Subject: Re: CU198 Testing - first feedback on Suricata alert email sending
From: Michael Tremer
Date: Tue, 30 Sep 2025 16:10:24 +0100
To: Adolf Belka
Cc: "IPFire: Development-List"
Message-Id: <65F4FF8E-3176-4A3F-A8EC-BFCBC9B775CE@ipfire.org>

Hello,

This should be created here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=82269b9647e2430a0f12fcb9a0319ba499c3bdee

I added the script to the updater :( I wish I was doing better at this.
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=9150cbddeb913ce093f2f7e0669e4a8ab3265bb0

Best,
-Michael

> On 30 Sep 2025, at 16:02, Adolf Belka wrote:
>
> Hi Michael,
>
> On 30/09/2025 16:07, Michael Tremer wrote:
>> Hello Adolf,
>> Whoops, my bad…
>> I cherry-picked the change into master:
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=a950be6cd698adb9d16c458c0189c7ec2bf7494c
>> And after this, it all works well?
>
> I will test and see but from my earlier testing I think the suricata directory in /var/run will need to be created somewhere so that when rebooting it is created.
>
> In the update.sh script it creates that directory but after doing a reboot it is no longer present and so suricata-reporter won't start as it hasn't got the directory to place the pid file in.
>
> That occurred for me after making the path changes in the suricata-reporter file so I don't believe just having that change in master by itself will be enough.
>
> The directory for the database is fine as it is in the same directory as the fastlog is placed so it already exists.
>
> I can test your cherry-picked change after it has been through the nightly build and confirm one way or the other for the /var/run/suricata/ directory.
>
> Regards,
>
> Adolf.
>
>> -Michael
>>> On 30 Sep 2025, at 12:46, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> On 30/09/2025 13:33, Adolf Belka wrote:
>>>> Hi Michael,
>>>> I looked at the source tarball for the suricata-reporter package and the settings in the LFS etc. should have given the correct directories, i.e. /var/run/suricata/ and /var/log/suricata/, and in one of my build systems I checked in the build directory and that is what is there.
>>>> However it did not end up like that after the update so maybe something went wrong in the nightly build for that package.
>>>
>>> I have found out what happened. The lfs version in master only had
>>>
>>> cd $(DIR_APP) && \
>>> ./configure \
>>> --prefix=/usr \
>>> --sysconfdir=/etc
>>> cd $(DIR_APP) && make $(MAKETUNING)
>>> cd $(DIR_APP) && make install
>>>
>>> so it was missing the
>>>
>>> --localstatedir=/var
>>>
>>> line which was added into next but not merged back to master.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>> Regards,
>>>> Adolf.
>>>> On 30/09/2025 13:21, Adolf Belka wrote:
>>>>> Hi Michael,
>>>>>
>>>>> I kept looking at things and eventually found that the database was set at /usr/var/log/suricata/ so I changed that line in suricata-reporter as well and now I have triggered three alerts and I got three emails. Yaaah.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Adolf.
>>>>>
>>>>> On 30/09/2025 12:47, Adolf Belka wrote:
>>>>>> Hi Michael,
>>>>>>
>>>>>> With the below fixes suricata-reporter is now running as a process but setting of an alert still does not get any messages in the dma logs and in the messages file there is nothing from suricata or suricata-reporter.
>>>>>>
>>>>>> Of course it could be that my fix for suricata-reporter gets it running but not in the right way. So I will wait for your comments on my findings in the emails below and try the testing again when you are happy that suricata-reporter is working as it should be.
>>>>>> Bear in mind that I have never done any coding with python, only updated the packages.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Adolf.
>>>>>>
>>>>>> On 30/09/2025 12:34, Adolf Belka wrote:
>>>>>>> Hi Michael,
>>>>>>>
>>>>>>> I might have found the reason for the problem or at least I was able to get suricata-reporter running.
>>>>>>>
>>>>>>> I had a go at reading through the suricata-reporter python code. I found a line about setting the socket path that said
>>>>>>>
>>>>>>> def socket_path(self):
>>>>>>>     return self.config.get("DEFAULT", "socket",
