Suricata not recognising packets, but tshark does

Sorry, I am confused. Why do we need two gpg keys, and how do you create the specific ones shown in your solution? When I try to run dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb I get an error

sudo dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.de
dpkg-deb: error: 'libbpf4.19_4.19.118-2+deb10u1_armhf.de' is not a Debian format archive

The extension of this file is de, not deb

You omitted the trailing b.
Here are the commands that Jason gave to download and install libbpf:

curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb

Weird, I get this error E: Invalid operation suricata
on this line apt -t buster-backports suricata. Should suricata already be installed before following those steps? If so, by doing the sudo apt-get method?

The command should probably be: apt install -t buster-backports suricata

I received this error when executing that command.
E: The value 'buster-backports' is invalid for APT::Default-Release as such a release is not available in the sources

Bumping this thread.

Do you really have

deb http://httpredir.debian.org/debian buster-backports main contrib

in your /etc/apt/sources.list, as mentioned in Jason's post above (#40)? And run sudo apt update afterwards? Your package manager does not seem to know that you added this extra repository.

Right, I don't think I have done the key generation correctly, can you walk me through it? The source.list is correct:

sudo apt update
Get:1 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]
Get:2 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB]
Get:3 http://httpredir.debian.org/debian buster-backports InRelease [46.7 kB]
Get:4 http://archive.raspberrypi.org/debian buster/main armhf Packages [330 kB]
Err:3 http://httpredir.debian.org/debian buster-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
Reading package lists... Done
W: GPG error: http://httpredir.debian.org/debian buster-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
E: The repository 'http://httpredir.debian.org/debian buster-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The package manager needs to have the PGP keys to verify package sets from the new repository.
You first have to fetch the keys from a keyserver, e.g. the SKS one:

$ gpg --recv-keys --keyserver ipv4.pool.sks-keyservers.net 04EE7237B7D453EC
gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --recv-keys --keyserver ipv4.pool.sks-keyservers.net 648ACFD622F3D138
gpg: key DC30D7C23CBBABEE: public key "Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

then import them into your local APT key store:

$ gpg --export 04EE7237B7D453EC | sudo apt-key add -
OK
$ gpg --export 648ACFD622F3D138 | sudo apt-key add -
OK

Then your apt update should work.


That all worked but when I do apt -t buster-backports suricata I get an error saying
E: Invalid operation suricata. Should I install suricata at this point using sudo apt-get install suricata?

I have already done:
curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb

It should be

sudo apt install -t buster-backports suricata

where install is the operation, -t buster-backports is the target distribution, and suricata is the package to install via apt.
With libbpf already present, that should pull in the rest of the dependencies from backports.

Great I now have it installed. I will now re run my tests and see what happens.

Okay, so I have suricata 5 and I can now pick up the ICMP packets. The issue now is I can't seem to install the emerging rules I was using previously. Here is the install script I was using. Are the emerging rules still compatible with suricata v5?

#!/usr/bin/env python3

import os
import subprocess
import urllib.request

suricatadirectory = '/etc/suricata/'
md5file = suricatadirectory + 'lastmd5'
rulesdirectory = suricatadirectory + 'rules.tar.gz'
rulesurl = 'https://rules.emergingthreats.net/open-nogpl/suricata-2.0/emerging.rules.tar.gz'


# Rule update: download the archive and unpack it into the Suricata directory
def deploynewrules():
    subprocess.check_call(["wget", rulesurl, "-o", "/tmp/wget.output", "-O", rulesdirectory])
    subprocess.check_call(["tar", "-xzf", rulesdirectory, "-C", suricatadirectory])


# Fetch the published .md5 sidecar for the current archive
def fetchmd5():
    with urllib.request.urlopen(rulesurl + ".md5") as response:
        return response.read().decode()


# Check whether the md5 has changed; record the new one if it has
def md5change():
    newmd5 = fetchmd5()

    with open(md5file, "r") as oldmd5file:
        oldmd5 = oldmd5file.read()

    if newmd5 != oldmd5:
        with open(md5file, "w") as md5:
            md5.write(newmd5)
        return True

    else:
        return False


def main():
    if os.path.exists(md5file):
        if md5change():
            deploynewrules()
    else:
        # First run: no stored md5 yet, so record it and deploy unconditionally
        with open(md5file, "w") as md5:
            md5.write(fetchmd5())
        deploynewrules()


if __name__ == '__main__':
    main()
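The script above only uses the published .md5 as a change detector; the archive it unpacks into /etc/suricata is never checked against it, and tar will happily write members with ../ or absolute paths outside the rules directory. The following is an added example (not the poster's script and not Emerging Threats code) that fetches the sidecar, verifies the downloaded archive against it and vets the tar members before extracting; it assumes the sidecar uses md5sum layout ('<digest>' or '<digest>  <filename>') and uses the suricata-git archive URL.

```python
import hashlib
import io
import os
import tarfile
import urllib.request

RULES_URL = "https://rules.emergingthreats.net/open/suricata-git/emerging.rules.tar.gz"  # .md5 sidecar sits beside it

def parse_md5_sidecar(text):
    """Digest from the sidecar; assumed md5sum layout: '<digest>' or '<digest>  <file>'."""
    tokens = text.strip().split()
    if not tokens or len(tokens[0]) != 32:
        raise ValueError("malformed md5 sidecar: %r" % text[:40])
    return tokens[0].lower()

def archive_matches(data, expected_md5):
    """True only if the downloaded bytes hash to the published digest."""
    return hashlib.md5(data).hexdigest() == expected_md5

def unsafe_members(tar, dest):
    """Members that escape dest (traversal, absolute paths) or are links; [] means safe."""
    base = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(base, member.name))
        if os.path.commonpath([base, target]) != base or member.issym() or member.islnk():
            bad.append(member.name)
    return bad

def sample_tar(names):
    """Constructed in-memory archive of empty files, for offline checks only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()), mode="r:gz")

def update_rules(dest="/etc/suricata/"):
    """Download, verify against the sidecar, vet members, then extract into dest."""
    with urllib.request.urlopen(RULES_URL + ".md5") as resp:
        expected = parse_md5_sidecar(resp.read().decode())
    with urllib.request.urlopen(RULES_URL) as resp:
        data = resp.read()
    if not archive_matches(data, expected):
        raise RuntimeError("archive does not match published md5; not installing")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        if unsafe_members(tar, dest):
            raise RuntimeError("archive contains members that would escape %s" % dest)
        tar.extractall(dest)
```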

Yes, the rules are compatible. Change your URL to https://rules.emergingthreats.net/open/suricata-git/emerging.rules.tar.gz and let us know how that works.

Yep, that works, thanks! Could someone supply the default suricata.yaml file? I have moved my old one over to the new suricata v5, but it is causing issues.

I have reinstalled suricata v5 but the .yaml file did not regenerate. Could someone please provide the default suricata.yaml file for suricata v5?

Here you are:
suricata.yaml (68.9 KB)

Please make sure to adjust your rule and log paths.