StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Suricata won't restart after build & push ruleset #291

Open woundride opened 1 year ago

woundride commented 1 year ago

I've updated Scirius container on 2023/07/24

Since the update, when I build & push the ruleset, Suricata won't restart:

(screenshot: suricata_won_t_restart)

To mitigate this and apply the ruleset immediately, I restart the container:

selks-user@selks:~$ sudo docker restart suricata

pevma commented 1 year ago

Thank you for posting the report. I could not reproduce the issue. It is possible that it can take a bit of time for the ruleset reload to complete. What happens is, we start a ruleset reload via the Suricata native unix socket command and then it is triggered and goes through a regular reloading process.

But can you tail the actual suricata log and see if the update is going through:

tail -F containers-data/suricata/logs/suricata.log

and then do the update rulesets (select all actions please: fetch, build, push).
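pevma's comment above says the push step triggers the ruleset reload through Suricata's native unix socket. The following is an added example (not Scirius or Suricata code) that issues that command the way the bundled suricatasc client does, against a constructed in-process stand-in for the socket so it runs offline; the wire format (newline-terminated JSON, a version "0.2" handshake), the socket path and the fake server are assumptions.

```python
import json, os, socket, tempfile, threading
# Wire format of Suricata's bundled suricatasc client (assumed here): newline-
# terminated JSON, a version handshake first, then one command per message.

def _send_json(conn, obj):
    conn.sendall((json.dumps(obj) + "\n").encode())

def _recv_json(conn):
    buf = b""  # accumulate until the bytes parse as one JSON object
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before a full reply arrived")
        buf += chunk
        try:
            return json.loads(buf.decode())
        except ValueError:  # incomplete so far, keep reading
            continue

def suricata_command(sock_path, command):
    """Send one command over the unix socket and return Suricata's reply dict.
    For reload-rules, "OK" only means accepted: the engine swaps the ruleset
    afterwards, so suricata.log is where to confirm the reload completed."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(10)
        conn.connect(sock_path)
        _send_json(conn, {"version": "0.2"})
        if _recv_json(conn).get("return") != "OK":
            raise RuntimeError("version handshake rejected by the socket")
        _send_json(conn, {"command": command})
        return _recv_json(conn)

def fake_suricata_socket(sock_path):
    """Constructed stand-in for the Suricata socket so the demo runs offline."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(sock_path)
    server.listen(1)
    def serve():
        conn, _ = server.accept()
        with conn, server:
            _recv_json(conn)  # version handshake
            _send_json(conn, {"return": "OK"})
            known = _recv_json(conn).get("command") in ("reload-rules", "ruleset-reload-rules")
            _send_json(conn, {"return": "OK" if known else "NOK"})
    threading.Thread(target=serve, daemon=True).start()

def demo(command="reload-rules"):
    path = os.path.join(tempfile.mkdtemp(), "suricata-command.socket")
    fake_suricata_socket(path)
    return suricata_command(path, command)
```

Against a real deployment, point suricata_command at the socket path configured in suricata.yaml and follow the reply by tailing suricata.log as described above.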

woundride commented 1 year ago

Thanks for your reply @pevma

The update is OK, I've verified the scirius.rules file in the container and my new rules have been added:

(screenshot: rules_ok)

But the file is not updated in the containers-data directory, strange 🤔.

When I try tail -f on containers-data/suricata/logs/suricata.log, no new logs appear.

New logs appear only when I restart the Suricata container.

But the files in /opt/selksd/SELKS/docker/containers-data/suricata/etc/rules are still not updated.

pevma commented 1 year ago

Please see https://github.com/StamusNetworks/scirius/issues/290 for proper setup