Lack of default openssl on Fedora 36 prevents suricataupdater from running
While running tests for #2482 I bumped into a problem with the RPM-based install on Fedora 36. The app seemed to be accepting pcap imports ok, but on closer inspection I could see that the expected Suricata alerts were either missing or only useless "protocol decode" ones. On closer inspection, I could see this was because the Suricata updater had not run successfully and so the Emerging Threats rules were not in effect during the pcap import. I didn't have this problem with the DEB-based installs on Ubuntu, though.
At the shell, I reproduced the way the app invokes suricataupdater, and this revealed the problem:
$ export BRIM_SURICATA_USER_DIR="$(pwd)/suricata"
$ /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/suricataupdater
/opt/Brim/resources/app.asar.unpacked/zdeps/suricata/suricataupdater: line 20: openssl: command not found
11/8/2022 -- 15:05:12 - <Info> -- Loading /home/phil/.config/Brim/data/suricata/update.yaml
11/8/2022 -- 15:05:12 - <Info> -- Found Suricata version 5.0.3 at /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/bin/suricata.
11/8/2022 -- 15:05:12 - <Info> -- Loading /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/brim-conf.yaml
11/8/2022 -- 15:05:12 - <Info> -- Disabling rules for protocol modbus
11/8/2022 -- 15:05:12 - <Info> -- Disabling rules for protocol dnp3
11/8/2022 -- 15:05:12 - <Info> -- Disabling rules for protocol enip
11/8/2022 -- 15:05:12 - <Info> -- No sources configured, will use Emerging Threats Open
11/8/2022 -- 15:05:12 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
11/8/2022 -- 15:05:12 - <Error> -- Failed to fetch https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/app-layer-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/decoder-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dhcp-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dnp3-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dns-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/files.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/http-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/ipsec-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/kerberos-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/modbus-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/nfs-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/ntp-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/smb-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/smtp-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/stream-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/tls-events.rules
11/8/2022 -- 15:05:12 - <Info> -- Loaded 344 rules.
11/8/2022 -- 15:05:12 - <Info> -- Disabled 14 rules.
11/8/2022 -- 15:05:12 - <Info> -- Enabled 0 rules.
11/8/2022 -- 15:05:12 - <Info> -- Modified 0 rules.
11/8/2022 -- 15:05:12 - <Info> -- Dropped 0 rules.
11/8/2022 -- 15:05:12 - <Info> -- Enabled 0 rules for flowbit dependencies.
11/8/2022 -- 15:05:12 - <Info> -- Backing up current rules.
11/8/2022 -- 15:05:12 - <Info> -- Writing rules to /home/phil/.config/Brim/data/suricata/rules/suricata.rules: total: 344; enabled: 288; added: 0; removed 0; modified: 0
11/8/2022 -- 15:05:12 - <Info> -- Writing /home/phil/.config/Brim/data/suricata/rules/classification.config
11/8/2022 -- 15:05:12 - <Info> -- No changes detected, exiting.
Indeed, I could then see that the openssl command was not present on my out-of-the-box default Fedora 36 install. When I installed it manually, now the Suricata update succeeded.
$ sudo yum install openssl
Last metadata expiration check: 1:26:02 ago on Thu 11 Aug 2022 01:40:18 PM PDT.
Dependencies resolved.
===============================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================
Installing:
openssl x86_64 1:3.0.5-1.fc36 updates 1.1 M
Upgrading:
openssl-libs x86_64 1:3.0.5-1.fc36 updates 2.1 M
Transaction Summary
===============================================================================================================================================================================
Install 1 Package
Upgrade 1 Package
Total download size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): openssl-3.0.5-1.fc36.x86_64.rpm 3.2 MB/s | 1.1 MB 00:00
(2/2): openssl-libs-3.0.5-1.fc36.x86_64.rpm 3.2 MB/s | 2.1 MB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.7 MB/s | 3.3 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : openssl-libs-1:3.0.5-1.fc36.x86_64 1/3
Installing : openssl-1:3.0.5-1.fc36.x86_64 2/3
Cleanup : openssl-libs-1:3.0.2-4.fc36.x86_64 3/3
Running scriptlet: openssl-libs-1:3.0.2-4.fc36.x86_64 3/3
Verifying : openssl-1:3.0.5-1.fc36.x86_64 1/3
Verifying : openssl-libs-1:3.0.5-1.fc36.x86_64 2/3
Verifying : openssl-libs-1:3.0.2-4.fc36.x86_64 3/3
Upgraded:
openssl-libs-1:3.0.5-1.fc36.x86_64
Installed:
openssl-1:3.0.5-1.fc36.x86_64
Complete!
$ /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/suricataupdater
11/8/2022 -- 15:06:26 - <Info> -- Loading /home/phil/.config/Brim/data/suricata/update.yaml
11/8/2022 -- 15:06:26 - <Info> -- Found Suricata version 5.0.3 at /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/bin/suricata.
11/8/2022 -- 15:06:26 - <Info> -- Loading /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/brim-conf.yaml
11/8/2022 -- 15:06:26 - <Info> -- Disabling rules for protocol modbus
11/8/2022 -- 15:06:26 - <Info> -- Disabling rules for protocol dnp3
11/8/2022 -- 15:06:26 - <Info> -- Disabling rules for protocol enip
11/8/2022 -- 15:06:26 - <Info> -- No sources configured, will use Emerging Threats Open
11/8/2022 -- 15:06:26 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
100% - 3423903/3423903
11/8/2022 -- 15:06:30 - <Info> -- Done.
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/app-layer-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/decoder-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dhcp-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dnp3-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/dns-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/files.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/http-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/ipsec-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/kerberos-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/modbus-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/nfs-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/ntp-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/smb-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/smtp-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/stream-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Loading distribution rule file /opt/Brim/resources/app.asar.unpacked/zdeps/suricata/share/suricata/rules/tls-events.rules
11/8/2022 -- 15:06:30 - <Info> -- Ignoring file rules/emerging-deleted.rules
11/8/2022 -- 15:06:32 - <Info> -- Loaded 35254 rules.
11/8/2022 -- 15:06:32 - <Info> -- Disabled 14 rules.
11/8/2022 -- 15:06:32 - <Info> -- Enabled 0 rules.
11/8/2022 -- 15:06:32 - <Info> -- Modified 0 rules.
11/8/2022 -- 15:06:32 - <Info> -- Dropped 0 rules.
11/8/2022 -- 15:06:32 - <Info> -- Enabled 131 rules for flowbit dependencies.
11/8/2022 -- 15:06:32 - <Info> -- Backing up current rules.
11/8/2022 -- 15:06:32 - <Info> -- Writing rules to /home/phil/.config/Brim/data/suricata/rules/suricata.rules: total: 35254; enabled: 27704; added: 34910; removed 0; modified: 0
11/8/2022 -- 15:06:32 - <Info> -- Writing /home/phil/.config/Brim/data/suricata/rules/classification.config
11/8/2022 -- 15:06:32 - <Info> -- Skipping test, disabled by configuration.
11/8/2022 -- 15:06:32 - <Info> -- Done.
By comparison, the out-of-the-box default Ubuntu 20.04 install I used in another test did have openssl present, which is why it didn't show the same symptom.
The good news is that a web search quickly revealed the electron-builder option that would automatically install OpenSSL as a dependency at the same time that the app RPM is installed. I've already tested this out and will include the fix in the PR I use to address #2482.
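A check over the updater output shown in this issue, as an added example (not code from the Brim project): it flags a run in which a rule source failed to download or a helper command was missing, so a pcap import is not silently analysed with only the bundled rules. The sample input is excerpted from the two logs above; the function name and result keys are assumptions of this example.

```python
import re

# Excerpts of the two suricataupdater runs shown in the issue above.
FAILED_RUN = """\
/opt/Brim/resources/app.asar.unpacked/zdeps/suricata/suricataupdater: line 20: openssl: command not found
11/8/2022 -- 15:05:12 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
11/8/2022 -- 15:05:12 - <Error> -- Failed to fetch https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
11/8/2022 -- 15:05:12 - <Info> -- Loaded 344 rules.
11/8/2022 -- 15:05:12 - <Info> -- No changes detected, exiting.
"""
GOOD_RUN = """\
11/8/2022 -- 15:06:26 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
11/8/2022 -- 15:06:30 - <Info> -- Done.
11/8/2022 -- 15:06:32 - <Info> -- Loaded 35254 rules.
11/8/2022 -- 15:06:32 - <Info> -- Done.
"""

MISSING_CMD = re.compile(r": line \d+: (\S+): command not found$")  # shell wrapper error
LOG_LINE = re.compile(r"^\S+ -- \S+ - <(\w+)> -- (.*)$")            # date -- time - <Level> -- msg
FETCH = re.compile(r"^Fetching (\S+?)\.$")
FETCH_FAIL = re.compile(r"^Failed to fetch (\S+): (.*)$")
LOADED = re.compile(r"^Loaded (\d+) rules\.$")

def assess_update_log(text):
    """Summarise one updater run; 'degraded' means a rule source was not applied."""
    result = {"missing_commands": [], "fetched": [], "failed": {}, "loaded": None}
    for line in text.splitlines():
        m = MISSING_CMD.search(line)
        if m:
            result["missing_commands"].append(m.group(1))
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue
        level, msg = m.groups()
        if (f := FETCH.match(msg)):
            result["fetched"].append(f.group(1))
        elif level == "Error" and (f := FETCH_FAIL.match(msg)):
            result["failed"][f.group(1)] = f.group(2)  # url -> reason
        elif (f := LOADED.match(msg)):
            result["loaded"] = int(f.group(1))
    # In the failed run above the updater still wrote the 344 bundled rules,
    # so the log content is inspected rather than whether rules were written.
    result["degraded"] = bool(result["failed"] or result["missing_commands"])
    return result
```
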