Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FIX: Duplicate variable causing Suricata failure #13461

Closed Carlos-mb closed 2 months ago

Carlos-mb commented 2 months ago

If you duplicate a variable and give it a single IP value, it provokes Suricata to crash:

1 - Go to Administration - Configuration

[EDITED: you have to activate Show All Configurable Settings]

go to - Suricata - Config - Vars - address-groups -> External_NET (or any other)

2 - Duplicate it

3 - Call it DELETE_ME (or any other) and press "Create Setting"

4 - Select the new var (DELETE_ME in my case)

5 - Set the "Current Grid Value" to "8.8.8.8" or any other IP, but important: ONLY ONE IP in a single line

6 - Press the green tick button

The good start here:

7- cat /opt/so/saltstack/local/pillar/suricata/soc_suricata.sls.

You will see this:

suricata:
    config:
        vars:
            address-groups:
                DELETE_ME: 8.8.8.8

8- Restart suricata: sudo so-suricata-restart

9- Check the output, you will see this between many other lines:

[INFO    ] File changed:
---
+    DELETE_ME: '8'

10- Check the logs: docker logs so-suricata

You'll see this:

i: suricata: This is Suricata version 7.0.6 RELEASE running in SYSTEM mode
E: detect: failed to parse address "8"
E: detect: failed to parse address var "DELETE_ME" with value "8". Please check its syntax
E: suricata: basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors

11- Check so-status -> Suricata is missing.

And now.... look at this....

12- Go back to configuration, add a second line with other IP (9.9.9.9, for example) to the grid value. And repeat the steps.

soc_suricata.sls has this content:

                DELETE_ME:
                    - 8.8.8.8
                    - 9.9.9.9

And the restart process will show this output:

-    DELETE_ME: '8'
+    DELETE_ME: '[8.8.8.8,9.9.9.9]'

and everything works fine.

13- Go back to configuration, delete the second IP and leave only one, as we did in step 5. You may leave the same value as in step 5.

14- Restart Suricata and everything will work fine. The sls file content now is:

                DELETE_ME:
                    - 8.8.8.8

And Suricata works again.

One extra question... How can I delete this var? I've not been able to find the option in the UI. I have had to delete it from soc_suricata.sls

Regards Carlos
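The symptom in the report (a scalar `8.8.8.8` in the pillar turning into the address `8` that Suricata then refuses to parse) is the classic scalar-versus-list confusion: a YAML value with one entry is stored as a string, and a template that iterates it as if it were a list gets the string's characters instead. The script below is an added illustration, not Security Onion's own Salt template or any code from the project. It constructs the two pillar shapes shown in the issue, shows how iterating the scalar yields `'8'` as the first entry, coerces scalars to one-element lists before rendering, and runs a simplified pre-flight check (IP/CIDR, optional `!` negation, `$VAR` references, `any`; flat groups only, no nested brackets) that would flag the bad value before a restart rather than after. The functions `entries_naive`, `entries_normalized`, `render_group`, `address_token_ok`, `validate_group` and `preflight` are assumed names for this example.

```python
import ipaddress
from typing import Dict, List, Union

AddressValue = Union[str, List[str]]

# Constructed pillar fragments mirroring the two soc_suricata.sls shapes in the issue:
# one IP is saved as a scalar, two IPs are saved as a list.
PILLAR_SINGLE = {"DELETE_ME": "8.8.8.8"}
PILLAR_LIST = {"DELETE_ME": ["8.8.8.8", "9.9.9.9"]}


def entries_naive(value: AddressValue) -> List[str]:
    """Treat the value as a sequence without checking its type (the failure mode).
    A YAML scalar arrives as a str, and iterating a str yields its characters,
    so '8.8.8.8' becomes ['8', '.', '8', '.', '8', '.', '8'] and the first
    'address' handed onward is just '8'."""
    return [str(v) for v in value]


def entries_normalized(value: AddressValue) -> List[str]:
    """Coerce a scalar to a one-element list before iterating (the fix)."""
    if isinstance(value, str):
        return [value.strip()]
    return [str(v).strip() for v in value]


def render_group(entries: List[str]) -> str:
    """Render in Suricata address-group syntax: one address bare, several bracketed.
    For ['8.8.8.8', '9.9.9.9'] this gives '[8.8.8.8,9.9.9.9]', as seen in the issue."""
    if len(entries) == 1:
        return entries[0]
    return "[" + ",".join(entries) + "]"


def address_token_ok(token: str) -> bool:
    """Accept what a flat Suricata address group may contain: an IP or CIDR
    (optionally negated with '!'), a $VAR reference, or the keyword 'any'."""
    token = token.strip()
    if token.startswith("!"):
        token = token[1:]
    if token == "any" or token.startswith("$"):
        return True
    try:
        ipaddress.ip_network(token, strict=False)  # '8' alone raises ValueError
        return True
    except ValueError:
        return False


def validate_group(rendered: str) -> List[str]:
    """Return the tokens that would make Suricata log 'failed to parse address'."""
    inner = rendered.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [t for t in inner.split(",") if not address_token_ok(t)]


def preflight(address_groups: Dict[str, AddressValue]) -> Dict[str, List[str]]:
    """Render every address-group var the safe way and report bad tokens per var.
    An empty list for a var means it would pass Suricata's basic address vars test."""
    return {
        name: validate_group(render_group(entries_normalized(value)))
        for name, value in address_groups.items()
    }


if __name__ == "__main__":
    # Demonstrate the broken path against the scalar pillar, then the safe path.
    broken = render_group(entries_naive(PILLAR_SINGLE["DELETE_ME"]))
    print("naive render of scalar :", broken, "-> bad tokens:", validate_group(broken))
    print("preflight (scalar)     :", preflight(PILLAR_SINGLE))
    print("preflight (list)       :", preflight(PILLAR_LIST))
```

Run it with no arguments; the naive path reports `8` and `.` as unparseable tokens, while both pillar shapes pass `preflight` once scalars are normalized, which is the check worth running on `soc_suricata.sls` before `so-suricata-restart`.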

dougburks commented 2 months ago

If you duplicate a variable and give it a single IP value, it provokes Suricata to crash:

I've duplicated this behavior and we'll see if we can improve it in the future.

One extra question... How can I delete this var? I've not been able to find the option in the UI. I have had to delete it from soc_suricata.sls

When you duplicate the variable, there is a warning that says:

Duplicated settings cannot be removed or renamed via the SOC user interface.


Carlos-mb commented 2 months ago

When you duplicate the variable, there is a warning that says:

Duplicated settings cannot be removed or renamed via the SOC user interface.

oops, sorry.

Thanks for the info.