I downloaded suricata-6.0.4.tar.gz and copied it to a machine without internet,
then ran ./configure && make && make-conf
Then I tried to run the rules manually, as was mentioned on the Suricata forum,
with this command:
suricata-update add-source et-local file:/home/xyz/Downloads/emerging-threats.tar.gz
But I got this error:
/usr/local/bin/suricata: error while loading shared libraries: libhtp.so.2: cannot open shared object file: No such file or directory
Traceback (most recent call last):
File "/usr/local/bin/suricata-update", line 33, in <module>
File "/usr/local/lib/python3.8/dist-packages/suricata/update/main.py", line 1307, in main
File "/usr/local/lib/python3.8/dist-packages/suricata/update/main.py", line 1017, in _main
File "/usr/local/lib/python3.8/dist-packages/suricata/update/config.py", line 202, in init
build_info = suricata.update.engine.get_build_info(_config["suricata"])
File "/usr/local/lib/python3.8/dist-packages/suricata/update/engine.py", line 43, in get_build_info
build_info_output = subprocess.check_output([suricata, "--build-info"])
File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "/usr/lib/python3.8/subprocess.py", line 516, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/usr/local/bin/suricata', '--build-info']' returned non-zero exit status 127.
I am getting the same even if I simply run: suricata-update
Can anyone find out what the issue is? I need to install rules on a machine without internet.
I followed this trick: Installing default Suricata 6.0.2 rules onto machine without internet access
This is the reason the error is occurring. Run
ldd /usr/local/bin/suricata | grep libhtp and paste your results here.
You can configure Suricata to use a bundled libhtp or specify the location of the libhtp library. Suricata depends on (requires) libhtp to execute properly.
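The ldd check above, widened to report every shared library the dynamic loader cannot resolve, not only libhtp. This is an added example, not code from the thread or from the Suricata project; it assumes a glibc system where `ldd` and `ldconfig -p` exist, and the two sample `ldd` outputs are constructed, not captured from the poster's machine. A library that `ldd` reports as "not found" is exactly what makes the binary fail with "error while loading shared libraries" and exit status 127, which suricata-update then surfaces as the CalledProcessError in the traceback.

```shell
#!/bin/sh
# check_libs.sh: list unresolved shared libraries of a binary and hint at the fix.
# Added example (not from the thread); assumes glibc's ldd/ldconfig.

# missing_libs_from_ldd: read ldd output on stdin, print libraries marked "not found".
missing_libs_from_ldd() {
    awk '/=> not found/ { print $1 }'
}

# missing_libs BIN: run ldd on BIN and list its unresolved libraries.
missing_libs() {
    ldd "$1" 2>/dev/null | missing_libs_from_ldd
}

# lib_in_cache NAME: 0 if the ld.so cache (what ldconfig built) knows NAME. glibc-specific.
lib_in_cache() {
    ldconfig -p 2>/dev/null | grep -q "$1"
}

# check_binary BIN: 0 if every shared library resolves, 1 if some do not,
# 2 if ldd is unavailable. Problems are reported on stderr.
check_binary() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        printf '%s: no such file\n' "$bin" >&2
        return 1
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        printf 'ldd not available; cannot inspect %s\n' "$bin" >&2
        return 2
    fi
    missing="$(missing_libs "$bin")"
    if [ -n "$missing" ]; then
        printf 'unresolved shared libraries for %s:\n%s\n' "$bin" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample ldd output before the loader cache was refreshed
# (libhtp was installed under /usr/local/lib but ldconfig had not been run).
SAMPLE_LDD_BEFORE='        linux-vdso.so.1 (0x00007ffd1c3f0000)
        libhtp.so.2 => not found
        libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f0a1c000000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bc00000)'

# Constructed sample after running ldconfig: every library resolves.
SAMPLE_LDD_AFTER='        linux-vdso.so.1 (0x00007ffd1c3f0000)
        libhtp.so.2 => /usr/local/lib/libhtp.so.2 (0x00007f0a1c200000)
        libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f0a1c000000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bc00000)'

main() {
    bin="$1"
    if check_binary "$bin"; then
        echo "$bin: all shared libraries resolve; suricata-update can call '$bin --build-info'"
        return 0
    fi
    for lib in $(missing_libs "$bin"); do
        if ! lib_in_cache "$lib"; then
            echo "hint: $lib is not in the ld.so cache; if it was installed under /usr/local/lib," >&2
            echo "      run 'sudo ldconfig' (or add its directory under /etc/ld.so.conf.d/ and rerun ldconfig)." >&2
        fi
    done
    return 1
}

# Usage: sh check_libs.sh /usr/local/bin/suricata
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Running it against the freshly built binary before and after `sudo ldconfig` shows the difference the poster saw: the first run lists libhtp.so.2 as unresolved, the second reports that everything resolves.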
Hi, solved this using sudo ldconfig.
@Jeff_Lucovsky, I also wanted to know where I can see Suricata logs. I added a plugin for Kafka. It creates a topic but doesn't send any data; where can I see the logs generated by Suricata for these events?
Your plugin will determine what happens to the data and where it is logged.
Without any plugins, Suricata uses the information from the outputs configuration section in the
default-log-dir setting determines where the log files will be placed (this can be overridden with the -l /path/to/log-directory command line option).
I have defined the plugin details in eve-output; it is not writing to disk (i.e. eve.json) and also not sending to Kafka.
So I was wondering how to find where the logs are going.
Can you post the outputs section from the Suricata configuration file? The eve-log section is the most interesting for me to see.
filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis
# Enable for multi-threaded eve.json output; output files are amended
# with an identifier, e.g., eve.9.json
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
level: Alert ## Error, Warning, Notice, Info, Debug
Try using a regular file as in the default config. Verify that works before attempting to log to Kafka, but please start a new topic here for Kafka; then maybe the people who can help with Kafka will see it.
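A script that reads the eve-log block of a suricata.yaml and says why nothing may be landing in eve.json: the output is disabled, the filetype is not one of the built-in eve outputs (regular, syslog, unix_dgram, unix_stream, redis, as listed in the poster's own config comment), so a plugin has to register it before anything is written, or the log directory is not writable. This is an added example, not code from the thread or from the Suricata project. It assumes the layout of the stock suricata.yaml (`outputs:` containing a `- eve-log:` list item with `enabled:`, `filetype:` and `filename:` under it); the sample configuration it writes is constructed.

```shell
#!/bin/sh
# eve_check.sh: explain why eve-log output may not be appearing.
# Added example (not from the thread); assumes the stock suricata.yaml layout.

# eve_setting KEY FILE: print the value of KEY inside the first eve-log block of FILE.
# The block ends at the next non-comment line indented no deeper than "- eve-log:".
eve_setting() {
    awk -v key="$1" '
        function indent(s) { match(s, /^[ ]*/); return RLENGTH }
        /^[ ]*-[ ]*eve-log:/ { inblock = 1; base = indent($0); next }
        inblock && NF && $0 !~ /^[ ]*#/ && indent($0) <= base { inblock = 0 }
        inblock && $1 == (key ":") { v = $2; sub(/#.*/, "", v); print v; exit }
    ' "$2"
}

# builtin_eve_filetype TYPE: 0 if TYPE is handled by Suricata itself without a plugin.
builtin_eve_filetype() {
    case "$1" in
        regular|syslog|unix_dgram|unix_stream|redis) return 0 ;;
        *) return 1 ;;
    esac
}

# eve_problem CONFIG LOGDIR: print one reason eve output would be missing, or nothing.
eve_problem() {
    cfg="$1"; logdir="$2"
    enabled="$(eve_setting enabled "$cfg")"
    ftype="$(eve_setting filetype "$cfg")"
    fname="$(eve_setting filename "$cfg")"
    if [ "$enabled" != "yes" ]; then
        echo "eve-log is disabled (enabled: ${enabled:-unset})"
    elif ! builtin_eve_filetype "$ftype"; then
        echo "filetype '$ftype' is not a built-in eve output; a plugin must register it, and nothing reaches $logdir/${fname:-eve.json} unless that plugin writes it"
    elif [ "$ftype" = regular ] && [ ! -w "$logdir" ]; then
        echo "log directory $logdir is missing or not writable"
    fi
}

# write_sample_config PATH: constructed outputs section mirroring the poster's setup.
write_sample_config() {
    cat > "$1" <<'EOF'
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - eve-log:
      enabled: yes
      filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
  - stats:
      enabled: yes
EOF
}

# Usage: sh eve_check.sh /usr/local/etc/suricata/suricata.yaml /var/log/suricata
if [ -n "${1:-}" ]; then
    problem="$(eve_problem "$1" "${2:-/var/log/suricata}")"
    if [ -n "$problem" ]; then
        echo "$problem"
        exit 1
    fi
    echo "eve-log looks usable: filetype $(eve_setting filetype "$1") into ${2:-/var/log/suricata}"
fi
```

Switching the sample's `filetype: kafka` to `filetype: regular` is the "try a regular file first" step: with a writable log directory the script reports no problem, which is the baseline to confirm before the Kafka plugin is debugged separately.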
Hi, tried filetype as regular, didn't work. Will create a new topic.