brimdata / build-suricata

Build Suricata for packaging with Brim

Make win suricataupdater BRIM_SURICATA_USER_DIR-aware #57

Closed henridf closed 3 years ago

henridf commented 3 years ago

@philrz just verified this on Windows, both with and without the BRIM_SURICATA_USER_DIR in the process' environment.

philrz commented 3 years ago

Verified using the v5.0.3-brimpre2 Suricata artifact.

FYI, unpacking the artifact and running suricataupdater.exe out of the gate, I did still get the "Last download less than 15 minutes ago. Not downloading..." message. We talked about this 1-on-1 and I think we agreed this is unsurprising, since the unzip from Explorer resulted in all the timestamps being set to the current wall clock time. However, I then waited 20 minutes, and when I ran it again I got a more encouraging "Remote checksum has not changed. Not fetching." Based on that, I'm expecting if I'd waited long enough for the next Emerging Threats set to be published, I'd get that as an update here.

Thanks @henridf!

philrz commented 3 years ago

Oh, and more importantly, I've also verified with the draft Brim artifact rc-v0.21.0-suricatav5.0.3-brimpre2 that this update happens out-of-the-gate. That is, I installed the app via the Brim-Setup.exe and the app launched immediately as usual. I could see the update in the zqd-core.log (\r\n substitutions have been done for readability):

{"level":"info","ts":1606948951.7992604,"msg":"Suricata updater stdout","stdout":"2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\update.yaml
2/12/2020 -- 22:42:27 - <Info> -- Found Suricata version 5.0.3 at C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\bin\\suricata.exe.
2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\brim-conf.yaml
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol modbus
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol dnp3
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol enip
2/12/2020 -- 22:42:27 - <Info> -- No sources configured, will use Emerging Threats Open
2/12/2020 -- 22:42:27 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
2/12/2020 -- 22:42:28 - <Info> -- Done.
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\app-layer-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\decoder-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dhcp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dnp3-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dns-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\files.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\http-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ipsec-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\kerberos-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\modbus-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\nfs-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ntp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smb-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smtp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\stream-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\tls-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Ignoring file rules/emerging-deleted.rules
2/12/2020 -- 22:42:31 - <Info> -- Loaded 28634 rules.
2/12/2020 -- 22:42:31 - <Info> -- Disabled 14 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Modified 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Dropped 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 145 rules for flowbit dependencies.
2/12/2020 -- 22:42:31 - <Info> -- Creating directory C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules.
2/12/2020 -- 22:42:31 - <Info> -- Backing up current rules.
2/12/2020 -- 22:42:31 - <Info> -- Writing rules to C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\suricata.rules: total: 28634; enabled: 21244; added: 28634; removed 0; modified: 0
2/12/2020 -- 22:42:31 - <Info> -- Writing C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\classification.config
2/12/2020 -- 22:42:31 - <Info> -- Skipping test, disabled by configuration.
2/12/2020 -- 22:42:31 - <Info> -- Done.
"}

As you can see, there was no refusal to download due to timestamps, checksums, etc., which is precisely what we'd hope for. If the Brim package the user is installing is several days old, the Emerging Threats rules it got packaged with are already too old, so it's great to know they'll get current alerts out-of-the-gate.

philrz commented 3 years ago

And as one more form of verification, I can also testify that with that Brim artifact, the rules in question are ending up below a directory %APPDATA%\Brim\suricata. Part of what tipped us off to this original issue is that we were seeing the suricata directory being created under the usual Electron "user data" path on macOS/Linux, but not on Windows. Now with the benefit of this fix, right after that initial launch that triggers the Suricata update, we have:

C:\Program Files (x86)\Google\Cloud SDK>dir /s %APPDATA%\Brim\suricata
 Volume in drive C has no label.
 Volume Serial Number is FA0C-5C0F

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM    <DIR>          rules
12/02/2020  10:55 PM    <DIR>          update
12/02/2020  10:55 PM               176 update.yaml
               1 File(s)            176 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\rules

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM             3,250 classification.config
12/02/2020  10:55 PM        16,024,995 suricata.rules
               2 File(s)     16,028,245 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM    <DIR>          cache
               0 File(s)              0 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update\cache

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM         2,827,063 70d9eddbf429eafe2b741e615a00a74a-emerging.rules.tar.gz
               1 File(s)      2,827,063 bytes

     Total Files Listed:
               4 File(s)     18,855,484 bytes
              11 Dir(s)  30,895,759,360 bytes free
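The thread verifies two behaviours: where the updater keeps its state (BRIM_SURICATA_USER_DIR when set, otherwise %APPDATA%\Brim\suricata on Windows, as the dir listing above shows), and the two skip conditions behind the log messages quoted in the first verification comment ("Last download less than 15 minutes ago. Not downloading..." and "Remote checksum has not changed. Not fetching."). The Python below is an added example that models both decisions so they can be exercised offline; it is not code from build-suricata, Brim or suricata-update. The 15-minute threshold, the environment variable name and the Windows default come from the thread; the macOS/Linux default paths (Electron-style userData locations), the use of an MD5 of the cached tarball as the value compared against the remote checksum, the constructed tarball bytes, and all function names are assumptions.

```python
"""Model of the updater's state-directory resolution and fetch-skip logic.

Added example: a simplified model, not suricata-update's or Brim's code.
"""
import hashlib
import os
import sys
import tempfile
import time
from pathlib import Path, PurePosixPath, PureWindowsPath

# From the thread: a cached download younger than this is not refreshed.
CACHE_MAX_AGE_SECONDS = 15 * 60


def user_dir(env=None, platform=None, home=None):
    """Resolve the writable directory for update.yaml, rules/ and update/cache/.

    BRIM_SURICATA_USER_DIR wins when set. Otherwise fall back to
    %APPDATA%\\Brim\\suricata on Windows (shown in the thread) or to an
    assumed Electron-style userData path on macOS/Linux.
    """
    env = os.environ if env is None else env
    platform = sys.platform if platform is None else platform
    windows = platform.startswith("win")
    P = PureWindowsPath if windows else PurePosixPath
    explicit = env.get("BRIM_SURICATA_USER_DIR")
    if explicit:
        return P(explicit)
    if windows:
        appdata = env.get("APPDATA")
        if not appdata:
            raise RuntimeError("APPDATA is not set; cannot locate the Brim user dir")
        return P(appdata) / "Brim" / "suricata"
    home = P(home) if home else P(os.path.expanduser("~"))
    if platform == "darwin":  # assumed default, mirrors Electron's userData on macOS
        return home / "Library" / "Application Support" / "Brim" / "suricata"
    cfg = env.get("XDG_CONFIG_HOME")  # assumed default, mirrors Electron's userData on Linux
    base = P(cfg) if cfg else home / ".config"
    return base / "Brim" / "suricata"


def fetch_decision(cache_mtime, cache_md5, remote_md5, now):
    """Pure decision: 'fresh' (skip, cache < 15 min old), 'unchanged'
    (skip, remote checksum equals cached file's), or 'fetch'."""
    if cache_mtime is not None:
        if now - cache_mtime < CACHE_MAX_AGE_SECONDS:
            return "fresh"
        if cache_md5 is not None and cache_md5 == remote_md5:
            return "unchanged"
    return "fetch"


def decide_for_file(cache_path, remote_md5, now=None):
    """Apply fetch_decision to a real cached tarball on disk."""
    cache_path = Path(cache_path)
    now = time.time() if now is None else now
    if not cache_path.exists():
        return fetch_decision(None, None, remote_md5, now)
    local_md5 = hashlib.md5(cache_path.read_bytes()).hexdigest()  # assumed comparison value
    return fetch_decision(cache_path.stat().st_mtime, local_md5, remote_md5, now)


def demo():
    """Replay the thread's sequence against a temporary cache directory."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "update" / "cache"
        cache.mkdir(parents=True)
        tarball = cache / "emerging.rules.tar.gz"
        tarball.write_bytes(b"constructed stand-in for the rules tarball")
        now = time.time()
        os.utime(tarball, (now, now))  # Explorer unzip: mtime == current wall clock
        remote = hashlib.md5(tarball.read_bytes()).hexdigest()
        results.append(decide_for_file(tarball, remote, now=now))            # fresh
        results.append(decide_for_file(tarball, remote, now=now + 20 * 60))  # unchanged
        results.append(decide_for_file(tarball, "0" * 32, now=now + 20 * 60))  # fetch
    return results


if __name__ == "__main__":
    print("user dir:", user_dir())
    print("decisions:", demo())
```

The third call in demo() is the case the thread could not wait for: once the remote checksum differs from the cached tarball, the updater fetches. Note that the 15-minute check is purely mtime-based, so any step that rewrites timestamps (an unzip, a copy without attribute preservation) makes a stale cache look fresh for a quarter of an hour; the checksum comparison is what actually establishes whether the rules are current.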