One, thank you all for all you do here, love the product and the support!!
Two, it seems that parts of snort.org are down, so my suricata-update is attempting to reach out and download the latest version of Snort's v2 rules file but fails, and that means (oddly to me: I thought it would fail and use the most recent version it already had) the whole suricata-update quits with an error.
<Error> -- Failed to copy file: The read operation timed out
As a temporary work-around, you could use the command line option --offline. But yes, this should probably succeed. We have a command line option --fail to be strict and error out on any failure. This should probably be one of the failure conditions that is allowed by default.
Maybe, I’m seeing how someone might want to step left from a naive state. It could be useful to error and to have instrumented conditionally executed follow-up elements.
Something like this might work?
#!/bin/bash
# Get updated sources
suricata-update update-sources --config /etc/suricata/update.yaml --suricata-conf /etc/suricata/suricata.yaml
# Get rule updates from sources
suricata-update update --config /etc/suricata/update.yaml --suricata-conf /etc/suricata/suricata.yaml \
    --show-advanced --output /etc/suricata/homelab -v --no-test --no-reload
# Catch the exit code of the online run
exit_code=$?
# Check the exit code and rerun in offline mode (cached sources) if it failed
if [ "$exit_code" -ne 0 ]; then
    suricata-update update --config /etc/suricata/update.yaml --suricata-conf /etc/suricata/suricata.yaml \
        --show-advanced --output /etc/suricata/homelab -v --offline --no-test --no-reload
    echo "2nd suricata-update now finished, 1st suricata-update did not return 0."
else
    echo "Already finished, 1st suricata-update returned 0."
fi
Also, it seems they fixed their issue at Snort as the downloads are working again, another step in my realization of the shared responsibility in resiliency.
After thinking about it for a bit, it might be neat to have an additional flag that is "rerun in offline", and when doing so, simply download fresh data from the working sources according to the cache policy and give a list of sources and their state at the end of the run.
Something like --postfailrunoffline, and it would output after the whole run an additional status detail of:
The timestamps are all that source's data pull timestamp, showing how fresh our data is as far as our pull goes; honestly, if you are pulling old data for the first time that is its own issue… but the last one, EnabledSource5, should be "now", so that if you have a source that isn't working and you don't have a cache, you see 'Now' and can track the error and how long it persists in the logs.
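As an added example (not code from this thread or from the suricata-update project), here is a wrapper that does the offline fallback from the script above and then prints, per cached source file, how long ago it was pulled, which is the freshness status the last post asks for. It assumes the default data dir, so the cache sits in /var/lib/suricata/update/cache, and GNU coreutils (stat -c); SURICATA_UPDATE_CMD is a hypothetical hook, only there so the fallback logic can be exercised with a stand-in command.

```shell
#!/bin/bash
# Try the online update first; if any source fails, rerun with --offline so the
# cached copies are used, then list every cached file with its last-pull time.
# Assumptions (not from the thread): default data dir /var/lib/suricata, so the
# cache is /var/lib/suricata/update/cache; GNU stat. SURICATA_UPDATE_CMD is a
# hypothetical override so the logic can run where suricata-update is absent.
CACHE_DIR="${SURICATA_UPDATE_CACHE:-/var/lib/suricata/update/cache}"

# update_rules [suricata-update args...]
# Returns 0 if the online run or the offline rerun succeeded, 1 if both failed.
update_rules() {
    local cmd="${SURICATA_UPDATE_CMD:-suricata-update}"
    if "$cmd" update "$@"; then
        echo "online update succeeded"
        return 0
    fi
    echo "online update failed; rerunning with --offline (cached sources only)" >&2
    if "$cmd" update --offline "$@"; then
        echo "offline rerun succeeded; check source freshness below"
        return 0
    fi
    echo "offline rerun also failed" >&2
    return 1
}

# report_cache [dir]: print each cached file and how many minutes ago it was
# pulled. Returns 1 if there is no cache to fall back on (no dir or no files).
report_cache() {
    local dir="${1:-$CACHE_DIR}" now f count=0
    now=$(date +%s)
    [ -d "$dir" ] || { echo "no cache directory at $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        printf '%-40s pulled %d minutes ago\n' "$(basename "$f")" \
            "$(( (now - $(stat -c %Y "$f")) / 60 ))"
    done
    [ "$count" -gt 0 ]
}

# Run only when arguments are given, e.g.:
#   ./update-wrapper.sh --config /etc/suricata/update.yaml --output /etc/suricata/homelab
if [ "$#" -gt 0 ]; then
    update_rules "$@"
    rc=$?
    report_cache
    exit "$rc"
fi
```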