
Make win suricataupdater BRIM_SURICATA_USER_DIR-aware #57

Merged
merged 1 commit into from
Dec 2, 2020

Conversation

henridf
Contributor

@henridf henridf commented Dec 2, 2020

@philrz just verified this on Windows, both with and without the BRIM_SURICATA_USER_DIR in the process' environment.

@henridf henridf requested a review from philrz December 2, 2020 18:09
@henridf henridf marked this pull request as ready for review December 2, 2020 18:10
@henridf henridf merged commit 84b8847 into master Dec 2, 2020
@henridf henridf deleted the fix-updater-windows branch December 2, 2020 18:23
@philrz
Contributor

philrz commented Dec 2, 2020

Verified using the v5.0.3-brimpre2 Suricata artifact.

FYI, unpacking the artifact and running suricataupdater.exe out of the gate, I did still get the "Last download less than 15 minutes ago. Not downloading..." message. We talked about this 1-on-1 and I think we agreed this is unsurprising, since the unzip from Explorer resulted in all the timestamps being the current wall clock time. However, I then waited 20 minutes, and when I ran it again I got a more encouraging "Remote checksum has not changed. Not fetching." Based on that, I'm expecting that if I'd waited long enough for the next Emerging Threats set to be published, I'd get that as an update here.

Thanks @henridf!

@philrz
Contributor

philrz commented Dec 2, 2020

Oh, and more importantly, I've also verified with the draft Brim artifact rc-v0.21.0-suricatav5.0.3-brimpre2 that this update happens out-of-the-gate. That is, I installed the app via the Brim-Setup.exe and the app launched immediately as usual. I could see the update in the zqd-core.log (\r\n substitutions have been done for readability):

{"level":"info","ts":1606948951.7992604,"msg":"Suricata updater stdout","stdout":"2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\update.yaml
2/12/2020 -- 22:42:27 - <Info> -- Found Suricata version 5.0.3 at C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\bin\\suricata.exe.
2/12/2020 -- 22:42:27 - <Info> -- Loading C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\brim-conf.yaml
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol modbus
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol dnp3
2/12/2020 -- 22:42:27 - <Info> -- Disabling rules for protocol enip
2/12/2020 -- 22:42:27 - <Info> -- No sources configured, will use Emerging Threats Open
2/12/2020 -- 22:42:27 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
2/12/2020 -- 22:42:28 - <Info> -- Done.
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\app-layer-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\decoder-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dhcp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dnp3-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\dns-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\files.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\http-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ipsec-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\kerberos-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\modbus-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\nfs-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\ntp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smb-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\smtp-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\stream-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Loading distribution rule file C:\\Users\\phil\\AppData\\Local\\Brim\\app-0.20.0\\resources\\app\\zdeps\\suricata\\share\\suricata\\rules\\tls-events.rules
2/12/2020 -- 22:42:28 - <Info> -- Ignoring file rules/emerging-deleted.rules
2/12/2020 -- 22:42:31 - <Info> -- Loaded 28634 rules.
2/12/2020 -- 22:42:31 - <Info> -- Disabled 14 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Modified 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Dropped 0 rules.
2/12/2020 -- 22:42:31 - <Info> -- Enabled 145 rules for flowbit dependencies.
2/12/2020 -- 22:42:31 - <Info> -- Creating directory C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules.
2/12/2020 -- 22:42:31 - <Info> -- Backing up current rules.
2/12/2020 -- 22:42:31 - <Info> -- Writing rules to C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\suricata.rules: total: 28634; enabled: 21244; added: 28634; removed 0; modified: 0
2/12/2020 -- 22:42:31 - <Info> -- Writing C:\\Users\\phil\\AppData\\Roaming\\Brim\\suricata\\rules\\classification.config
2/12/2020 -- 22:42:31 - <Info> -- Skipping test, disabled by configuration.
2/12/2020 -- 22:42:31 - <Info> -- Done.
"}

As you can see, there was no refusal to download due to timestamps, checksums, etc., which is precisely what we'd hope for, since if the Brim package the user is installing is several days old, the Emerging Threats rules it got packaged with are already too old, so it's great to know they'll get current alerts out-of-the-gate.

@philrz
Contributor

philrz commented Dec 2, 2020

And as one more form of verification, I can also testify that with that Brim artifact, the rules in question are ending up below a directory %APPDATA%\Brim\suricata. Part of what tipped us off to this original issue is that we were seeing the suricata directory being created under the usual Electron "user data" path on macOS/Linux, but not on Windows. Now with the benefit of this fix, right after that initial launch that triggers the Suricata update, we have:

C:\Program Files (x86)\Google\Cloud SDK>dir /s %APPDATA%\Brim\suricata
 Volume in drive C has no label.
 Volume Serial Number is FA0C-5C0F

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM    <DIR>          rules
12/02/2020  10:55 PM    <DIR>          update
12/02/2020  10:55 PM               176 update.yaml
               1 File(s)            176 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\rules

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM             3,250 classification.config
12/02/2020  10:55 PM        16,024,995 suricata.rules
               2 File(s)     16,028,245 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM    <DIR>          cache
               0 File(s)              0 bytes

 Directory of C:\Users\phil\AppData\Roaming\Brim\suricata\update\cache

12/02/2020  10:55 PM    <DIR>          .
12/02/2020  10:55 PM    <DIR>          ..
12/02/2020  10:55 PM         2,827,063 70d9eddbf429eafe2b741e615a00a74a-emerging.rules.tar.gz
               1 File(s)      2,827,063 bytes

     Total Files Listed:
               4 File(s)     18,855,484 bytes
              11 Dir(s)  30,895,759,360 bytes free
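The two gates philrz describes in his first comment (the 15-minute "last download" check that a fresh Explorer unzip trips, followed by the remote-checksum comparison) and the directory resolution behind the listing above (BRIM_SURICATA_USER_DIR when set, otherwise %APPDATA%\Brim\suricata), modelled together as an added Python example. This is not Brim's or suricata-update's own code. It assumes BRIM_SURICATA_USER_DIR names the Suricata user directory directly, takes the remote checksum as a parameter instead of fetching the upstream .md5 file, and runs against a constructed cache directory so it works offline.

```python
"""Added example, not project code: model the freshness and checksum gates
that suricata-update logs before downloading, plus the user-dir lookup."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

FRESHNESS_WINDOW_S = 15 * 60  # the "less than 15 minutes ago" gate in the log
CACHE_NAME = "emerging.rules.tar.gz"


def resolve_user_dir(env, appdata):
    """Return the Suricata user directory.

    Assumption (not stated in the PR): BRIM_SURICATA_USER_DIR, when set,
    names the directory directly; otherwise fall back to the Electron
    user-data location seen in the dir listing, %APPDATA%\\Brim\\suricata.
    """
    override = env.get("BRIM_SURICATA_USER_DIR")
    if override:
        return Path(override)
    return Path(appdata) / "Brim" / "suricata"


def download_decision(cache_dir, remote_md5, now):
    """Model the two checks the updater reports before fetching rules.

    Simplified: the real updater keys its cache file on the source URL and
    reads the remote .md5 companion file; here the caller passes the remote
    checksum in so the function runs offline.
    """
    cached = list(Path(cache_dir).glob(f"*-{CACHE_NAME}"))
    if not cached:
        return "fetch: no cached rule set"
    newest = max(cached, key=lambda p: p.stat().st_mtime)
    # Gate 1: file mtime. An Explorer unzip stamps every file with "now",
    # which is why a just-unpacked artifact refuses to download.
    if now - newest.stat().st_mtime < FRESHNESS_WINDOW_S:
        return "skip: last download less than 15 minutes ago"
    # Gate 2: compare the cached tarball against the upstream checksum.
    if hashlib.md5(newest.read_bytes()).hexdigest() == remote_md5:
        return "skip: remote checksum has not changed"
    return "fetch: remote checksum changed"


def scenarios():
    """Reproduce the situations from the comments with a constructed cache
    directory; returns the decision reached in each one."""
    payload = b"constructed stand-in for emerging.rules.tar.gz"
    local_md5 = hashlib.md5(payload).hexdigest()
    now = time.time()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "update" / "cache"
        cache.mkdir(parents=True)
        tarball = cache / f"{local_md5}-{CACHE_NAME}"
        tarball.write_bytes(payload)

        # 1. Unzipped from Explorer moments ago: every mtime is "now".
        os.utime(tarball, (now, now))
        results["fresh_unzip"] = download_decision(cache, local_md5, now)

        # 2. Twenty minutes later, upstream still serves the same set.
        old = now - 20 * 60
        os.utime(tarball, (old, old))
        results["after_20_min_same"] = download_decision(cache, local_md5, now)

        # 3. Twenty minutes later, a new Emerging Threats set was published
        #    (constructed checksum that cannot match the cached file).
        results["after_20_min_new"] = download_decision(cache, "0" * 32, now)

        # 4. Fresh install: the cache directory exists but is empty.
        empty = Path(tmp) / "empty"
        empty.mkdir()
        results["empty_cache"] = download_decision(empty, local_md5, now)
    return results


if __name__ == "__main__":
    print(resolve_user_dir(os.environ, os.environ.get("APPDATA", "C:/Users/example/AppData/Roaming")))
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The order of the gates matters for the observation in the comment: the mtime check runs first, so a just-unpacked artifact reports "not downloading" even when the checksum would have differed; only once the file is older than the window does the checksum comparison get a chance to trigger a fetch.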
