Closed kmroz closed 3 years ago
1. Let's drop `8` from the centos filename template, as the package works with centos7 as well.
2. The current goreleaser config puts the `nfr` binary in `/usr/local/bin`, which introduces a breaking change as the previous .deb releases placed it in `/usr/bin`. As I understand, it's an easy fix by adjusting the `nfpms.bindir` variable to `/usr/bin`.
Done. Updated PR pushed. Quick test performed on a debian10 vm. Sample release at: https://github.com/mrozitron/nfr/releases/tag/v3.0.5
It's worth testing the binary on both centos 7 and 8 as I remember having libpcap issues before.
> It's worth testing the binary on both centos 7 and 8 as I remember having libpcap issues before.

I'll spool up centos VMs and give it a run again.
> > It's worth testing the binary on both centos 7 and 8 as I remember having libpcap issues before.
>
> I'll spool up centos VMs and give it a run again.

LGTM.
CentOS 7

```
$ uname -r
3.10.0-1160.31.1.el7.x86_64
$ which nfr
/usr/bin/nfr
$ ldd $(which nfr)
    linux-vdso.so.1 =>  (0x00007ffd411e6000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fef39623000)
    libpcap.so.1 => /lib64/libpcap.so.1 (0x00007fef393e2000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fef39014000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fef3983f000)
$ nfr -h
Network Flight Recorder (NFR) is an application which captures network traffic
and provides deep analysis and alerting of suspicious events, identifying gaps
in your security controls, highlighting targeted attacks and policy violations.

Usage:
  nfr [command]

Available Commands:
  account     Manage AlphaSOC account
  help        Help about any command
  read        Process network events stored on disk in known formats
  start       Start processing network events (inputs defined in config)
  version     Show the NFR binary version

Flags:
  -c, --config string   Config path for nfr (default "/etc/nfr/config.yml")
  -h, --help            help for nfr

Use "nfr [command] --help" for more information about a command.
```
CentOS 8

```
$ uname -r
4.18.0-305.10.2.el8_4.x86_64
$ which nfr
/usr/bin/nfr
$ ldd $(which nfr)
    linux-vdso.so.1 (0x00007ffd68180000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa357809000)
    libpcap.so.1 => /lib64/libpcap.so.1 (0x00007fa3575be000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa3571f9000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa357a29000)
    libibverbs.so.1 => /lib64/libibverbs.so.1 (0x00007fa356fda000)
    libnl-route-3.so.200 => /lib64/libnl-route-3.so.200 (0x00007fa356d54000)
    libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007fa356b31000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fa35692d000)
$ nfr -h
Network Flight Recorder (NFR) is an application which captures network traffic
and provides deep analysis and alerting of suspicious events, identifying gaps
in your security controls, highlighting targeted attacks and policy violations.

Usage:
  nfr [command]

Available Commands:
  account     Manage AlphaSOC account
  help        Help about any command
  read        Process network events stored on disk in known formats
  start       Start processing network events (inputs defined in config)
  version     Show the NFR binary version

Flags:
  -c, --config string   Config path for nfr (default "/etc/nfr/config.yml")
  -h, --help            help for nfr

Use "nfr [command] --help" for more information about a command.
```
Will add a Windows build and re-push to this PR.
https://github.com/mrozitron/nfr/releases/tag/v3.0.8 -> windows archives as part of release.
Since we're dynamically linking different versions of libpcap, I had to create different jobs as below:

- `build-centos[7,8]`, `build-debian` trigger goreleaser, but only to build the required packages/tarballs and sign them. These are then uploaded to github's action scratch space.
- `release-artifacts` gathers the artifacts generated from above, and triggers a goreleaser release whose only mission is to generate a changelog and trigger the draft release, uploading the artifacts generated above.

NOTE: `build-centos-7` is currently disabled due to gpg package version issues. Investigating.
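
The manual `which nfr` / `ldd` checks run in this thread can be scripted as a post-install smoke test for each per-distro build job. The following is an added example, not code from the nfr repository; the function names are hypothetical, `SAMPLE_OK` is taken from the CentOS 7 output above, and `SAMPLE_BROKEN` is constructed.

```shell
#!/bin/sh
# Added example (not from the nfr repository): post-install smoke check.

# check_bindir ACTUAL EXPECTED: fail if the binary moved (e.g. /usr/local/bin).
check_bindir() {
    [ "$1" = "$2" ] || { echo "unexpected path: $1 (want $2)"; return 1; }
}

# check_linkage SONAME: read `ldd` output on stdin; fail if any library is
# unresolved, or if SONAME is not linked at all.
check_linkage() {
    awk -v req="$1" '
        $2 == "=>" && $3 == "not" {            # "libX.so.N => not found"
            print "unresolved: " $1; bad = 1
            if ($1 == req) reported = 1
            next
        }
        $1 == req && $3 ~ /^\// { found = 1 }  # resolved to an absolute path
        END {
            if (!found && !reported) { print "absent: " req; bad = 1 }
            exit bad + 0
        }'
}

# smoke_check NAME EXPECTED_PATH SONAME: run both checks on an installed binary.
smoke_check() {
    bin=$(command -v "$1") || { echo "$1: not on PATH"; return 1; }
    check_bindir "$bin" "$2" && ldd "$bin" | check_linkage "$3"
}

# ldd output from the CentOS 7 test in this thread.
SAMPLE_OK='    linux-vdso.so.1 =>  (0x00007ffd411e6000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fef39623000)
    libpcap.so.1 => /lib64/libpcap.so.1 (0x00007fef393e2000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fef39014000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fef3983f000)'

# Constructed sample: a host where the libpcap soname does not resolve.
SAMPLE_BROKEN='    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0000000000)
    libpcap.so.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
```

On a freshly installed VM, run `smoke_check nfr /usr/bin/nfr libpcap.so.1`; a non-zero exit status means the package should not be released for that distro.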