2.4.211 / so-soc / Sensoroni / Suricata ETOPEN sync / proxy env present / manual curl works / automatic sync fails. #15633
Version: 2.4.211
Installation Method: Security Onion ISO image
Description: upgrading
Installation Type: Distributed
Location: other (please provide detail below)
Hardware Specs: Exceeds minimum requirements
CPU: 8
RAM: 32GB
Storage for /: 100GB
Storage for /nsm: 512GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail
Installation Method: existing deployment upgraded from 2.4.150
Installation Type: distributed: manager + 1 search node
Location: on-prem with Internet access via explicit proxy
Description
After upgrading to 2.4.211, Suricata community rules sync fails in Detections with Sync Failed.
What I verified
read tcp 172.17.1.34: -> :443: read: connection reset by peer
This suggests the automatic fetch performed by /opt/sensoroni/sensoroni may not be using the configured explicit proxy, even though proxy env vars are present and manual curl works from the same container.
Relevant log
failed to fetch ruleset: failed to download ruleset: Get "https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz": read tcp 172.17.1.34:->:443: read: connection reset by peer
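
One check that follows from the report above (added example, not part of the original post and not Security Onion code): confirm that the proxy variables are in the environment of the running /opt/sensoroni/sensoroni process itself, and that no no-proxy entry exempts the rules host. The precedence and suffix-matching rules are an assumed common convention that individual HTTP clients implement differently, and the function names and the proxy and manager hostnames are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion code. Parses a /proc/<pid>/environ-style
# file (NUL-separated KEY=VALUE) and reports which proxy would apply to a host.
# Assumed convention: HTTPS_PROXY before https_proxy, NO_PROXY before no_proxy,
# no-proxy entries match the host exactly or as a domain suffix, "*" matches all.

# env_get FILE NAME: print NAME's value from the environ file (empty if unset).
env_get() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# proxy_for_host FILE HOST: print the proxy URL, or DIRECT when none applies.
proxy_for_host() {
    file=$1; host=$2
    proxy=$(env_get "$file" HTTPS_PROXY)
    [ -n "$proxy" ] || proxy=$(env_get "$file" https_proxy)
    [ -n "$proxy" ] || { echo DIRECT; return 0; }
    noproxy=$(env_get "$file" NO_PROXY)
    [ -n "$noproxy" ] || noproxy=$(env_get "$file" no_proxy)
    result=$proxy
    while IFS= read -r entry; do
        entry=${entry#.}                 # ".example.net" == "example.net"
        case "$entry" in
            '') continue ;;
            '*') result=DIRECT ;;
        esac
        case "$host" in
            "$entry"|*".$entry") result=DIRECT ;;
        esac
    done <<EOF
$(printf '%s' "$noproxy" | tr -d ' ' | tr ',' '\n')
EOF
    echo "$result"
}

# Constructed sample standing in for the sensoroni process environment.
sample=$(mktemp)
printf 'HTTPS_PROXY=http://proxy.example.internal:3128\0NO_PROXY=localhost,.example.internal\0' > "$sample"
proxy_for_host "$sample" rules.emergingthreats.net   # proxy URL: fetch should go via the proxy
proxy_for_host "$sample" manager.example.internal    # DIRECT: exempted by NO_PROXY
rm -f "$sample"
```

On a live system the first argument would be `/proc/<pid>/environ` for the sensoroni process, which holds the environment the process was started with.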