brimdata / build-suricata

Build Suricata for packaging with Brim

Solus Linux failures #61

Open philrz opened 3 years ago

philrz commented 3 years ago

A community user reported:

Hi, I need some help with suricata and brim. Looks like it's not working on my installation. I'm on Solus Linux and had to copy a magic.mgc to /usr/share/file/ and /usr/share/misc/magic.mgc from an Ubuntu system to make it work. I think this could be the problem, because without this magic.mgc file: (screenshot omitted). Can those magic files be part of the app instead?

Indeed, it looks like we take this approach of bundling the magic file on macOS today, so I expect we could do the same thing in Linux now that we know there are some distros that lack the file in the common location.

In addition to the magic file, additional testing has also revealed a problem with SSL certs, as attempts to run the suricataupdater on Solus failed to download the Emerging Threats rule set due to error SSL: CERTIFICATE_VERIFY_FAILED. We'd seen the same on CentOS, and to address that we added the following to the suricataupdater script:

# "openssl version -d" prints e.g. OPENSSLDIR: "/etc/ssl"; take the second field
ca_path="$(openssl version -d | cut -d ' ' -f 2)"
# strip the surrounding double quotes from the directory name
ca_path="${ca_path//\"}"

# point Suricata Update's TLS verification at the bundle in OPENSSLDIR
SSL_CERT_FILE="$ca_path/cert.pem" ...

However, on Solus Linux, that cert.pem file is not present in that location, and my web searches did not turn up any hits on Solus Linux packages that include it. The problem seems to be specific to how Suricata Update works, though, because tools like curl and wget on Solus have no problem downloading the rules from the same URL that's failing with Suricata Update.

We confirmed that we could make it work by manually copying over a cert.pem from a CentOS system, and a community user was able to make it work by pointing at a specific cert:

SSL_CERT_FILE=/etc/ssl/certs/DigiCert_Global_Root_CA.pem ./usr/lib/brim/resources/app/zdeps/suricata/bin/suricata-update

Finally, if we make this all smooth, then there'd still be the higher-level question of a Brim installer that works on Solus, as the package formats we currently create like .deb and .rpm are not supported. The community user that reported this issue was working around that problem by manually unpacking the .deb:

Download the .deb file; unpack the .deb file with ar x brim_amd64.deb, which usually has data.tar.xz, control.tar.xz and debian-binary (text file with package containing a number / version). All I need is to extract data.tar.xz and run brim from the current usr/bin folder.

As we went on to discuss, one of the approaches described in https://github.com/brimsec/brim/issues/685 might be the way to go.
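One way to make the cert lookup described above robust across distros, as an added example that is not code from build-suricata or the suricataupdater script: derive the OPENSSLDIR/cert.pem path the same way the script does, then fall back to a list of well-known bundle locations (the fallback paths are assumptions about common distro layouts, not verified on Solus), and fail closed when no bundle is found rather than running with verification off.

```shell
#!/bin/sh
# Added example (not part of the build-suricata repo): find a usable CA bundle
# before invoking suricata-update so SSL_CERT_FILE can be set explicitly.

# Print candidate CA bundle locations, one per line, most specific first.
default_ca_candidates() {
    # Same derivation the suricataupdater script uses: OPENSSLDIR/cert.pem
    if command -v openssl >/dev/null 2>&1; then
        dir="$(openssl version -d 2>/dev/null | cut -d ' ' -f 2 | tr -d '"')"
        [ -n "$dir" ] && printf '%s\n' "$dir/cert.pem"
    fi
    # Assumed well-known bundle paths on other distributions.
    printf '%s\n' \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/ca-bundle.pem \
        /etc/ssl/cert.pem
}

# Read candidate paths from stdin and print the first readable, non-empty
# file. Exit status 1 with no output when none qualifies, so callers fail
# closed instead of silently disabling verification.
find_ca_bundle() {
    while IFS= read -r f; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Run the given command (e.g. suricata-update) with SSL_CERT_FILE set.
# An SSL_CERT_FILE already present in the environment takes precedence,
# which is how the community user's DigiCert workaround would plug in.
run_with_ca_bundle() {
    bundle="${SSL_CERT_FILE:-}"
    if [ -z "$bundle" ]; then
        bundle="$(default_ca_candidates | find_ca_bundle)" || {
            echo "no CA bundle found; refusing to run without TLS verification" >&2
            return 1
        }
    fi
    SSL_CERT_FILE="$bundle" "$@"
}
```

Usage: run_with_ca_bundle ./usr/lib/brim/resources/app/zdeps/suricata/bin/suricata-update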

philrz commented 3 years ago

The fix in #62 is expected to help with the "magic" portion of this, but the problems with the SSL cert and package formats are still assumed to be present.