Issues with so-suricata-testrule #14662
Replies: 1 comment

- I've created an issue to look into this:
I'm not sure if this is the definitive fix, but it appears to be working so far in my environment. If anyone else has encountered this issue and found an alternative solution, or can provide guidance on the proper method for performing a rule test, I'd greatly appreciate the insight.

We are running a development mini-range with Security Onion in standalone mode. The current system specifications are as follows:

- Version: 2.4.150
- CPU: 16 cores @ 2.1 GHz
- Memory: 64 GB RAM (20 GB in use)
- Storage: 1 TB HDD

While testing custom rules on the manager, I encountered an error. To rule out any file path issues, I ensured all references used full absolute paths. Despite this, the error persisted.
```
admin@manager nsm$ sudo so-suricata-testrule /home/admin/rule_testing/rule.local /home/admin/rule_testing/icmp.pcap
sudo password for admin:
Running all.rules and /home/admin/rule_testing/rule.local against the following pcap: /home/admin/rule_testing/icmp.pcap
==== Begin Suricata Output ===
Notice: suricata: This is Suricata version 7.0.9 RELEASE running in USER mode
Info: cpu: CPUs/cores online: 16
Info: suricata: Setting engine mode to IDS mode by default
Info: privs: dropped the caps for main thread
Info: logopenfile: eve-log output device (regular) initialized: /nsm/eve-%Y-%m-%d-%H:%M.json
Error: log-pcap: The sguil-base-dir directory "/nsm/suripcap" supplied doesn't exist. Shutting down the engine
==== End Suricata Output ===
If any alerts hit, they will be displayed below:
End so-suricata-testrule
```
To resolve the issue, I edited the suricata.yaml file located at `/opt/so/conf/suricata/suricata.yaml`:

```
sudo vim /opt/so/conf/suricata/suricata.yaml
```

Within the configuration file, I found two separate pcap-log sections. It appeared that the second entry was conflicting with the first. To fix the conflict, I commented out the second block.

The two conflicting sections were:

First:

```yaml
enabled: 'no'
filename: pcaplog_stats.log
append: 'yes'
```

Second:

```yaml
enabled: 'yes'
compression: none
lz4-checksum: 'no'
lz4-level: 8
filename: '%n/so-pcap.%t'
limit: 1000mb
mode: multi
use-stream-depth: 'no'
conditional: all
dir: /nsm/suripcap
max-files: 27
```
By commenting out the second block, the error related to /nsm/suripcap was resolved, and I was able to proceed with rule testing successfully.
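The post above resolves the failure by hand-editing suricata.yaml. As an added example (not part of the original post and not Security Onion's own tooling), the following script is a pre-flight check a practitioner could run before invoking so-suricata-testrule: it scans a Suricata YAML for `- pcap-log:` output entries, reports when more than one is defined, and flags any enabled entry whose `dir` does not exist on the host. It assumes the usual Suricata layout of an `outputs:` list with two-space indentation, and uses a constructed sample modelled on the two blocks quoted in the post rather than the real file.

```python
"""Pre-flight check for duplicate or dangling pcap-log outputs in a Suricata YAML.

Added example: a minimal indentation-based scan with no third-party
dependencies. It assumes Suricata's conventional layout (an `outputs:` list
whose items look like `- pcap-log:`), which is an assumption, not a parse of
the full YAML grammar.
"""
import os
import re

# Constructed sample modelled on the two blocks quoted in the post.
# Not the real /opt/so/conf/suricata/suricata.yaml.
SAMPLE_YAML = """\
outputs:
  - pcap-log:
      enabled: 'no'
      filename: pcaplog_stats.log
      append: 'yes'
  - pcap-log:
      enabled: 'yes'
      compression: none
      filename: '%n/so-pcap.%t'
      limit: 1000mb
      mode: multi
      dir: /nsm/suripcap
      max-files: 27
"""

KEY_RE = re.compile(r"([\w-]+):\s*(.*)$")


def find_pcap_log_blocks(text):
    """Return a list of dicts, one per `- pcap-log:` list item, holding its
    scalar keys. A block ends at the first non-blank, non-comment line whose
    indentation is not deeper than the `- pcap-log:` line itself."""
    blocks = []
    current = None
    block_indent = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # commented-out blocks (as in the post's fix) are ignored
        indent = len(line) - len(line.lstrip(" "))
        if stripped == "- pcap-log:":
            current = {}
            blocks.append(current)
            block_indent = indent
            continue
        if current is None:
            continue
        if indent <= block_indent:
            current = None  # left the list item
            continue
        m = KEY_RE.match(stripped)
        if m:
            current[m.group(1)] = m.group(2).strip().strip("'\"")
    return blocks


def check_pcap_log(text, path_exists=os.path.isdir):
    """Return a list of human-readable problems found in the pcap-log outputs.
    `path_exists` is injectable so the check can be exercised without touching
    the filesystem."""
    blocks = find_pcap_log_blocks(text)
    problems = []
    if len(blocks) > 1:
        problems.append(
            f"{len(blocks)} pcap-log outputs defined; the post reports these conflicting"
        )
    for idx, block in enumerate(blocks, 1):
        if block.get("enabled", "no").lower() != "yes":
            continue
        pcap_dir = block.get("dir")
        if pcap_dir and not path_exists(pcap_dir):
            problems.append(f"pcap-log #{idx} is enabled but dir {pcap_dir} does not exist")
    return problems


if __name__ == "__main__":
    # Usage: python check_pcap_log.py [path/to/suricata.yaml]
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_YAML
    for problem in check_pcap_log(text) or ["no pcap-log problems found"]:
        print(problem)
```

Run it against the real file with `python check_pcap_log.py /opt/so/conf/suricata/suricata.yaml`; with no argument it checks the constructed sample, which reproduces both conditions from the post (two blocks, and an enabled block pointing at /nsm/suripcap) on any host where that directory is absent.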