[Oisf-users] Configuring Suricata Auto Update with Briar IDS

419telegraph298 at protonmail.com
Thu Jan 31 06:47:05 UTC 2019


OK, I'll go forward with a fresh install.


Sent from ProtonMail, encrypted email based in Switzerland.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 26, 2019 12:12 PM, <419telegraph298 at protonmail.com> wrote:

> Greetings all,
>
> https://suricata-update.readthedocs.io/en/latest/quickstart.html#configure-suricata-to-load-suricata-update-managed-rules
>
> In accordance with the Suricata auto update instructions I created a new group "suricata" w/ a user "dave" for the following directories:
>
> /var/lib/suricata
> drwxrwxrw- 2 dave suricata 4096 Jan 19 18:55 rules
> drwxrwxrwx 3 dave suricata 4096 Jan 19 18:53 update
>
> my default directory for suricata is not /etc/suricata, but /usr/local/src
>
> drwxr-xr-x 13 dave suricata 4096 Jan 26 02:01 suricata-4.0.4
>
> (I'm still a noobie when it comes to Linux group permissions so I may be doing something very wrong)
>
> I still ran into the issue of Suricata ceasing to function after a certain point after restarting:
>
> -rw-r--r-- 1 root root 0 Jan 26 06:25 eve.json
> -rw-r--r-- 1 root root 0 Jan 26 06:25 suricata.log
> -rw-r--r-- 1 root root 0 Jan 26 06:25 stats.log
> -rw-r--r-- 1 root root 0 Jan 26 06:25 http.log
> -rw-r--r-- 1 root root 0 Jan 26 06:25 fast.log
> -rw-r--r-- 1 root root 1901920 Jan 26 06:25 eve.json-20190126.gz
> -rw-r--r-- 1 root root 196375 Jan 26 06:25 stats.log-20190126.gz
> -rw-r--r-- 1 root root 353 Jan 26 04:47 fast.log-20190126.gz
>
> Would the best step at this point be to reinstall Suricata without Briar IDS so that I have the latest Suricata version? Currently Briar installs 4.0.4.
>
> Thank you,
> Paul
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, January 25, 2019 9:05 PM, 419telegraph298 at protonmail.com wrote:
>
> > When I first launch Suricata via Briar IDS it displays that Suricata-M+ is using 100% of CPU and it always displays two separate instances via top w/ PID 1032 and 1179
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Friday, January 25, 2019 4:44 PM, 419telegraph298 at protonmail.com wrote:
> >
> > > Dear Shivani,
> > > Thank you very much for your assistance - when I tried auto-update again I SSHed into the pi through a different terminal and checked processes, it does indeed crowd out the CPU, reaching almost 100%:
> > > 26133 root 20 0 112448 108524 6768 R 99.7 11.4 0:06.69 suricata-update
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Friday, January 25, 2019 12:25 AM, Shivani Bhardwaj shivanib134 at gmail.com wrote:
> > >
> > > > On Fri, Jan 25, 2019 at 10:16 AM 419telegraph298 at protonmail.com wrote:
> > > >
> > > > > Hi - did you have something to add?
> > > >
> > > > I don't think I have anything to add for the file permission issue. If
> > > > you see it happening despite the correct permissions, please let us
> > > > know.
> > > > About the OOM errors you're facing, we're currently investigating that
> > > > and it is being tracked here:
> > > > https://redmine.openinfosecfoundation.org/issues/2791
> > > > Thanks for reporting this.
> > > >
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Wednesday, January 23, 2019 12:56 AM, Shivani Bhardwaj shivanib134 at gmail.com wrote:
> > > > >
> > > > > > Hello!
> > > > > > On Wed, Jan 23, 2019 at 6:06 AM 419telegraph298 at protonmail.com wrote:
> > > > > >
> > > > > > > Thanks Jason, I tried to change the path as you specified and got this:
> > > > > > > Traceback (most recent call last):
> > > > > > >   File "/usr/local/bin/suricata-update", line 33, in <module>
> > > > > > >     sys.exit(main.main())
> > > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/main.py", line 1454, in main
> > > > > > >     sys.exit(_main())
> > > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/main.py", line 1196, in _main
> > > > > > >     config.init(args)
> > > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/config.py", line 202, in init
> > > > > > >     build_info = suricata.update.engine.get_build_info(_config["suricata"])
> > > > > > >   File "/usr/local/lib/python2.7/dist-packages/suricata/update/engine.py", line 39, in get_build_info
> > > > > > >     build_info_output = subprocess.check_output([suricata, "--build-info"])
> > > > > > >   File "/usr/lib/python2.7/subprocess.py", line 212, in check_output
> > > > > > >     process = Popen(stdout=PIPE, *popenargs, **kwargs)
> > > > > > >   File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
> > > > > > >     errread, errwrite)
> > > > > > >   File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
> > > > > > >     raise child_exception
> > > > > > > OSError: [Errno 13] Permission denied
> > > > > >
> > > > > > The path you're trying to specify is inaccessible to the user running
> > > > > > suricata-update. Please check the permissions and the owner of the
> > > > > > directory. It is usually a good practice to make a suricata group,
> > > > > > give correct permissions to that and add the user to suricata group.
> > > > > > You can find more about it here:
> > > > > > https://suricata-update.readthedocs.io/en/latest/quickstart.html#directories-and-permissions
> > > > > >
> > > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > > > On Monday, January 21, 2019 10:22 AM, Jason Ish ish at unx.ca wrote:
> > > > > > >
> > > > > > > > On 2019-01-19 3:44 p.m., 419telegraph298 at protonmail.com wrote:
> > > > > > > >
> > > > > > > > > Hey everyone,
> > > > > > > > > I recently installed Suricata on a Raspberry Pi 3 using the Briar IDS
> > > > > > > > > (https://github.com/musicmancorley/BriarIDS). I then attempted to
> > > > > > > > > install Suricata-Update, however, and am running into issues, I
> > > > > > > > > suspect because Briar installed suricata-4.0.4 in /usr/local/src but
> > > > > > > > > auto-update is in /var/lib/suricata. Suricata stops running every day
> > > > > > > > > instead of updating, and I have to relaunch the program manually. It
> > > > > > > > > does not have any issues collecting traffic when I relaunch.
> > > > > > > > > It fails to locate the binary for Suricata and gives me the error "No
> > > > > > > > > distribution rule directory found" but has been able to update my
> > > > > > > > > rulesets in /usr/local/src/suricata-4.0.4/rules. Do I need to move my
> > > > > > > > > config file?
> > > > > > > > >
> > > > > > > >
> > > > > > > > This will happen if suricata-update and suricata are installed
> > > > > > > > separately from each other and have different prefixes. Your best bet is
> > > > > > > > to tell suricata-update where your suricata is:
> > > > > > > > suricata-update --suricata /path/to/suricata
> > > > > > > > As for Suricata stopping: it doesn't look like you have suricata-update
> > > > > > > > set up to trigger suricata, so maybe the memory issue the other user
> > > > > > > > posted could be the cause?
> > > > > > > > Jason
> > > > > > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > > > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > > > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > > > > Conference: https://suricon.net
> > > > > > > > Trainings: https://suricata-ids.org/training/
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Shivani
> > > > > > https://about.me/shivani.bhardwaj
> > > >
> > > > --
> > > > Shivani
> > > > https://about.me/shivani.bhardwaj
> > >
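Added example, not from the thread and not the Suricata project's own code: a POSIX sh script that checks the three things the replies above turn on before suricata-update is run against a Suricata built under a non-standard prefix. It verifies that the data directory and its rules directory exist and are not world-writable (the drwxrwxrwx shown in the thread makes the ruleset writable by every local account, so it is not an acceptable fix for a permission error), that the binary suricata-update will be pointed at is executable by the calling user (suricata-update runs `<binary> --build-info` through subprocess, which is where the Errno 13 traceback above comes from), and then prints the suricata-update command line using its real `--suricata`, `-D` and `--reload-command` options so the running engine reloads rules instead of being left to a restart. The binary path /usr/local/bin/suricata, the data directory /var/lib/suricata and the group name suricata are assumptions taken from the thread; override them with the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Suricata project).
# Checks the layout suricata-update needs when suricata lives under a
# non-standard prefix, then prints the command to run.
# Paths and group name are assumptions following the thread; override via env.

SURICATA_BIN="${SURICATA_BIN:-/usr/local/bin/suricata}"   # assumed install path
SURICATA_DATA="${SURICATA_DATA:-/var/lib/suricata}"
SURICATA_GROUP="${SURICATA_GROUP:-suricata}"

# Return 0 when an ls(1)-style mode string (e.g. drwxrwxrwx) grants write to
# "others" (character 9). A world-writable rules directory lets any local
# account replace or disable rules, so it must never be the permission "fix".
mode_is_world_writable() {
    case "$(printf '%s' "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<dir> <mode> <group>"; fail if the directory is missing or
# world-writable. Uses ls -ld rather than stat(1) so it also works on BusyBox.
audit_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    set -- $(ls -ld "$dir")
    mode="$1" group="$4"
    if mode_is_world_writable "$mode"; then
        echo "$dir is world-writable ($mode); tighten with: chmod 2775 $dir" >&2
        return 1
    fi
    [ "$group" = "$SURICATA_GROUP" ] || \
        echo "warning: $dir is group $group, expected $SURICATA_GROUP" >&2
    echo "$dir $mode $group"
    return 0
}

# Fail unless the binary exists and is executable by this user; suricata-update
# spawns "<binary> --build-info" and dies with EACCES (Errno 13) otherwise.
check_binary() {
    if [ -x "$1" ]; then
        echo "binary ok: $1"
        return 0
    fi
    echo "not executable by $(id -un): $1 (check owner/mode, e.g. chmod 755)" >&2
    return 1
}

# Build the suricata-update invocation: --suricata points it at the binary,
# -D at the data directory, --reload-command asks the running engine to reload
# rules through the unix socket instead of relying on a daily restart.
build_update_cmd() {
    printf "suricata-update --suricata %s -D %s --reload-command 'suricatasc -c reload-rules'\n" "$1" "$2"
}

# One-time setup as root: shared group, setgid directories, no "other" write bit.
setup_dirs() {
    getent group "$SURICATA_GROUP" >/dev/null 2>&1 || groupadd "$SURICATA_GROUP"
    mkdir -p "$SURICATA_DATA/rules" "$SURICATA_DATA/update"
    chgrp -R "$SURICATA_GROUP" "$SURICATA_DATA"
    chmod 2775 "$SURICATA_DATA" "$SURICATA_DATA/rules" "$SURICATA_DATA/update"
}

main() {
    status=0
    audit_dir "$SURICATA_DATA" || status=1
    audit_dir "$SURICATA_DATA/rules" || status=1
    check_binary "$SURICATA_BIN" || status=1
    [ "$status" -eq 0 ] && build_update_cmd "$SURICATA_BIN" "$SURICATA_DATA"
    return "$status"
}

# Usage:  sh suricata-update-audit.sh run      (checks only)
#         sudo sh suricata-update-audit.sh setup  (create group/dirs, then check)
if [ "${1:-}" = "run" ]; then
    main
elif [ "${1:-}" = "setup" ]; then
    setup_dirs && main
fi
```

Run the `run` form as the account that will execute suricata-update (the one added to the suricata group), not as root: a root-only check hides exactly the EACCES failure the thread hit.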



