
Commit b467cfe

authored
suricata fixes. Socket mode deprecated since Suricata 8 (#2652)
1 parent f741105 commit b467cfe


2 files changed

+47
-49
lines changed

2 files changed

+47
-49
lines changed

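--- a/conf/default/processing.conf.default
+++ b/conf/default/processing.conf.default
@@ -153,14 +153,11 @@ do_file_lookup = yes
 do_url_lookup = yes
 urlscrub = (^http:\/\/serw\.clicksor\.com\/redir\.php\?url=|&InjectedParam=.+$)
 
+# Since Suricata 8, socket mode is deprecated.
 [suricata]
-# Notes on getting this to work check install_suricata function:
-# https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh
-
-enabled = yes
-#Runmode "cli" or "socket"
-runmode = socket
-#Outputfiles
+enabled = no
+runmode = cli
+# Outputfiles
 # if evelog is specified, it will be used instead of the per-protocol log files
 evelog = eve.json
 
@@ -176,13 +173,14 @@ fileslog = files-json.log
 filesdir = files
 # Amount of text to carve from plaintext files (bytes)
 buffer = 8192
-#Used for creating an archive of extracted files
+#Used for creating an archive of extracted files
 7zbin = /usr/bin/7z
 zippass = infected
-##Runmode "cli" options
+# Runmode "cli" options
 bin = /usr/bin/suricata
 conf = /etc/suricata/suricata.yaml
-##Runmode "socket" Options
+
+# Runmode "socket" Options. Deprecated since Suricata 8.
 socket_file = /tmp/suricata-command.socket
 
 # Community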
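Review bot: With the `#Runmode "cli" or "socket"` comment removed, `runmode = cli` on new line 159 no longer tells the reader what values are accepted, and the deprecation remark now sits above the `[suricata]` header where it reads as describing the whole section rather than one option. Moving it next to the setting, `# Runmode: "cli" (default) or "socket" (deprecated since Suricata 8)`, keeps both facts with the option they describe. The `socket_file` key on new line 184 stays in the file under the deprecated-runmode comment; a short note that it is presumably unused when `runmode = cli` would stop operators from treating it as a required setting.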

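--- a/installer/cape2.sh
+++ b/installer/cape2.sh
@@ -691,64 +691,64 @@ EOL
 function install_suricata() {
 echo '[+] Installing Suricata'
 sudo add-apt-repository -y ppa:oisf/suricata-stable
-sudo apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install -y suricata suricata-update
+sudo apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install -y suricata
 touch /etc/suricata/threshold.config
 
 # Download etupdate to update Emerging Threats Open IDS rules:
 mkdir -p "/etc/suricata/rules"
 if ! crontab -l | grep -q -F '15 * * * * /usr/bin/suricata-update'; then
-crontab -l | { cat; echo "15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null"; } | crontab -
+crontab -l | { cat; echo "15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ &>/dev/null"; } | crontab -
 fi
 if [ -d /usr/share/suricata/rules/ ]; then
-# copy files if rules folder contains files
+# copy files if rules folder contains files
 if [ "$(ls -A /var/lib/suricata/rules/)" ]; then
 cp "/usr/share/suricata/rules/"* "/etc/suricata/rules/"
 fi
 fi
 if [ -d /var/lib/suricata/rules/ ]; then
-# copy files if rules folder contains files
+# copy files if rules folder contains files
 if [ "$(ls -A /var/lib/suricata/rules/)" ]; then
 cp "/var/lib/suricata/rules/"* "/etc/suricata/rules/"
 fi
 fi
 
-# ToDo this is not the best solution but i don't have time now to investigate proper one
-sed -i 's|CapabilityBoundingSet=CAP_NET_ADMIN|#CapabilityBoundingSet=CAP_NET_ADMIN|g' /lib/systemd/system/suricata.service
-systemctl daemon-reload
+cat > /etc/suricata/cape.yaml <<EOF
+%YAML 1.1
+---
+
+default-rule-path: /etc/suricata/rules
+rule-files: suricata.rules
+mpm-algo: hs
+stream.reassembly.depth: 0
+stream.checksum-validation: none
+netmap.checksum-checks: no
+pcap-file.checksum-checks: no
+app-layer.protocols.http.libhtp.default-config.request-body-limit: 0
+app-layer.protocols.http.libhtp.default-config.response-body-limit: 0
+app-layer.protocols.tls.ja3-fingerprints: yes
+
+vars.address-groups.EXTERNAL_NET: "ANY"
+# pid-file: /run/suricata.pid
+# https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/5
+security.limit-noproc: false
+
+outputs.1.eve-log.enabled: yes
+file-store.enabled: yes
+EOF
 
-#change suricata yaml
-sed -i 's|#default-rule-path: /etc/suricata/rules|default-rule-path: /etc/suricata/rules|g' /etc/default/suricata
-sed -i 's|default-rule-path: /var/lib/suricata/rules|default-rule-path: /etc/suricata/rules|g' /etc/suricata/suricata.yaml
-sed -i 's/#rule-files:/rule-files:/g' /etc/suricata/suricata.yaml
-sed -i 's/# - suricata.rules/ - suricata.rules/g' /etc/suricata/suricata.yaml
-sed -i 's/RUN=yes/RUN=no/g' /etc/default/suricata
-sed -i 's/mpm-algo: ac/mpm-algo: hs/g' /etc/suricata/suricata.yaml
-sed -i 's/mpm-algo: auto/mpm-algo: hs/g' /etc/suricata/suricata.yaml
-sed -i 's/#run-as:/run-as:/g' /etc/suricata/suricata.yaml
-sed -i "s/# user: suri/ user: ${USER}/g" /etc/suricata/suricata.yaml
-sed -i "s/# group: suri/ group: ${USER}/g" /etc/suricata/suricata.yaml
-sed -i 's/ depth: 1mb/ depth: 0/g' /etc/suricata/suricata.yaml
-sed -i 's/request-body-limit: 100kb/request-body-limit: 0/g' /etc/suricata/suricata.yaml
-sed -i 's/response-body-limit: 100kb/response-body-limit: 0/g' /etc/suricata/suricata.yaml
-sed -i 's/EXTERNAL_NET: "!$HOME_NET"/EXTERNAL_NET: "ANY"/g' /etc/suricata/suricata.yaml
-sed -i 's|#pid-file: /var/run/suricata.pid|pid-file: /tmp/suricata.pid|g' /etc/suricata/suricata.yaml
-sed -i 's|#ja3-fingerprints: auto|ja3-fingerprints: yes|g' /etc/suricata/suricata.yaml
-#-k none
-sed -i 's/#checksum-validation: none/checksum-validation: none/g' /etc/suricata/suricata.yaml
-sed -i 's/checksum-checks: auto/checksum-checks: no/g' /etc/suricata/suricata.yaml
-
-# https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/5
-sed -i 's|limit-noproc: true|limit-noproc: false|g' /etc/suricata/suricata.yaml
-
-# enable eve-log
-python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'eve-log:\n enabled: no\n', b'eve-log:\n enabled: yes\n');open(pa, 'wb').write(q);"
-python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'unix-command:\n enabled: auto\n #filename: custom.socket', b'unix-command:\n enabled: yes\n filename: /tmp/suricata-command.socket');open(pa, 'wb').write(q);"
-# file-store
-python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'file-store:\n version: 2\n enabled: no', b'file-store:\n version: 2\n enabled: yes');open(pa, 'wb').write(q);"
-
-chown ${USER}:${USER} -R /etc/suricata
-chown ${USER}:${USER} -R /var/log/suricata
+sed -i '$a include:\n - cape.yaml\n' /etc/suricata/suricata.yaml
+usermod -aG pcap suricata
+usermod -aG suricata "${USER}"
+# sudo chmod -R g+w /var/log/suricata/
+# sudo chmod -R g+w /var/run/suricata/
+# sudo chmod -R g+w /etc/suricata
 systemctl restart suricata
+
+# How to verify config options
+# suricata --dump-config
+# sudo suricata -T -c /etc/suricata/suricata.yaml
+# echo "Important: For this change to take effect, you must log out and then log back in, or open a new shell with newgrp suricata."
+
 }
 
 function install_yara_x() {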
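Review bot: The `sed -i '$a include:\n - cape.yaml\n'` line on new line 739 appends unconditionally, so a second run of the installer (which the `grep -q -F` guard on the crontab line already anticipates) adds a duplicate `include:` block to suricata.yaml; guard it the same way, `grep -q -F 'cape.yaml' /etc/suricata/suricata.yaml || sed -i '$a include:\n - cape.yaml\n' /etc/suricata/suricata.yaml`. The `outputs.1.eve-log.enabled: yes` key in cape.yaml addresses the eve-log output by list position, which presumably only holds while eve-log remains the second entry in the packaged suricata.yaml, so a comment naming that assumption next to the key would help whoever hits a build that reorders outputs. Visible in the hunk but untouched by the change, the `/usr/share/suricata/rules/` branch tests `ls -A /var/lib/suricata/rules/` rather than the directory it copies from; the `/var/lib` branch directly below looks like the intended template. `security.limit-noproc: false` carries over the earlier sed-based relaxation rather than adding new exposure, but a one-line comment stating why the forum-linked workaround is still required would make the trade-off reviewable.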
