Open berekese opened 6 years ago
On Thu, Feb 15, 2018 at 12:10 PM, berekese notifications@github.com wrote:
Hi, recently I updated the server, and if I try to start Suricata with the script it works fine, but I use a Mikrotik to send all traffic to the IDS and I need to use an alternative line to start the daemon, such as:
trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v --user=logstash -r /dev/stdin
Before I used "-r -" and it worked, but since the latest update Suricata can't accept "-r -". I read here too that now I should use "-r /dev/stdin", but when I do I get this:
trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v --user=logstash -r /dev/stdin
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:241) (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'detect' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'stats' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'outputs' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'logging' redefined.
[2334] 15/2/2018 -- 11:56:23 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[2334] 15/2/2018 -- 11:56:23 - (suricata.c:1070) (LogVersion) -- This is Suricata version 4.1.0-dev (rev cba41207)
[2334] 15/2/2018 -- 11:56:23 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs/cores online: 1
[2334] 15/2/2018 -- 11:56:28 - (detect-engine-loader.c:351) (SigLoadSignatures) -- 1 rule files processed. 22120 rules successfully loaded, 0 rules failed
[2334] 15/2/2018 -- 11:56:28 - (util-threshold-config.c:1130) (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[2334] 15/2/2018 -- 11:56:28 - (detect-engine-build.c:1398) (SigAddressPrepareStage1) -- 22125 signatures processed. 1150 are IP-only rules, 6506 are inspecting packet payload, 16671 inspect application layer, 0 are decoder event only
[2334] 15/2/2018 -- 11:56:28 - (detect-flowbits.c:477) (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs
[2334] 15/2/2018 -- 11:56:38 - (util-privs.c:93) (SCDropMainThreadCaps) -- dropped the caps for main thread
[2334] 15/2/2018 -- 11:56:38 - (util-logopenfile.c:501) (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[2334] 15/2/2018 -- 11:56:38 - (util-logopenfile.c:501) (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[2334] 15/2/2018 -- 11:56:38 - (output-json-email-common.c:455) (OutputEmailInitConf) -- Going to log the md5 sum of email body
[2334] 15/2/2018 -- 11:56:38 - (output-json-email-common.c:459) (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[2334] 15/2/2018 -- 11:56:38 - (output-json-dnp3.c:384) (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2334] 15/2/2018 -- 11:56:38 - (output-tx.c:76) (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2334] 15/2/2018 -- 11:56:38 - (output-json-dnp3.c:384) (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2334] 15/2/2018 -- 11:56:38 - (output-tx.c:76) (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2334] 15/2/2018 -- 11:56:38 - (util-logopenfile.c:501) (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[2346] 15/2/2018 -- 11:56:38 - (source-pcap-file.c:219) (ReceivePcapFileThreadInit) -- Checking file or directory /dev/stdin
[2346] 15/2/2018 -- 11:56:38 - (source-pcap-file-directory-helper.c:214) (PcapDetermineDirectoryOrFile) -- /dev/stdin: Plain file, not a directory
[2346] 15/2/2018 -- 11:56:38 - (source-pcap-file.c:226) (ReceivePcapFileThreadInit) -- Argument /dev/stdin was a file
[2346] 15/2/2018 -- 11:56:38 - (source-pcap-file-helper.c:158) (InitPcapFile) -- [ERRCODE: SC_ERR_FOPEN(44)] - /dev/stdin: Permission denied
[2346] 15/2/2018 -- 11:56:38 - (source-pcap-file.c:251) (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - Failed to init pcap file /dev/stdin, skipping
[2334] 15/2/2018 -- 11:56:38 - (tm-threads.c:2123) (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01" failed to initialize: flags 0145
[2334] 15/2/2018 -- 11:56:38 - (suricata.c:2867) (main) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
In summary: permission denied. If I try to start without --user=logstash the daemon starts, but fast.log doesn't get any events, and maybe it's because the user isn't the same. I don't know. Any solution?
Do the other logs populate? (eve.json etc.)
Any idea how to start the daemon using the boot script but with "-r /dev/stdin"? I don't use workers or listen_mode, only trafr -s | COMMAND
Thanks.
-- Regards, Peter Manev
I don't understand very well what you are asking me, but yes, I have logs in all files (stats, fast, eve...). Now I have stopped the default Suricata script; when I reboot the server I have to start the daemon from the command line with & to work in the background. I was trying to modify your init script to start it with my options but no luck :(
Yes - I mean whether the other logs populate.
Ok - I haven't used it that way, but since it is a permission problem, if you use it without the logstash user you should be good. If fast.log does not populate just make sure you have the permissions to write there (although if you are running as root it should not be an issue).
If you need to edit the auto start script you can have a look at /etc/default/suricata and /etc/init.d/suricata
Hi,
Thanks. I tried to do it by modifying the init script but no luck, but don't worry. For the moment, I disabled the default script with chmod -x and then I run my own line and it works fine. I will have a look at modifying the script.
Hello
I can start suricata at boot with rc.local. I have this:
cat /usr/local/bin/start_suricata
/usr/local/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -r /dev/stdin &
cat /etc/rc.local
#!/bin/sh -e
nohup /usr/local/bin/start_suricata
exit 0
Regards
M.
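The "Permission denied" in the first log appears right after Suricata drops privileges for --user=logstash: the pcap-file thread then reopens /dev/stdin, which resolves to the anonymous pipe the root shell created, and reopening a root-created pipe is refused once the process is no longer root. The start script below is an added example, not code from this thread or from SELKS; it keeps the trafr-to-Suricata pipeline and the rc.local style shown above but feeds Suricata through a named pipe owned by the capture user, so the privilege drop does not lose access. The FIFO path, the environment variable names and the assumption that Suricata's pcap-file reader accepts a FIFO (the 4.1.0-dev log above already classified the /dev/stdin pipe as "Plain file, not a directory") are mine.

```shell
#!/bin/sh
# Added example (not from this thread or SELKS): start Suricata with
# --user without -r /dev/stdin.  A FIFO owned by the capture user
# stays openable after Suricata switches away from root.
set -eu

FIFO="${FIFO:-/var/run/trafr.fifo}"                  # assumed path
SURI_USER="${SURI_USER:-logstash}"                   # user from the thread
SURI_CFG="${SURI_CFG:-/etc/suricata/suricata.yaml}"
TRAFR="${TRAFR:-/usr/local/bin/trafr}"

# Create the FIFO with mode 0600 and hand it to the capture user.
# Refuses to clobber anything that is not already a FIFO; returns 0 on success.
make_fifo() {
    fifo="$1"
    owner="$2"
    if [ -e "$fifo" ] && [ ! -p "$fifo" ]; then
        echo "refusing to replace non-FIFO $fifo" >&2
        return 1
    fi
    rm -f "$fifo"
    mkfifo -m 0600 "$fifo"
    # chown needs root; when run unprivileged the FIFO simply stays ours
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$fifo"
    fi
    [ -p "$fifo" ]
}

# trafr writes the pcap stream into the FIFO; Suricata reads it as a
# pcap file and keeps reading until the writer goes away.
run_capture() {
    make_fifo "$FIFO" "$SURI_USER"
    "$TRAFR" -s >"$FIFO" &
    trafr_pid=$!
    trap 'kill "$trafr_pid" 2>/dev/null; rm -f "$FIFO"' EXIT INT TERM
    /usr/bin/suricata -c "$SURI_CFG" --pidfile /var/run/suricata.pid \
        --user="$SURI_USER" -r "$FIFO"
}

# Invoke as "start_suricata start", e.g. from rc.local via nohup ... &
case "${1:-}" in
    start) run_capture ;;
esac
```

Because the script itself must run as root (trafr and the chown need it), rc.local would call it as nohup /usr/local/bin/start_suricata start &, mirroring the rc.local above.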
Hello. Cannot start Suricata 4.1.5 to read from stdin.
Command: trafr -s | suricata -c /etc/suricata/suricata.yaml -v -r /dev/stdin
Output log:
18/10/2019 -- 14:11:53 - - This is Suricata version 4.1.5 RELEASE
18/10/2019 -- 14:11:53 - - CPUs/cores online: 4
18/10/2019 -- 14:11:53 - - fast output device (regular) initialized: fast.log
18/10/2019 -- 14:11:53 - - eve-log output device (regular) initialized: eve.json
18/10/2019 -- 14:11:53 - - stats output device (regular) initialized: stats.log
18/10/2019 -- 14:11:55 - - 1 rule files processed. 24016 rules successfully loaded, 0 rules failed
18/10/2019 -- 14:11:55 - - Threshold config parsed: 0 rule(s) found
18/10/2019 -- 14:11:55 - - 24020 signatures processed. 1173 are IP-only rules, 5136 are inspecting packet payload, 19651 inspect application layer, 103 are decoder event only
18/10/2019 -- 14:12:00 - - Checking file or directory /dev/stdin
18/10/2019 -- 14:12:00 -- Argument /dev/stdin was a directory
18/10/2019 -- 14:12:00 -- all 5 packet processing threads, 4 management threads initialized, engine started.
18/10/2019 -- 14:12:00 - - Starting directory run for /dev/stdin
18/10/2019 -- 14:12:00 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
18/10/2019 -- 14:12:00 - - Directory run mode complete
18/10/2019 -- 14:12:00 - - Signal Received. Stopping engine.
18/10/2019 -- 14:12:00 - - time elapsed 0.055s
18/10/2019 -- 14:12:00 - - Pcap-file module read 0 files, 0 packets, 0 bytes
18/10/2019 -- 14:12:00 - - Alerts: 0
18/10/2019 -- 14:12:00 - - cleaning up signature grouping structure... complete
Suricata treats the file /dev/stdin as a directory. But it is a file. Can you help me, please?
Doesn't this suggestion work? https://github.com/StamusNetworks/SELKS/issues/103#issuecomment-434840466
Hi, recently I updated the server, and if I try to start Suricata with the script it works fine, but I use a Mikrotik to send all traffic to the IDS and I need to use an alternative line to start the daemon, such as:
trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v -r /dev/stdin
Really my main idea is to start the daemon using the boot script but with "-r /dev/stdin" and trafr. I don't use workers or listen_mode, only trafr -s | COMMAND, but I don't know what values I should change in the script. How could I change the boot script to start it that way?
Thanks.