Feature #2357
Closed
Feature request. Initial Downloading ruleset
Description
Hello,
I just faced a problem related to downloading the latest 'Emerging Threats ruleset' immediately after updating the suricata.deb package.
The problem is connected to the PCI DSS standard and the prohibition of direct access to the repository with rulesets.
We have a local repository up and running. It works fine.
But for the update/installation process it doesn't work.
It looks like below:
$ sudo dpkg --configure -a
Setting up suricata (4.0.3-1ubuntu2) ...
Download and install the latest Emerging Threats Open ruleset
My request is to amend the Debian post-installation script and remove the following part of the postinst script:
echo "Download and install the latest Emerging Threats Open ruleset \n"
echo "Downloading..."
/bin/mkdir -p /etc/suricata/rules
/usr/bin/wget --timeout=10 -qO - https://rules.emergingthreats.net/open/suricata/ > /dev/null && \
    /usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
if [ $? -eq 0 ]; then
    echo "Latest ET Open rule set deployed in /etc/suricata/rules !"
else
    echo "Please check your connection - could not download ruleset from: "
    echo "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"
    echo "Skipping download"
fi
Updated by Peter Manev about 7 years ago
The postinst script should not stop the installation itself. It should simply skip that step if it times out.
It was actually coming from this feature request (very similar to what you are mentioning) - https://redmine.openinfosecfoundation.org/issues/1730
In your case does it not update at all?
Updated by Aleksander Aksenov about 7 years ago
Hi,
Yes, it is the same issue.
The timeout is too long. It takes about 20 minutes before it completes with no result.
It affects management through Ansible playbooks, because the Suricata package installation or update process does not return a 0 exit code within the time allowed for Ansible playbooks.
Updated by Aleksander Aksenov about 7 years ago
Hello,
Just checked with
0.0.0.0 rules.emergingthreats.net
It works fine. The download is skipped, as it has to be.
Thanks. The incident can be closed.
Just one wish - please add information about it to the documentation, in the Installation part.
Updated by Peter Manev about 7 years ago
- Assignee set to Peter Manev
We can amend the docs for sure.
I will also test out a smaller timeout (the reported 20 min seems too big)
This could also be handled differently in the near future with https://github.com/OISF/suricata-update coming into stable.
Updated by Andreas Herz about 7 years ago
- Target version set to Documentation
What exactly would you want to have covered in the documentation?
Updated by Aleksander Aksenov about 7 years ago
Hello,
I have tested it with different wget timeouts. It looks like it multiplies by 3. As a result, instead of 5 seconds it hangs for up to 15-17 seconds (general timeout + DNS resolution timeout + connect timeout + read timeout).
As for the documentation, I'd rather see a notice regarding how to disable downloading of rulesets at the installation stage.
Updated by Aleksander Aksenov about 7 years ago
- File example.png added
Aleksander Aksenov wrote:
Hello,
I have tested it with different wget timeouts. It looks like it multiplies by 4. As a result, instead of 5 seconds it hangs for up to 15-17 seconds (general timeout + DNS resolution timeout + connect timeout + read timeout). Also, it looks like wget counts minutes instead of seconds.
Example in the attachment.
As for the documentation, I'd rather see a notice regarding how to disable downloading of rulesets at the installation stage.
Updated by Peter Manev about 7 years ago
Aleksander,
Can you try/test out adding "--tries=1" to the command -
/usr/bin/wget --timeout=10s --tries=1 -qO - https://rules.emergingthreats.net/open/suricata/
Would it make any difference timewise?
Updated by Aleksander Aksenov about 7 years ago
- File example2.png added
Hi Peter,
Now it is much more convenient (approx. 20s).
Please see the attached screenshot.
Updated by Peter Manev about 7 years ago
Ok,
Thank you for confirming.
I can amend the script for the next release as a workaround.
Updated by Peter Manev almost 7 years ago
- Status changed from New to Closed
- Target version changed from Documentation to 4.0.4
That should be fixed in the current PPA.
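
An added example, not part of this thread or of Suricata's packaging: a fail-soft ruleset fetch for a maintainer script that uses the `--tries=1` setting discussed above, caps each wget phase separately, and adds a hard wall-clock bound plus an operator opt-out. The names `fetch_rules`, `SURICATA_SKIP_RULE_DOWNLOAD`, `RULE_FETCHER` and `RULE_FETCH_MAX`, and the timeout values, are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Suricata's postinst. Hypothetical names: fetch_rules,
# SURICATA_SKIP_RULE_DOWNLOAD, RULE_FETCHER, RULE_FETCH_MAX.

RULES_URL="https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"

# One attempt only, with DNS, connect and read phases each capped, so the
# worst case is the sum of three small limits instead of that sum per retry.
# The string is word-split on purpose when it is invoked below.
RULE_FETCHER="${RULE_FETCHER:-/usr/bin/wget --tries=1 --dns-timeout=3 --connect-timeout=3 --read-timeout=5 -q -O}"

# Hard wall-clock bound in seconds, enforced by timeout(1) from coreutils.
RULE_FETCH_MAX="${RULE_FETCH_MAX:-15}"

# fetch_rules DEST_DIR
# Returns 0 = rules deployed, 10 = skipped by operator, 11 = download failed
# or timed out, 12 = archive did not extract. DEST_DIR is untouched on 10/11.
fetch_rules() {
    dest="$1"

    # Opt-out for hosts that must not reach the Internet (for example a
    # PCI DSS segment fed from a local rule repository).
    if [ -n "${SURICATA_SKIP_RULE_DOWNLOAD:-}" ]; then
        echo "Rule download disabled, skipping"
        return 10
    fi

    tmp="$(mktemp)" || return 11

    # timeout(1) ends the fetch even if a phase stalls past wget's own limits.
    if ! timeout "$RULE_FETCH_MAX" $RULE_FETCHER "$tmp" "$RULES_URL"; then
        rm -f "$tmp"
        echo "Could not download $RULES_URL, skipping"
        return 11
    fi

    mkdir -p "$dest"
    # Extract only a completely downloaded file, never a partial stream.
    if tar -x -z -C "$dest" -f "$tmp"; then rc=0; else rc=12; fi
    rm -f "$tmp"
    return "$rc"
}

# In a maintainer script the result must never fail the package install:
#   fetch_rules /etc/suricata || true
```

Automation such as an Ansible play can export `SURICATA_SKIP_RULE_DOWNLOAD=1` before the package step and deploy rules from the local repository afterwards.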