Expect
I want to restart or reload the Suricata process running in a container whenever suricata.yaml is updated.
I assumed that Suricata would receive a HUP signal, reload its configuration files, and have the changes take effect.
Test
User secur1ty is an unprivileged user, and I use secur1ty to start the Suricata process in the container.
start cmd
exec gosu secur1ty /opt/suricata/bin/suricata --af-packet -c /opt/suricata/etc/suricata/config/suricata.yaml
suricata.yaml
%YAML 1.1
---
# Address and port variables referenced from the rule set ($HOME_NET, $HTTP_PORTS, ...).
vars:
  # Values beginning with '!' or '[' must stay quoted: unquoted they are a YAML tag / flow sequence.
  address-groups:  # to be customised
    HOME_NET: '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
    EXTERNAL_NET: '!$HOME_NET'
    HTTP_SERVERS: '$HOME_NET'
    SMTP_SERVERS: '$HOME_NET'
    SQL_SERVERS: '$HOME_NET'
    DNS_SERVERS: '$HOME_NET'
    TELNET_SERVERS: '$HOME_NET'
    AIM_SERVERS: '$EXTERNAL_NET'
    DC_SERVERS: '$HOME_NET'
    DNP3_SERVER: '$HOME_NET'
    DNP3_CLIENT: '$HOME_NET'
    MODBUS_CLIENT: '$HOME_NET'
    MODBUS_SERVER: '$HOME_NET'
    ENIP_CLIENT: '$HOME_NET'
    ENIP_SERVER: '$HOME_NET'

  # Port variables; the tunnel ports at the end are consumed by the decoder section.
  port-groups:
    HTTP_PORTS: '80'
    SHELLCODE_PORTS: '!80'
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
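# Directory that relative output filenames (fast.log, suricata_event.json, ...) resolve against.
# NOTE(review): the suricata.log excerpt on this page reports "storing certs in
# /var/log/suricata/", which is not under this directory; that suggests the running
# process loaded a different suricata.yaml than the one shown here — confirm which
# file the container's process actually started with.
default-log-dir: /var/log/suricata-manual/

# Periodic engine counters written by the stats outputs; interval is in seconds.
stats:
  enabled: yes
  interval: 8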
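# Event and alert outputs. Relative filenames resolve under default-log-dir.
outputs:
  # Single-line alert log; disabled, eve-log carries alerts instead.
  - fast:
      enabled: no
      filename: fast.log
      append: yes

  # Extensible Event Format: one JSON record per event.
  - eve-log:
      enabled: yes
      filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
      filename: suricata_event.json
      metadata: yes
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        # NOTE(review): payload, packet and http-body dumping write raw traffic
        # content (which can include credentials or personal data) into
        # suricata_event.json; keep the log directory access-restricted and
        # give the file a retention policy.
        - alert:
            payload: yes  # enable dumping payload in Base64
            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
            payload-printable: yes  # enable dumping payload in printable (lossy) format
            packet: yes  # enable dumping of packet (without stream segments)
            metadata: yes  # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes  # Requires metadata; enable dumping of HTTP body in Base64
            http-body-printable: yes  # Requires metadata; enable dumping of HTTP body in printable format
        - anomaly:
            enabled: no
            types:
        - http:
            extended: yes  # enable this for extended logging information
        - dns:
            enabled: yes
        - tls:
            extended: yes  # enable this for extended logging information
        # NOTE(review): suricata.log on this page reports SC_ERR_MAGIC_LOAD(197)
        # "could not find any valid magic files" at start-up, and this file sets
        # no top-level `magic-file:` path, so libmagic file-type detection is not
        # working in the container. Install the libmagic database there, or set
        # `magic-file:` to its location.
        - files:
            force-magic: no  # force logging magic on all logged files
        - smtp:
        - dnp3
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - dcerpc
        - krb5
        - snmp
        - rfb
        - sip
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt
        - http2
        - stats:
            totals: yes  # stats for all threads merged together
            threads: no  # per thread stats
            deltas: no  # include delta values
        - flow
        - metadata

  # Legacy line-based HTTP request log.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes

  # Legacy line-based TLS log.
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log  # File to store TLS logs.
      append: yes

  # Writes observed certificates to disk (the log shows "storing certs in ...").
  - tls-store:
      enabled: yes

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      mode: normal  # normal, multi or sguil.
      use-stream-depth: no  # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no  # If set to "yes", flows in which a pass rule matched will stop being logged.

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: yes
      log-packet-header: yes

  # Human-readable counters; the eve 'stats' type above carries the JSON form.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes  # append to file (yes) or overwrite it (no)
      totals: yes  # stats for all threads merged together
      threads: no  # per thread stats

  - syslog:
      enabled: no
      facility: local5

  # Extracted-file storage (filestore v2).
  # NOTE(review): the suricata.log excerpt shows directories being created under
  # /var/log/suricata-filestore-test/filestore, not under the dir below — further
  # evidence that the running process loaded a different suricata.yaml.
  # force-filestore: yes stores every file the app-layer parsers extract, whether
  # or not a rule asked for it, and stream-depth: 0 removes the reassembly depth
  # cap for those files (as documented for file-store — confirm); budget disk space
  # and restrict access to dir, since stored files may be sensitive or malicious.
  - file-store:
      version: 2
      enabled: yes
      dir: /var/log/suricata-filestore/filestore
      write-fileinfo: yes
      force-filestore: yes
      stream-depth: 0
      force-hash: [sha1, md5]
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  - lua:
      enabled: no
      scripts: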
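# Engine logging (not event output): the source of the suricata.log lines quoted
# on this page.
# NOTE(review): Suricata's SIGHUP handler only closes and re-opens its output
# files (log-rotation support); it does not re-read suricata.yaml. "Nothing
# happens and no new lines in suricata.log" after `kill -HUP 1` is therefore the
# expected result. SIGUSR2 reloads the rule files only (the "rule reload
# starting" lines), and a changed suricata.yaml needs a process restart.
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: yes
    # suricata.log, resolved under default-log-dir.
    - file:
        enabled: yes
        level: info
        filename: suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "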
# AF_PACKET capture; matches the --af-packet start command on this page.
# No copy-mode is set on either entry, so this appears to be a passive (IDS) capture.
af-packet:
  - interface: enp0s3
    threads: auto  # customised
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes  # customised
    tpacket-v3: yes  # customised
  # Fallback settings for any interface not listed above.
  - interface: default
    threads: auto
    use-mmap: yes
    tpacket-v3: yes

# libpcap live capture (unused with --af-packet).
pcap:
  - interface: eth0
  - interface: default

# Offline pcap replay settings.
pcap-file:
  checksum-checks: auto
# Application-layer parser switches and the ports each parser probes.
app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        # One plain scalar; Suricata splits it on the commas.
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
      enabled: yes
    ssh:
      enabled: yes
    http2:
      enabled: yes
      http1-rules: no
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          double-decode-path: no
          double-decode-query: no
        # No per-server overrides.
        server-config:
    modbus:
      enabled: yes
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000
    enip:
      enabled: yes
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes

# Upper bound on ASN.1 frames decoded per buffer.
asn1-max-frames: 256
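# NOTE(review): the ps output shows the process running as user secur1ty; that
# user must be able to create this file, or the pid file will not be written.
pid-file: /var/run/suricata.pid

coredump:
  # NOTE(review): an unlimited core file can contain captured packet data; if core
  # dumps are enabled in the container, keep their location access-restricted.
  max-dump: unlimited

host-mode: auto
max-pending-packets: 15000  # to be customised
runmode: workers  # customised autofp when testing pcap files, workers in run-time mode

# Control socket used by suricatasc. With it disabled, signals are the only
# runtime control channel; enabling it would allow `suricatasc -c reload-rules`
# (the same rule reload SIGUSR2 triggers) — it still does not reload suricata.yaml.
unix-command:
  enabled: no  # default:auto

legacy:
  uricontent: enabled

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Backtracking limits for PCRE rule keywords.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Per-host OS policy for reassembly; every host is treated as Windows here.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []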
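# IP defragmentation engine.
defrag:
  memcap: 200mb  # 32mb
  hash-size: 65536
  trackers: 65535  # number of defragmented flows to follow
  max-frags: 65535  # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Flow table.
flow:
  memcap: 512mb  # 128mb customised
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

# Flow timeouts in seconds; the emergency-* values apply once flow.memcap is hit.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

# TCP stream tracking and reassembly.
stream:
  memcap: 256mb  # 64mb customised
  # Packets with bad checksums are not tracked; the quoted stats line reports
  # "invalid chksum: 0" for enp0s3 with capture.disable-offloading: true, so this
  # looks safe on that host.
  checksum-validation: yes  # reject incorrect csums
  # NOTE(review): the af-packet section sets no copy-mode, i.e. passive capture,
  # yet inline reassembly is forced here instead of left at 'auto' — confirm that
  # IPS-style stream handling on a passive tap is intended.
  inline: yes  # customised, auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    # Data beyond this per-direction depth is not reassembled or inspected.
    depth: 1mb  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

# Host table (used by thresholds, tags, iprep).
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Tunnel decoders; port values come from vars.port-groups.
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS  # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS  # syntax: '[8472, 4789]' or '4789'.
  vntag:
    enabled: false
  geneve:
    enabled: true
    ports: $GENEVE_PORTS  # syntax: '[6081, 1234]' or '6081'.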
# Detection engine: signature grouping profile and inspection limits.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false  # very verbose
      include-mpm-stats: false

# Multi- and single-pattern matcher selection; 'auto' picks the best available build.
mpm-algo: auto
spm-algo: auto

# Thread placement; affinity is off, so the cpu sets below are not applied.
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [0]  # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [0]  # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: ['all']
        mode: 'exclusive'
        prio:
          low: [0]
          medium: ['1-2']
          high: [3]
          default: 'medium'
  detect-thread-ratio: 1.0

luajit:
  states: 128

# Engine self-profiling outputs; all disabled.
profiling:
  rules:
    enabled: no
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: no
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
# NFQUEUE (IPS) settings; empty, not used with --af-packet.
nfq:

# NFLOG capture groups.
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

# Disable NIC offloading so the capture sees complete, checksummed packets.
capture:
  disable-offloading: true

netmap:
  - interface: eth2
  - interface: default

pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

# IPFW (BSD) divert settings; empty.
ipfw:

napatech:
  streams: ['0-3']
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted
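# Rule set and companion configuration files. These are what a SIGUSR2 rule
# reload re-reads (the quoted log shows "1 rule files processed" and "Threshold
# config parsed" during the reload); the rest of this file is read at start-up
# only. Keep these files read-only for the secur1ty user, since a reload picks
# up whatever is on disk at that moment.
default-rule-path: /opt/suricata/etc/suricata/config/rules
rule-files:
  - suricata.rules
classification-file: /opt/suricata/etc/suricata/config/rules/classification.config
reference-config-file: /opt/suricata/etc/suricata/reference.config
threshold-file: /opt/suricata/etc/suricata/threshold.config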
suricata.log
2/8/2023 -- 09:18:57 - <Notice> - rule reload starting
2/8/2023 -- 09:19:00 - <Info> - 1 rule files processed. 68786 rules successfully loaded, 0 rules failed
2/8/2023 -- 09:19:00 - <Info> - Threshold config parsed: 0 rule(s) found
2/8/2023 -- 09:19:02 - <Info> - 68789 signatures processed. 1205 are IP-only rules, 14797 are inspecting packet payload, 52759 inspect application layer, 0 are decoder event only
2/8/2023 -- 09:19:08 - <Info> - cleaning up signature grouping structure... complete
2/8/2023 -- 09:19:09 - <Notice> - rule reload complete
2/8/2023 -- 09:20:02 - <Notice> - Signal Received. Stopping engine.
2/8/2023 -- 09:20:03 - <Info> - time elapsed 93539.617s
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 7 requests
2/8/2023 -- 09:20:04 - <Info> - (W#01-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 9 requests
2/8/2023 -- 09:20:04 - <Info> - (W#02-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 5 requests
2/8/2023 -- 09:20:04 - <Info> - (W#03-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 10 requests
2/8/2023 -- 09:20:04 - <Info> - (W#04-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 10 requests
2/8/2023 -- 09:20:04 - <Info> - (W#05-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - TLS logger logged 12 requests
2/8/2023 -- 09:20:04 - <Info> - (W#06-enp0s3) certificates extracted 0
2/8/2023 -- 09:20:04 - <Info> - Alerts: 158
2/8/2023 -- 09:20:04 - <Info> - cleaning up signature grouping structure... complete
2/8/2023 -- 09:20:04 - <Notice> - Stats for 'enp0s3': pkts: 117495, drop: 0 (0.00%), invalid chksum: 0
2/8/2023 -- 09:20:31 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
2/8/2023 -- 09:20:31 - <Info> - CPUs/cores online: 6
2/8/2023 -- 09:20:31 - <Info> - Found an MTU of 1500 for 'enp0s3'
2/8/2023 -- 09:20:31 - <Info> - Found an MTU of 1500 for 'enp0s3'
2/8/2023 -- 09:20:31 - <Info> - eve-log output device (regular) initialized: suricata_event.json
2/8/2023 -- 09:20:31 - <Info> - DNP3 log sub-module initialized.
2/8/2023 -- 09:20:31 - <Info> - DNP3 log sub-module initialized.
2/8/2023 -- 09:20:31 - <Info> - http-log output device (regular) initialized: http.log
2/8/2023 -- 09:20:31 - <Info> - tls-log output device (regular) initialized: tls.log
2/8/2023 -- 09:20:31 - <Info> - storing certs in /var/log/suricata/
2/8/2023 -- 09:20:31 - <Info> - stats output device (regular) initialized: stats.log
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore/00
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore/01
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore/02
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore/03
2/8/2023 -- 09:20:31 - <Info> - Filestore (v2) creating directory /var/log/suricata-filestore-test/filestore/04
...
2/8/2023 -- 10:45:46 - <Info> - 1 rule files processed. 68786 rules successfully loaded, 0 rules failed
2/8/2023 -- 10:45:47 - <Info> - Threshold config parsed: 0 rule(s) found
2/8/2023 -- 10:45:49 - <Info> - 68789 signatures processed. 1205 are IP-only rules, 14797 are inspecting packet payload, 52759 inspect application layer, 0 are decoder event only
2/8/2023 -- 10:45:53 - <Info> - Going to use 6 thread(s)
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:53 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any valid magic files!
2/8/2023 -- 10:45:54 - <Notice> - all 6 packet processing threads, 4 management threads initialized, engine started.
2/8/2023 -- 10:45:54 - <Info> - All AFP capture threads are running.
2/8/2023 -- 10:48:32 - <Notice> - rule reload starting
2/8/2023 -- 10:48:35 - <Info> - 1 rule files processed. 68786 rules successfully loaded, 0 rules failed
2/8/2023 -- 10:48:36 - <Info> - Threshold config parsed: 0 rule(s) found
2/8/2023 -- 10:48:37 - <Info> - 68789 signatures processed. 1205 are IP-only rules, 14797 are inspecting packet payload, 52759 inspect application layer, 0 are decoder event only
2/8/2023 -- 10:48:43 - <Info> - cleaning up signature grouping structure... complete
2/8/2023 -- 10:48:43 - <Notice> - rule reload complete
My steps
root@xo:/# ps -ef
UID PID PPID C STIME TTY TIME CMD
secur1ty 1 0 1 09:20 ? 00:01:26 /opt/suricata/bin/suricata --af-packet -c /opt/suricata/etc/suricata/config/suricata.yaml
root 95 1 0 09:20 ? 00:00:00 /usr/sbin/cron
root 107 0 0 09:20 pts/1 00:00:00 bash
I execute the following command hoping that Suricata will reload, but nothing happens and no new lines appear in suricata.log.
kill -HUP 1
BUT when I execute the following command, Suricata does produce some output.
kill -USR2 1
2/8/2023 -- 10:48:32 - <Notice> - rule reload starting
2/8/2023 -- 10:48:35 - <Info> - 1 rule files processed. 68786 rules successfully loaded, 0 rules failed
2/8/2023 -- 10:48:36 - <Info> - Threshold config parsed: 0 rule(s) found
2/8/2023 -- 10:48:37 - <Info> - 68789 signatures processed. 1205 are IP-only rules, 14797 are inspecting packet payload, 52759 inspect application layer, 0 are decoder event only
2/8/2023 -- 10:48:43 - <Info> - cleaning up signature grouping structure... complete
2/8/2023 -- 10:48:43 - <Notice> - rule reload complete
ENV
Suricata: 6.0.9
Debian 11
Docker Server: 23.0
gosu 1.12
Why does Suricata not react to HUP, or why can it not reload/restart?
Could you please give me some ideas about this?
Thanks~