Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Install ja3 module into Bro as part of the Rita installer. #384

Merged
merged 3 commits into from Feb 19, 2019

Conversation

Projects
None yet
4 participants
@william-stearns
Copy link
Contributor

william-stearns commented Feb 17, 2019

#638

@meljbruno

This comment has been minimized.

Copy link
Collaborator

meljbruno commented Feb 18, 2019

When I try to run install.sh I get the following error: ./install.sh: line 221: syntax error near unexpected token fi'`

meljbruno and others added some commits Feb 18, 2019

Minor syntax change to Melissa's fix
The square brackets (aka "test") aren't needed; we're using the return code from grep directly.
@ethack

ethack approved these changes Feb 19, 2019

@ethack ethack merged commit ce1b902 into master Feb 19, 2019

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@ethack ethack deleted the wls_add_ja3_to_bro branch Feb 19, 2019

@Snarfamundo

This comment has been minimized.

Copy link

Snarfamundo commented Feb 26, 2019

Hi,
When updating RITA from 1.1.1 to 2.0.0 I get an error when I run the new install.sh.

sudo ./install.sh
[sudo] password for #######:
[!] RITA is already installed.
[?] Would you like to re-install? [y/N] Y

_ \ _ _| __ __|
/ | | _
|\ ___| _| _/ _\ v2.0.0
Brought to you by Active CounterMeasures

[-] In order to run the installer, several basic packages must be installed.
[-] Updating packages... SUCCESS
[-] Ensuring curl is installed... SUCCESS
[-] Ensuring coreutils is installed... SUCCESS
[-] Ensuring lsb-release is installed... SUCCESS
[-] Ensuring yum-utils is installed... SUCCESS
[-] This installer will:
[-] Bro IDS is already installed
curl: (23) Failed writing body (0 != 55)
[!] Installation FAILED on line 226.

The block of code it errors on checks the folder $local_path/ja3 which is empty in my current standard install RITA 1.1.1

for one_file in __load__.bro intel_ja3.bro ja3.bro ja3s.bro ; do
	if [ ! -e $local_path/ja3/$one_file ]; then
		curl -sSL "https://raw.githubusercontent.com/salesforce/ja3/master/bro//$one_file" -o "$local_file/ja3/$one_file"
	fi
done

If the BRO module ja3 is now a requirement for RITA the install script should check for it and install it if it is missing.

Additionally the article on updating RITA needs to be amended with any additional steps which are now required as it currently states that "You can also use the install.sh installer to update between versions."

https://github.com/activecm/rita/blob/master/docs/Upgrading.md

@ethack

This comment has been minimized.

Copy link
Collaborator

ethack commented Feb 26, 2019

@Snarfamundo Thank you for the report!

I apologize, we usually include the correct install.sh file on the release page but didn't this time as an oversight. I've uploaded it now so you can use that version of the install script to perform your upgrade.

To explain a little about your error, the ja3 module will be used in RITA v3 which is not yet released. The lines you posted are meant to do exactly what you suggest: check for ja3 and install it if it's missing. But there is a bug in that code and we're so glad you reported it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.