SELKS10 Initial configuration with errors

Hello
I'm sorry, I'm new to SELKS and docker.
I installed SELKS 10 after building a USB drive (complete image with desktop, for bare metal with docker). My first try did not show any alerts although I made a single rule to do so. So, I decided to run easy-setup.sh again and follow the instructions on Docker · StamusNetworks/SELKS Wiki · GitHub
but on the readpcap.sh example, the output shows errors about not finding configuration files.
Notice: suricata: This is Suricata version 8.0.0-dev (5bd17934d 2024-06-25) running in USER mode [LogVersion:suricata.c:1157]
Error: reputation: opening ip rep file /etc/suricata/rules/scirius-categories.txt: No such file or directory [SRepLoadCatFile:reputation.c:357]
Error: reputation: failed to load reputation categories file /etc/suricata/rules/scirius-categories.txt [SRepInit:reputation.c:616]
Warning: classification-config: could not open: “/etc/suricata/rules/classification.config”: No such file or directory [SCClassConfInitContextAndLocalResources:util-classification-config.c:134]
Error: classification-config: please check the “classification-file” option in your suricata.yaml file [SCClassConfLoadClassificationConfigFile:util-classification-config.c:533]
Warning: detect: No rule files match the pattern /etc/suricata/rules/scirius.rules [ProcessSigFiles:detect-engine-loader.c:239]

What am I missing?
Thank you.

Sounds like it was not set up?
Did the setup finish ok - Docker ISO setup · StamusNetworks/SELKS Wiki · GitHub

Also please feel free to ask the SELKS community online on Discord for a faster response.

Hello, Peter!
I set up using the interactive easy-setup.sh. There were no error messages.

sudo
cd SELKS/docker/
./easy-setup.sh
docker compose up -d

Today I used the sequence from the doc you sent the link to:

cd /opt/selksd/SELKS/docker/ && \
./easy-setup.sh --non-interactive --no-pull-containers -i tppdummy0 \
--iA --restart-mode always --es-memory 8G && \
docker-compose up -d 

I only replaced the dummy interface with the real ens3f1 and put it in the down state before running readpcap:

ifconfig ens3f1 down

I reran

./readpcap.sh -c /home/selks-user/2023-01-Unit42-Wireshark-quiz.pcap

I manually deleted the files in fpc due to this error message:

Delete suricata logs:
rm: cannot remove '/opt/selksd/SELKS/docker/containers-data/suricata/logs/fpc': Directory not empty
ERROR

After running readpcap I got the same errors:

Deleting data from arkime
OK

send SIGHUP to suricata:
OK

Delete elasticsearch indexes:
OK

include: selks6-addin.yaml
suricata.yaml edited
Checking for capability sys_nice: yes
Checking for capability net_admin: yes
Info: conf-yaml-loader: Including configuration file selks6-addin.yaml. [ConfYamlParse:conf-yaml-loader.c:290]
Info: conf-yaml-loader: Configuration node ‘default-rule-path’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘rule-files’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘classification-file’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘reference-config-file’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘detect’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘stats’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘outputs’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘logging’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘app-layer’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Info: conf-yaml-loader: Configuration node ‘asn1-max-frames’ redefined. [ConfYamlParse:conf-yaml-loader.c:327]
Notice: suricata: This is Suricata version 8.0.0-dev (5bd17934d 2024-06-25) running in USER mode [LogVersion:suricata.c:1157]
Error: reputation: opening ip rep file /etc/suricata/rules/scirius-categories.txt: No such file or directory [SRepLoadCatFile:reputation.c:357]
Error: reputation: failed to load reputation categories file /etc/suricata/rules/scirius-categories.txt [SRepInit:reputation.c:616]
Warning: classification-config: could not open: “/etc/suricata/rules/classification.config”: No such file or directory [SCClassConfInitContextAndLocalResources:util-classification-config.c:134]
Error: classification-config: please check the “classification-file” option in your suricata.yaml file [SCClassConfLoadClassificationConfigFile:util-classification-config.c:533]
Warning: detect: No rule files match the pattern /etc/suricata/rules/scirius.rules [ProcessSigFiles:detect-engine-loader.c:239]
Warning: detect: 1 rule files specified, but no rules were loaded! [SigLoadSignatures:detect-engine-loader.c:358]
Warning: threshold-config: Error opening file: “/etc/suricata/rules/threshold.config”: No such file or directory [SCThresholdConfInitContext:util-threshold-config.c:176]
Notice: log-pcap: Ring buffer initialized with 0 files. [PcapLogInitRingBuffer:log-pcap.c:986]
Notice: threads: Threads created → W: 1 FM: 1 FR: 1 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1907]
Notice: suricata: Signal Received. Stopping engine. [SuricataMainLoop:suricata.c:2828]
Notice: pcap: read 1 file, 1049 packets, 902428 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
Successfully copied 921kB to arkime:/readpcap/

Any clue?
Thanks
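An added preflight check (my own example, not part of this thread or of the SELKS project): it pulls every /etc/suricata path that Suricata reported as unopenable out of startup output like the one quoted above, and can then test whether a copy exists under the host directory that the suricata container mounts as /etc/suricata. The sample log lines are constructed to mirror the errors above (with straight quotes), and the mapping of /etc/suricata onto a host directory is an assumption; check the compose file for the real mount.

```shell
#!/bin/sh
# Added example, not part of SELKS: extract the config/rule paths that Suricata
# could not open from its startup output, then look for host-side copies.

# Constructed sample, modelled on the errors quoted in the thread
# (straight quotes instead of the forum's curly ones).
SAMPLE_LOG='Notice: suricata: This is Suricata version 8.0.0-dev running in USER mode
Error: reputation: opening ip rep file /etc/suricata/rules/scirius-categories.txt: No such file or directory [SRepLoadCatFile:reputation.c:357]
Error: reputation: failed to load reputation categories file /etc/suricata/rules/scirius-categories.txt [SRepInit:reputation.c:616]
Warning: classification-config: could not open: "/etc/suricata/rules/classification.config": No such file or directory [SCClassConfInitContextAndLocalResources:util-classification-config.c:134]
Warning: detect: No rule files match the pattern /etc/suricata/rules/scirius.rules [ProcessSigFiles:detect-engine-loader.c:239]
Warning: threshold-config: Error opening file: "/etc/suricata/rules/threshold.config": No such file or directory [SCThresholdConfInitContext:util-threshold-config.c:176]
Notice: pcap: read 1 file, 1049 packets, 902428 bytes'

# missing_paths LOG: print each /etc/suricata path Suricata reported missing,
# one per line, deduplicated. Only "No such file" and "No rule files match"
# lines count, so the "failed to load" follow-up line adds nothing new.
missing_paths() {
    printf '%s\n' "$1" \
      | grep -E 'No such file or directory|No rule files match' \
      | grep -oE '/etc/suricata/[^]"[:space:]:]+' \
      | sort -u
}

# host_missing LOG HOSTDIR: assuming HOSTDIR is bind-mounted into the container
# as /etc/suricata (an assumption; check the compose file), print the reported
# paths that also have no copy on the host, i.e. the files easy-setup.sh should
# have generated but did not.
host_missing() {
    missing_paths "$1" | while IFS= read -r p; do
        rel=${p#/etc/suricata/}
        [ -e "$2/$rel" ] || printf '%s\n' "$p"
    done
}

# Stand-alone run: list what the sample log says is missing.
missing_paths "$SAMPLE_LOG"
```

Feed it the real output with `missing_paths "$(cat suricata.log)"`; a non-empty list after easy-setup.sh has finished means the rule and category files were never written, which is the situation readpcap.sh cannot fix on its own.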

Well, I restarted the environment to use -i tppdummy0 because suricata.log showed lots of this:

[40 - W#13-ens3f1] 2024-07-03 18:32:33 Warning: af-packet: ens3f1: can't reopen interface

I reran readpcap and got the same errors on 2023-12-18-TA577-Pikabot-infection-with-Cobalt-Strike.pcap
I opened the Scirius interface and set the time interval to start from 2023, but the Hunting Dashboards or Events show “No data”. But Evebox/events shows lots of packets.

I am using https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz as Source for Suricata.

Thanks for any clue.

I think you could try the following and see if it helps:

sudo -s

cd /opt/selksd/SELKS/docker/ && \
git pull && \
./easy-setup.sh --non-interactive -i tppdummy0 \
--iA --restart-mode always --es-memory 8G && \
docker-compose up -d 

Hello, Peter

git pull says “Already up to date”.

I think I will redownload and reinstall this version 10 from scratch. When I installed a previous version, I could see some Kibana Dashboards and visualisations. Now I no longer find them. I don't know if the git pull command would bring any missing component. I chose this version 10 because the previous version I installed was quite unstable - sometimes the browser was refreshing every second telling me the connection was lost. I am using Chrome to access remotely although this version is the “Complete Image with Desktop”.
I will inform you after the reinstallation, probably the version without desktop.
Thanks

You could also test it locally if needed on any Ubuntu/RedHat etc. via the docker compose, just FYI, without installing the ISO image.
Otherwise one of the things to check after the setup is if all dockers are up and running: docker ps -a

Hi, Peter
I reformatted the disk and installed Ubuntu Desktop. Then I git cloned SELKS from github. I had to install curl manually and modify install-deps.sh changing python to python3. Now SELKS is working, monitoring the local ethernet port.
Next step will be to monitor a mirrored port in my switch. Fingers crossed.
Thank you.

Hi,

install-deps.sh does not need to be run for the docker install; it is only needed if you are building an ISO yourself.

Hi
Everything seems to be ok now, on Ubuntu.
Thank you.

No problem, glad to hear!