[Oisf-users] Configuring Suricata Auto Update with Briar IDS

419telegraph298 at protonmail.com
Sat Jan 26 17:12:25 UTC 2019


Greetings all,


https://suricata-update.readthedocs.io/en/latest/quickstart.html#configure-suricata-to-load-suricata-update-managed-rules

In accordance with the Suricata auto update instructions I created a new group "suricata" w/ a user "dave" for the following directories:

/var/lib/suricata
drwxrwxrw- 2 dave suricata 4096 Jan 19 18:55 rules
drwxrwxrwx 3 dave suricata 4096 Jan 19 18:53 update

my default directory for suricata is not /etc/suricata, but /usr/local/src

drwxr-xr-x 13 dave suricata 4096 Jan 26 02:01 suricata-4.0.4

(I'm still a noobie when it comes to Linux group permissions so I may be doing something very wrong)

I still ran into the issue of Suricata ceasing to function after a certain point after restarting:

-rw-r--r-- 1 root root       0 Jan 26 06:25 eve.json
-rw-r--r-- 1 root root       0 Jan 26 06:25 suricata.log
-rw-r--r-- 1 root root       0 Jan 26 06:25 stats.log
-rw-r--r-- 1 root root       0 Jan 26 06:25 http.log
-rw-r--r-- 1 root root       0 Jan 26 06:25 fast.log
-rw-r--r-- 1 root root 1901920 Jan 26 06:25 eve.json-20190126.gz
-rw-r--r-- 1 root root  196375 Jan 26 06:25 stats.log-20190126.gz
-rw-r--r-- 1 root root     353 Jan 26 04:47 fast.log-20190126.gz



Would the best step at this point be to reinstall Suricata without Briar IDS so that I have the latest Suricata version? Currently Briar installs 4.0.4.


Thank you,
Paul


Sent from ProtonMail, encrypted email based in Switzerland.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, January 25, 2019 9:05 PM, <419telegraph298 at protonmail.com> wrote:

> When I first launch Suricata via Briar IDS it displays that Suricata-M+ is using 100% of CPU and it always displays two separate instances via top w/ PID 1032 and 1179
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, January 25, 2019 4:44 PM, 419telegraph298 at protonmail.com wrote:
>
> > Dear Shivani,
> > Thank you very much for your assistance - when I tried auto-update again I SSHed into the pi through a different terminal and checked processes, it does indeed crowd out the CPU, reaching almost 100%:
> > 26133 root 20 0 112448 108524 6768 R 99.7 11.4 0:06.69 suricata-update
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Friday, January 25, 2019 12:25 AM, Shivani Bhardwaj shivanib134 at gmail.com wrote:
> >
> > > On Fri, Jan 25, 2019 at 10:16 AM 419telegraph298 at protonmail.com wrote:
> > >
> > > > Hi - did you have something to add?
> > >
> > > I don't think I have anything to add for the file permission issue. If
> > > you see it happening despite the correct permissions, please let us
> > > know.
> > > About the OOM errors you're facing, we're currently investigating that
> > > and it is being tracked here:
> > > https://redmine.openinfosecfoundation.org/issues/2791
> > > Thanks for reporting this.
> > >
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Wednesday, January 23, 2019 12:56 AM, Shivani Bhardwaj shivanib134 at gmail.com wrote:
> > > >
> > > > > Hello!
> > > > > On Wed, Jan 23, 2019 at 6:06 AM 419telegraph298 at protonmail.com wrote:
> > > > >
> > > > > > Thanks Jason, I tried to change the path as you specified and got this:
> > > > > > Traceback (most recent call last):
> > > > > >   File "/usr/local/bin/suricata-update", line 33, in <module>
> > > > > >     sys.exit(main.main())
> > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/main.py", line 1454, in main
> > > > > >     sys.exit(_main())
> > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/main.py", line 1196, in _main
> > > > > >     config.init(args)
> > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/config.py", line 202, in init
> > > > > >     build_info = suricata.update.engine.get_build_info(_config["suricata"])
> > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/engine.py", line 39, in get_build_info
> > > > > >     build_info_output = subprocess.check_output([suricata, "--build-info"])
> > > > > >   File "/usr/lib/python2.7/subprocess.py", line 212, in check_output
> > > > > >     process = Popen(stdout=PIPE, *popenargs, **kwargs)
> > > > > >   File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
> > > > > >     errread, errwrite)
> > > > > >   File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
> > > > > >     raise child_exception
> > > > > > OSError: [Errno 13] Permission denied
> > > > >
> > > > > The path you're trying to specify is inaccessible to the user running
> > > > > suricata-update. Please check the permissions and the owner of the
> > > > > directory. It is usually a good practice to make a suricata group,
> > > > > give correct permissions to that and add the user to suricata group.
> > > > > You can find more about it here:
> > > > > https://suricata-update.readthedocs.io/en/latest/quickstart.html#directories-and-permissions
> > > > >
> > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > > On Monday, January 21, 2019 10:22 AM, Jason Ish ish at unx.ca wrote:
> > > > > >
> > > > > > > On 2019-01-19 3:44 p.m., 419telegraph298 at protonmail.com wrote:
> > > > > > >
> > > > > > > > Hey everyone,
> > > > > > > > I recently installed Suricata on a Raspberry Pi 3 using the Briar IDS
> > > > > > > > https://github.com/musicmancorley/BriarIDS
> > > > > > > > I then attempted to install Suricata-Update, however, and am running
> > > > > > > > into issues, I suspect because Briar installed suricata-4.0.4 in
> > > > > > > > /usr/local/src but auto-update is in /var/lib/suricata. Suricata stops
> > > > > > > > running every day instead of updating, and I have to relaunch the
> > > > > > > > program manually. It does not have any issues collecting traffic when I
> > > > > > > > relaunch.
> > > > > > > > It fails to locate the binary for Suricata and gives me the error "No
> > > > > > > > distribution rule directory found" but has been able to update my
> > > > > > > > rulesets in /usr/local/src/suricata-4.0.4/rules. Do I need to move my
> > > > > > > > config file?
> > > > > > > >
> > > > > > >
> > > > > > > This will happen if suricata-update and suricata are installed
> > > > > > > separately of each other and have different prefixes. Your best bet is
> > > > > > > to tell suricata-update where your suricata is:
> > > > > > > suricata-update --suricata /path/to/suricata
> > > > > > > As for Suricata stopping, it doesn't look like you have suricata-update
> > > > > > > set up to trigger suricata, so maybe the memory issue the other user
> > > > > > > posted could be the cause?
> > > > > > > Jason
> > > > > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > > > Conference: https://suricon.net
> > > > > > > Trainings: https://suricata-ids.org/training/
> > > > >
> > > > > --
> > > > > Shivani
> > > > > https://about.me/shivani.bhardwaj
> > >
> > > --
> > > Shivani
> > > https://about.me/shivani.bhardwaj
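The checks that Jason's `--suricata` advice and Shivani's group/permissions advice above boil down to, as an added example that is not part of this thread and not code from suricata-update or Briar IDS: a POSIX shell function, run as the account that will invoke suricata-update (the thread's "dave"), that verifies the binary it will exec is executable, that the `rules` and `update` directories exist and are writable by that account, and that neither directory is world-writable (the `drwxrwxrw-` listing above gives "other" the write bit, which lets any local account drop rules that Suricata will load). The binary path, the data directory and the remediation mode `2775` are assumptions taken from the quickstart; the demo at the bottom builds a constructed layout in a temporary directory rather than touching /var/lib/suricata.

```shell
#!/bin/sh
# Added example, not code from the thread, suricata-update or Briar IDS.
# Audits the layout the suricata-update quickstart expects. Run it as the
# account that will execute suricata-update (e.g. "dave" in the thread).
#
# check_layout SURICATA_BIN DATA_DIR
#   SURICATA_BIN: the path you would pass to "suricata-update --suricata ..."
#   DATA_DIR:     /var/lib/suricata in the quickstart (assumed name here)
# Prints one line per finding; returns 0 only when everything passes.
check_layout() {
    bin=$1
    data=$2
    rc=0

    # suricata-update runs "$bin --build-info" via subprocess; the
    # "OSError: [Errno 13] Permission denied" quoted in the thread is what
    # a binary the calling user cannot execute looks like from Python.
    if [ -x "$bin" ]; then
        echo "ok:   $bin is executable by $(id -un)"
    else
        echo "FAIL: $bin is not executable by $(id -un)"
        rc=1
    fi

    for d in "$data/rules" "$data/update"; do
        if [ ! -d "$d" ]; then
            echo "FAIL: $d does not exist"
            rc=1
            continue
        fi
        if [ ! -w "$d" ]; then
            echo "FAIL: $d is not writable by $(id -un)"
            rc=1
        fi
        # Octal mode: GNU stat first, BSD stat as a fallback.
        mode=$(stat -c %a "$d" 2>/dev/null || stat -f %Lp "$d")
        other=${mode#"${mode%?}"}      # last octal digit = "other" bits
        if [ $((other & 2)) -ne 0 ]; then
            # Any local account could write rules here and have Suricata
            # load them on the next rule reload.
            echo "FAIL: $d is world-writable (mode $mode); suggest 2775 with group suricata"
            rc=1
        else
            echo "ok:   $d mode $mode"
        fi
    done
    return $rc
}

# Demo on a constructed layout in a temporary directory (never the real one).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules" "$tmp/update" "$tmp/bin"
    printf '#!/bin/sh\necho fake-suricata\n' > "$tmp/bin/suricata"
    chmod 644 "$tmp/bin/suricata"   # execute bit missing -> Errno 13 from Python
    chmod 776 "$tmp/rules"          # the drwxrwxrw- mode from the thread
    chmod 2775 "$tmp/update"

    echo "--- before remediation ---"
    check_layout "$tmp/bin/suricata" "$tmp" || true

    # Remediation: executable binary; setgid, group-writable, not world-writable.
    chmod 755 "$tmp/bin/suricata"
    chmod 2775 "$tmp/rules"
    echo "--- after remediation ---"
    check_layout "$tmp/bin/suricata" "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

On a real host the group step is `chgrp suricata /var/lib/suricata/rules /var/lib/suricata/update` plus `usermod -a -G suricata dave` (both need root), and the binary argument is whatever path Briar installed under; the audit only reports, it changes nothing outside the demo's temporary directory.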