Feature #2357

closed

Feature request. Initial Downloading ruleset

Added by Aleksander Aksenov over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal

Description

Hello,

I just faced a problem related to downloading the latest 'Emerging Threats ruleset' immediately after updating the suricata.deb package.
The problem is connected to the PCI DSS standard and the prohibition of direct access to the repository with rulesets.
We have a local repository up and running. It works fine.
But for the update/installation process it doesn't work.

It looks like below:

$ sudo dpkg --configure -a
Setting up suricata (4.0.3-1ubuntu2) ...
Download and install the latest Emerging Threats Open ruleset

My request is to amend the Debian post-installation script and remove the following part of the postinstall script:

echo "Download and install the latest Emerging Threats Open ruleset \n"
echo "Downloading..."
/bin/mkdir -p /etc/suricata/rules
/usr/bin/wget --timeout=10 -qO - https://rules.emergingthreats.net/open/suricata/ > /dev/null && \
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
if [ $? -eq 0 ]; then
    echo "Latest ET Open rule set deployed in /etc/suricata/rules !"
else
    echo "Please check your connection - could not download ruleset from: "
    echo "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"
    echo "Skipping download"
fi


Files

example.png (10.2 KB): Wget wrong timeout handler. Aleksander Aksenov, 12/21/2017 10:54 AM
example2.png (13 KB): Aleksander Aksenov, 12/22/2017 05:10 AM

Actions #1

Updated by Peter Manev over 6 years ago

The postinst script should not stop the installation itself. It should simply skip that step if it times out.
It was actually coming from this feature request (very similar to what you are mentioning) - https://redmine.openinfosecfoundation.org/issues/1730

In your case does it not update at all?

Actions #2

Updated by Aleksander Aksenov over 6 years ago

Hi,

Yes, it is the same issue.
The timeout is too long. It takes about 20 minutes before it completes with no result.
It affects management through Ansible playbooks, because the Suricata package installation or update process does not return a 0 code within the time allowed for Ansible playbooks.

Actions #3

Updated by Aleksander Aksenov over 6 years ago

Hello,

I just checked with

0.0.0.0 rules.emergingthreats.net

It works fine. The download is skipped, as it has to be.

Thanks. Incident can be closed.

Just one wish: please add information about it to the documentation, in the Installation part.

Actions #4

Updated by Peter Manev over 6 years ago

  • Assignee set to Peter Manev

We can amend the docs for sure.
I will also test out a smaller timeout (the reported 20 min seems too big)

This could also be handled differently in the near future with https://github.com/OISF/suricata-update coming into stable.

Actions #5

Updated by Andreas Herz over 6 years ago

  • Target version set to Documentation

What exactly would you want to have covered in the documentation?

Actions #6

Updated by Aleksander Aksenov over 6 years ago

Hello,

I have tested it with different wget timeouts. It looks like it is multiplied by 3. As a result, instead of 5 seconds it hangs for up to 15-17 seconds (general timeout + DNS resolution timeout + connect timeout + read timeout).

As for the documentation, I'd rather see a notice on how to disable downloading of rulesets at the installation stage.

Actions #7

Updated by Aleksander Aksenov over 6 years ago

Aleksander Aksenov wrote:

Hello,

I have tested it with different wget timeouts. It looks like it is multiplied by 4. As a result, instead of 5 seconds it hangs for up to 15-17 seconds (general timeout + DNS resolution timeout + connect timeout + read timeout). Also, it looks like wget counts minutes instead of seconds.

Example in the attachment.

As for the documentation, I'd rather see a notice on how to disable downloading of rulesets at the installation stage.

Actions #8

Updated by Peter Manev over 6 years ago

Aleksander,

Can you try/test out adding "--tries=1" to the command -

/usr/bin/wget --timeout=10s --tries=1 -qO - https://rules.emergingthreats.net/open/suricata/

Would it make any difference timewise?

Actions #9

Updated by Aleksander Aksenov over 6 years ago

Hi Peter,

Now it is much more convenient (approx. 20s).
Please see the attached screenshot.

Actions #10

Updated by Peter Manev over 6 years ago

Ok,
Thank you for confirming.
I can amend the script for the next release as a workaround.

Actions #11

Updated by Peter Manev about 6 years ago

  • Status changed from New to Closed
  • Target version changed from Documentation to 4.0.4

That should be fixed in the current PPA.
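
The points raised in this thread (a single wget attempt, a bounded total wait, and a way to disable the download), combined in one postinst-style function. This is an added example, not part of the original thread or of the Suricata package; `fetch_rules`, `SKIP_RULE_DOWNLOAD`, `MAX_WAIT` and `FETCH_CMD` are names assumed for illustration.

```sh
#!/bin/sh
# Added example, not the Suricata package's postinst.
# SKIP_RULE_DOWNLOAD, MAX_WAIT and FETCH_CMD are hypothetical knobs.

RULES_URL="https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"

# One attempt only, with each wget phase capped on its own.
# A bare --timeout sets the DNS, connect and read timeouts together,
# and wget retries up to 20 times by default.
FETCH_CMD="${FETCH_CMD:-/usr/bin/wget --tries=1 --dns-timeout=5 --connect-timeout=5 --read-timeout=10 -qO -}"

# fetch_rules DEST_DIR
# Returns 0 when rules were deployed, 1 when the step was skipped.
fetch_rules() {
    dest="$1"
    if [ "${SKIP_RULE_DOWNLOAD:-0}" = "1" ]; then
        echo "Ruleset download disabled, skipping"
        return 1
    fi
    tmp=$(mktemp) || return 1
    # timeout(1) enforces a wall-clock cap on the whole transfer, whatever
    # wget's own timers add up to. FETCH_CMD is split into words on purpose.
    # The archive goes to a temp file first, so a partial download is never
    # unpacked into the rules directory.
    if timeout "${MAX_WAIT:-30}" $FETCH_CMD "$RULES_URL" > "$tmp" \
        && mkdir -p "$dest" \
        && tar -x -z -C "$dest" -f "$tmp"; then
        echo "Latest ruleset deployed in $dest/rules"
        rc=0
    else
        echo "Could not download $RULES_URL, skipping"
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# In a maintainer script the result is ignored so installation continues:
#   fetch_rules /etc/suricata || true
```

With `MAX_WAIT` below the time limit of the automation that drives the install, the step cannot outlast that limit even when the rules host is unreachable.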
