Closed henridf closed 3 years ago
Verified using the v5.0.3-brimpre2 Suricata artifact.
FYI, unpacking the artifact and running suricataupdater.exe
out of the gate, I did still get the "Last download less than 15 minutes ago. Not downloading..." message. We talked about this 1-on-1 and I think we agreed this is unsurprising, since the unzip from Explorer resulted in all the timestamps being the current wall-clock time. However, I then waited 20 minutes, and when I ran it again I got a more encouraging "Remote checksum has not changed. Not fetching." Based on that, I'm expecting that if I'd waited long enough for the next Emerging Threats set to be published, I'd get that as an update here.
Thanks @henridf!
Oh, and more importantly, I've also verified with the draft Brim artifact rc-v0.21.0-suricatav5.0.3-brimpre2 that this update happens out-of-the-gate. That is, I installed the app via the Brim-Setup.exe and the app launched immediately as usual. I could see the update in the zqd-core.log (\r\n substitutions have been done for readability):
{"level":"info","ts":1606948951.7992604,"msg":"Suricata updater stdout","stdout":"2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\update.yaml
2/12/2020 -- 22:42:27 - <Info> -- Found Suricata version 5.0.3 at C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\bin\\suricata.exe.
2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\brim-conf.yaml
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol modbus
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol dnp3
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol enip
2/12/2020 -- 22:42:27 - <Info> -- No sources configured, will use Emerging Threats Open
2/12/2020 -- 22:42:27 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
2/12/2020 -- 22:42:28 - <Info> -- Done.
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\app-layer-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\decoder-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dhcp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dnp3-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dns-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\files.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\http-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ipsec-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\kerberos-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\modbus-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\nfs-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ntp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smb-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smtp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\stream-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\tls-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Ignoring file rules/emerging-deleted.rules
2/12/2020 -- 22:42:31 - <Info> -- Loaded 28634 rules.
2/12/2020 -- 22:42:31 - <Info> -- Disabled 14 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Modified 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Dropped 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 145 rules for flowbit dependencies.
2/12/2020 -- 22:42:31 - <Info> -- Creating directory C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules.
2/12/2020 -- 22:42:31 - <Info> -- Backing up current rules.
2/12/2020 -- 22:42:31 - <Info> -- Writing rules to C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\suricata.rules: total: 28634; enabled: 21244; added: 28634; removed 0; modified: 0
2/12/2020 -- 22:42:31 - <Info> -- Writing C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\classification.config
2/12/2020 -- 22:42:31 - <Info> -- Skipping test, disabled by configuration.
2/12/2020 -- 22:42:31 - <Info> -- Done.
"}
As you can see, there was no refusal to download due to timestamps, checksums, etc., which is precisely what we'd hope for, since if the Brim package the user is installing is several days old, the Emerging Threats rules it got packaged with are already too old, so it's great to know they'll get current alerts out-of-the-gate.
And as one more form of verification, I can also testify that with that Brim artifact, the rules in question are ending up below a directory %APPDATA%\Brim\suricata. Part of what tipped us off to this original issue is that we were seeing the suricata directory being created under the usual Electron "user data" path on macOS/Linux, but not on Windows. Now with the benefit of this fix, right after that initial launch that triggers the Suricata update, we have:
C:\Program Files (x86)\Google\Cloud SDK>dir /s %APPDATA%\Brim\suricata
Volume in drive C has no label.
Volume Serial Number is FA0C-5C0F
Directory of C:\Users\phil\AppData\Roaming\Brim\suricata
12/02/2020 10:55 PM <DIR> .
12/02/2020 10:55 PM <DIR> ..
12/02/2020 10:55 PM <DIR> rules
12/02/2020 10:55 PM <DIR> update
12/02/2020 10:55 PM 176 update.yaml
1 File(s) 176 bytes
Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\rules
12/02/2020 10:55 PM <DIR> .
12/02/2020 10:55 PM <DIR> ..
12/02/2020 10:55 PM 3,250 classification.config
12/02/2020 10:55 PM 16,024,995 suricata.rules
2 File(s) 16,028,245 bytes
Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update
12/02/2020 10:55 PM <DIR> .
12/02/2020 10:55 PM <DIR> ..
12/02/2020 10:55 PM <DIR> cache
0 File(s) 0 bytes
Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update\cache
12/02/2020 10:55 PM <DIR> .
12/02/2020 10:55 PM <DIR> ..
12/02/2020 10:55 PM 2,827,063 70d9eddbf429eafe2b741e615a00a74a-emerging.rules.tar.gz
1 File(s) 2,827,063 bytes
Total Files Listed:
4 File(s) 18,855,484 bytes
11 Dir(s) 30,895,759,360 bytes free
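As an added check that turns the verification above into something repeatable (example code written for this thread, not Brim's or suricata-update's own), the following parses a zqd-core.log "Suricata updater stdout" record of the shape quoted above and reports whether the first launch actually fetched and wrote a ruleset, or whether the updater skipped the download for the timestamp or checksum reasons discussed earlier in the thread. It assumes only that record shape and the log lines quoted here; the sample records are constructed and abbreviated from the log above.

```python
import json
import re

# Messages suricata-update prints when it decides not to download (quoted in the thread above).
SKIP_RECENT = "Last download less than 15 minutes ago. Not downloading"
SKIP_CHECKSUM = "Remote checksum has not changed. Not fetching"
FETCH_RE = re.compile(r"<Info> -- Fetching (\S+?)\.?$")
LOADED_RE = re.compile(r"<Info> -- Loaded (\d+) rules\.")
WRITE_RE = re.compile(r"Writing rules to (.+?): total: (\d+); enabled: (\d+);")

def classify_updater_run(record_line):
    """Summarise one zqd-core.log 'Suricata updater stdout' record: what was fetched,
    why a download was skipped, how many rules loaded, and where suricata.rules went."""
    rec = json.loads(record_line)
    if rec.get("msg") != "Suricata updater stdout":
        raise ValueError("not a 'Suricata updater stdout' record")
    summary = {"fetched": None, "skipped": None, "loaded": 0, "rules_path": None, "enabled": 0}
    for line in rec["stdout"].splitlines():  # the real log carries \r\n inside the JSON string
        if SKIP_RECENT in line:
            summary["skipped"] = "recent-download"
        elif SKIP_CHECKSUM in line:
            summary["skipped"] = "checksum-unchanged"
        m = FETCH_RE.search(line)
        if m:
            summary["fetched"] = m.group(1)
        m = LOADED_RE.search(line)
        if m:
            summary["loaded"] = int(m.group(1))
        m = WRITE_RE.search(line)
        if m:
            summary["rules_path"], summary["enabled"] = m.group(1), int(m.group(3))
    return summary

def first_launch_updated(record_line):
    """True when the run downloaded a fresh ruleset and wrote enabled rules,
    i.e. the out-of-the-gate behaviour verified in the thread above."""
    s = classify_updater_run(record_line)
    return s["skipped"] is None and s["fetched"] is not None and s["enabled"] > 0

# Constructed sample records, abbreviated from the log quoted above.
GOOD_RECORD = json.dumps({"level": "info", "ts": 1606948951.7992604, "msg": "Suricata updater stdout", "stdout": "\r\n".join([
    "2/12/2020 -- 22:42:27 - <Info> -- No sources configured, will use Emerging Threats Open",
    "2/12/2020 -- 22:42:27 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.",
    "2/12/2020 -- 22:42:31 - <Info> -- Loaded 28634 rules.",
    "2/12/2020 -- 22:42:31 - <Info> -- Writing rules to C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\suricata.rules: total: 28634; enabled: 21244; added: 28634; removed 0; modified: 0",
    "2/12/2020 -- 22:42:31 - <Info> -- Done."])})
SKIPPED_RECORD = json.dumps({"level": "info", "ts": 1606949000.0, "msg": "Suricata updater stdout", "stdout":
    "2/12/2020 -- 22:43:20 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz."})
```

Running it over a freshly unzipped install (timestamps reset by Explorer) yields the "recent-download" skip the thread describes, while the Brim-Setup.exe launch above classifies as a real update.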
@philrz just verified this on windows, both with and without the BRIM_SURICATA_USER_DIR in the process' environment.