
Installer script fixes

Open ChrisThibodeaux opened this issue 6 months ago • 3 comments

A couple of minor fixes to cape2.sh and yara_installer.sh:

  • Fix the Suricata text replacement for file-store not correctly setting enabled: yes
  • Fix the yara installer script issue caused by the --directory /opt/CAPEv2 usage.

@doomedraven Do we even need to have this run in the installer script?

    # Run yara installer script
    sudo -u ${USER} /etc/poetry/bin/poetry --directory /opt/CAPEv2 run extra/yara_installer.sh

    if [ -d yara-python ]; then
        sudo rm -rf yara-python
    fi

Running poetry install should install yara-python. Fixing the script in the PR is going to cause the install of the latest yara-python, 4.5.2. I can update the pyproject.toml to reflect this and add it to this PR if this is the right place to do it.

ChrisThibodeaux, May 02 '25 16:05
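As an added illustration (not code from cape2.sh or from this PR) of the failure the first bullet describes: a plain substitution that does not match the indented `enabled:` line under `file-store:` silently leaves file-store disabled, while a section-aware awk edit changes only that key and leaves the same key in other sections alone. The YAML fragment and the `section_value`, `naive_enable` and `set_in_section` helpers are constructed for this example and assume suricata.yaml's layout of top-level sections at column 0 with two-space nesting.

```shell
# Added example, not code from cape2.sh. Constructed fragment that mimics
# the suricata.yaml layout (assumption: sections at column 0, 2-space nesting).
SAMPLE_YAML='outputs:
  - fast:
      enabled: no
      filename: fast.log
file-store:
  version: 2
  enabled: no
  dir: filestore
app-layer:
  protocols:
    tls:
      enabled: yes'

# Reads "key: value" inside one top-level section (first match wins).
section_value() {   # $1 = yaml text, $2 = section, $3 = key
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    /^[^ #-][^:]*:/ { insec = ($0 == sec ":") }
    insec && $1 == (key ":") && !done { print $2; done = 1 }'
}

# Naive substitution: anchored at column 0, so it never matches the
# indented "enabled: no" under file-store and silently changes nothing.
naive_enable() {    # $1 = yaml text
  printf '%s\n' "$1" | sed 's/^enabled: no/enabled: yes/'
}

# Section-aware edit: rewrites the key only while inside the named section,
# so the "enabled" keys of the fast log and of tls are left untouched.
set_in_section() {  # $1 = yaml text, $2 = section, $3 = key, $4 = value
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" -v val="$4" '
    /^[^ #-][^:]*:/ { insec = ($0 == sec ":") }
    insec && $1 == (key ":") { sub(/:.*/, ": " val) }
    { print }'
}
```

Running `set_in_section "$SAMPLE_YAML" file-store enabled yes` flips only the file-store toggle; the same check on the naive output still reports `no`.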

Hey, thank you, and sorry for the long wait for an update; I'm still not fully back. The issue with installing it from PyPI vs. from source is that from source we compile with dotnet, while from PyPI, at least in the past, it wasn't installing that module, and I got tired of going back and forth with it. Anyway, yara is now just in maintenance mode and we should move towards yara-x.

doomedraven, Jun 06 '25 10:06

@doomedraven Makes sense to me. I can remove those changes and just keep the Suricata config fixes if we want. No problem either way.

ChrisThibodeaux, Jun 06 '25 19:06

I will do a proper review once I'm back, but until July I don't have much time.

doomedraven, Jun 07 '25 05:06

Hey, sorry for the long delay on this one; it's summer and there isn't much time to handle everything. I was checking Suricata yesterday and I guess we're going to move the custom mods to an include file so it will overwrite the defaults, which is easier to maintain, but I will have to test it, and I don't know when.

doomedraven, Jul 25 '25 07:07

Sounds good, thanks for circling back to this!

ChrisThibodeaux, Jul 25 '25 11:07

FYI, I'm completely reworking how we deal with Suricata. It will now have a side include config with all the required mods, which simplifies everything; there is no more need to care about spaces/tags etc., as described here: https://forum.suricata.io/t/overide-suricata-configuation-file/3216/2

doomedraven, Jul 25 '25 11:07

So, sorry for the long delay; I finally got to this.

  1. I have rewritten the Suricata integration config the proper way.
  2. They removed socket mode in v8, sadly; that has a negative performance impact, as it requires initialising the engine each time a pcap is processed. I tried to research a solution but got nowhere.
  3. The yara install, I guess, will soon become yara-x, as yara itself is in maintenance mode only.

doomedraven, Jul 26 '25 19:07