>>> Hey everyone,
>>>
>>> I recently installed Suricata on a Raspberry Pi 3 using the Briar IDS - https://github.com/musicmancorley/BriarIDS
>>>
>>> I then attempted to install Suricata-Update, however, and am running into issues, I suspect because Briar installed suricata-4.0.4 in /usr/local/src but auto-update is in /var/lib/suricata. Suricata stops running every day instead of updating, and I have to relaunch the program manually. It does not have any issues collecting traffic when I relaunch.
>>>
>>> It fails to locate the binary for Suricata and gives me the error "No distribution rule directory found" but has been able to update my rulesets in /usr/local/src/suricata-4.0.4/rules. Do I need to move my config file?
>>>
>>> When I run verbose mode, I get the following output:
>>>
>>> sudo suricata-update -v
>>>
>>> 19/1/2019 -- 21:27:28 - <Debug> -- This is suricata-update version 1.0.3 (rev: 8a782d4); Python: 2.7.13 (default, Sep 26 2018, 18:42:22) - [GCC 6.3.0 20170516]
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value force -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value verbose -> True
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value enable -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-merge -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value version -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value dump-sample-configs -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-test -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value subcommand -> update
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value modify -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-reload -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value no-ignore -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value disable -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value etopen -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value now -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value url -> []
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value drop -> False
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting configuration value ignore -> []
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/local/sbin
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/local/bin
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/sbin
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /usr/bin
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /sbin
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Looking for suricata in /bin
>>> 19/1/2019 -- 21:27:28 - <Warning> -- No suricata application binary found on path.
>>> 19/1/2019 -- 21:27:28 - <Info> -- Using default Suricata version of 4.0.0
>>> 19/1/2019 -- 21:27:28 - <Info> -- No sources configured, will use Emerging Threats Open
>>> 19/1/2019 -- 21:27:28 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz.md5.
>>> 19/1/2019 -- 21:27:28 - <Debug> -- Setting HTTP User-Agent to Suricata-Update/1.0.3 (OS: Linux; CPU: armv7l; Python: 2.7.13; Dist: debian/9.6; Suricata: 4.0.0)
>>> 19/1/2019 -- 21:27:29 - <Debug> -- Local checksum=|x|; remote checksum=|x|
>>> 19/1/2019 -- 21:27:29 - <Info> -- Remote checksum has not changed. Not fetching.
>>> 19/1/2019 -- 21:27:29 - <Warning> -- No distribution rule directory found.
>>> 19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/emerging-mobile_malware.rules.
>>> 19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/emerging-icmp.rules.
>>> 19/1/2019 -- 21:27:29 - <Debug> -- Parsing rules/tor.rules.
>>> 19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-activex.rules.
>>> 19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-icmp_info.rules.
>>> 19/1/2019 -- 21:27:30 - <Debug> -- Parsing rules/emerging-policy.rules.
>>> 19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-pop3.rules.
>>> 19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-shellcode.rules.
>>> 19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-attack_response.rules.
>>> 19/1/2019 -- 21:27:31 - <Debug> -- Parsing rules/emerging-trojan.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-dns.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-telnet.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-scada.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-misc.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/dshield.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-sql.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-inappropriate.rules.
>>> 19/1/2019 -- 21:27:36 - <Debug> -- Parsing rules/emerging-web_server.rules.
>>> 19/1/2019 -- 21:27:37 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules.
>>> 19/1/2019 -- 21:27:42 - <Debug> -- Parsing rules/emerging-user_agents.rules.
>>>
>>> Thank you so much in advance for any advice on this. I have read through previous forum postings and have gathered that Suricata's Auto-Update can kill traffic collection if improperly configured.
>>>
>>> Sincerely,
>>> Paul
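The two symptoms raised in this thread, the oom-killer taking out suricata-update (or Suricata itself) and Suricata showing up under two PIDs, can both be checked from a script on the sensor. The following is an added example written for this page; it is not code from the thread, from Briar IDS, from Suricata or from suricata-update. It assumes `dmesg` output in the classic `Killed process <pid> (<name>) total-vm:...` format quoted above and a process listing in the shape of `ps -eo pid,ppid,comm`. Both sample inputs are constructed: the 1198 entry copies the thread's own dmesg line, the remaining lines and the process table are made up.

```python
import re

# Constructed sample dmesg output. The 1198 lines are the ones quoted in the
# thread; the "invoked oom-killer" line and the 1126 kill are made up to show
# that a kill of the main Suricata process is reported the same way.
SAMPLE_DMESG = """\
[  240.001234] suricata-update invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
[  244.876165] Out of memory: Kill process 1198 (suricata-update) score 429 or sacrifice child
[  244.876180] Killed process 1198 (suricata-update) total-vm:474040kB, anon-rss:463640kB, file-rss:808kB, shmem-rss:0kB
[  300.000000] Out of memory: Kill process 1126 (suricata) score 300 or sacrifice child
[  300.000010] Killed process 1126 (suricata) total-vm:312000kB, anon-rss:290000kB, file-rss:1024kB, shmem-rss:0kB
"""

# Constructed sample in the shape of `ps -eo pid,ppid,comm` output, with the
# two Suricata PIDs mentioned in the thread.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
 1011     1 suricata
 1126     1 suricata
 1300     1 sshd
"""

# Matches the kernel's "Killed process" record and captures the fields a
# sensor operator cares about: which process died and how much memory it held.
KILLED_RE = re.compile(
    r"Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\) "
    r"total-vm:(?P<total_vm>\d+)kB, anon-rss:(?P<anon_rss>\d+)kB"
)


def parse_oom_kills(dmesg_text):
    """Return one dict per OOM-killed process found in dmesg output, in order."""
    kills = []
    for line in dmesg_text.splitlines():
        m = KILLED_RE.search(line)
        if m:
            kills.append({
                "pid": int(m.group("pid")),
                "comm": m.group("comm"),
                "total_vm_kb": int(m.group("total_vm")),
                "anon_rss_kb": int(m.group("anon_rss")),
            })
    return kills


def find_duplicate_processes(ps_text, comm):
    """Return the PIDs of every process whose command name equals `comm`.

    `ps -eo pid,ppid,comm` lists processes, not threads, so more than one
    PID here means more than one Suricata instance, not a multi-threaded one.
    """
    pids = []
    for line in ps_text.splitlines()[1:]:  # skip the PID/PPID/COMMAND header
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[2] == comm:
            pids.append(int(fields[0]))
    return pids


def triage(dmesg_text, ps_text, watched=("suricata", "suricata-update")):
    """Summarise OOM kills of watched processes and watched processes that run twice."""
    kills = [k for k in parse_oom_kills(dmesg_text) if k["comm"] in watched]
    duplicates = {}
    for comm in watched:
        pids = find_duplicate_processes(ps_text, comm)
        if len(pids) > 1:
            duplicates[comm] = pids
    return {"oom_kills": kills, "duplicates": duplicates}


if __name__ == "__main__":
    # On a live sensor, feed in the real output of `dmesg` and
    # `ps -eo pid,ppid,comm` instead of the constructed samples.
    report = triage(SAMPLE_DMESG, SAMPLE_PS)
    for k in report["oom_kills"]:
        print("OOM kill: pid=%d comm=%s anon-rss=%d kB" % (k["pid"], k["comm"], k["anon_rss_kb"]))
    for comm, pids in report["duplicates"].items():
        print("%s is running %d times: %s" % (comm, len(pids), pids))
```

Run against the samples, the script reports the suricata-update kill with its 463640 kB anonymous RSS (the figure that matters on a Raspberry Pi 3 with 1 GB of RAM) and flags `suricata` as running under PIDs 1011 and 1126. Two distinct PIDs in a process listing are two instances; the same listing from `top` without thread display would show the same thing, so the duplicate is not a threading artefact.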