>>>>>>>         fallback="/usr/var/run/suricata/reporter.socket")
>>>>>>>
>>>>>>> so I changed the last line to read /var/run/suricata/reporter.socket instead of /usr/var...
>>>>>>>
>>>>>>> and after that starting the suricata initscript also started the suricata-reporter and I could see three processes running now: suricata, suricata-watcher and suricata-reporter.
>>>>>>>
>>>>>>> Will now test it out with some alerts.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Adolf.
>>>>>>>
>>>>>>> On 30/09/2025 12:20, Adolf Belka wrote:
>>>>>>>> Hi Michael,
>>>>>>>>
>>>>>>>> On 30/09/2025 11:47, Adolf Belka wrote:
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> On 30/09/2025 11:19, Michael Tremer wrote:
>>>>>>>>>> Hello Adolf,
>>>>>>>>>>
>>>>>>>>>> You can simply remove any files in /var/spool/dma and make sure that there are no sendmail processes running any more.
>>>>>>>>>>
>>>>>>>>>> Regarding why the reporter is not sending any emails, we might need to dig deeper.
>>>>>>>>>>
>>>>>>>>>> If you kill the reporter when it is running as usual, you can start it again in debug mode where it will stay in the foreground and will log to the console what it is doing. Maybe that will tell us a little bit more. Launch it again like this:
>>>>>>>>>>
>>>>>>>>>> suricata-reporter --config=/var/ipfire/suricata/reporter.conf -vvv
>>>>>>>>>
>>>>>>>>> I didn't even get to triggering an alert as suricata-reporter didn't even want to start.
>>>>>>>>>
>>>>>>>>> Single line error message
>>>>>>>>> Failed to bind to socket: [Errno 2] No such file or directory
>>>>>>>>
>>>>>>>> I tried restarting suricata from the cli and got the message that suricata-reporter was not running from the stop step, then after the start step it said
>>>>>>>>
>>>>>>>> Starting Intrusion Prevention Reporter...                  [ OK ]
>>>>>>>> /etc/rc.d/init.d/functions: line 534: /var/run/suricata/reporter.pid: No such file or directory
>>>>>>>>
>>>>>>>> I found that the /var/run/suricata/ directory did not exist.
>>>>>>>>
>>>>>>>> I created it and tried restarting suricata again and got
>>>>>>>>
>>>>>>>> Stopping Intrusion Prevention System...                    [ OK ]
>>>>>>>> Stopping Intrusion Prevention Reporter... Not running.     [ WARN ]
>>>>>>>> Starting Intrusion Prevention Reporter...                  [ OK ]
>>>>>>>> Starting Intrusion Prevention System...                    [ OK ]
>>>>>>>>
>>>>>>>> But running the status command gave
>>>>>>>>
>>>>>>>> suricata is running with Process ID(s) 8817.
>>>>>>>> /usr/bin/suricata-reporter is not running but /var/run/suricata/reporter.pid exists.
>>>>>>>>
>>>>>>>> So my creating the suricata directory has allowed the pid to be created but suricata-reporter hasn't started because it still has the error message about the socket. So creating the suricata directory in /var/run/ did not solve that problem.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Adolf.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Adolf.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If you then trigger an alert, you should see some activity there and hopefully some problem as well if the email cannot be sent.
>>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>> -Michael
>>>>>>>>>>
>>>>>>>>>>> On 29 Sep 2025, at 17:50, Adolf Belka wrote:
>>>>>>>>>>>
>>>>>>>>>>> Further info on the mailq stuff.
>>>>>>>>>>>
>>>>>>>>>>> I went to /var/spool/dma/ and read the contents of some of the files there. Basically they are related to a problem with arpwatch and nothing to do with suricata-reporter.
>>>>>>>>>>>
>>>>>>>>>>> I will need to separately try and figure out what is happening to cause those. There are 13 entries in the dma directory, all with the same date/time, and I checked three different entries and they were all related to arpwatch.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Adolf.
>>>>>>>>>>>
>>>>>>>>>>> On 29/09/2025 18:37, Adolf Belka wrote:
>>>>>>>>>>>> Without any new alerts being triggered by the IPS the dma logs showed more of those messages about error creating mbox root.
>>>>>>>>>>>> I then triggered some more alerts in IPS and no new dma messages were seen.
>>>>>>>>>>>> I also checked the mailq output before and after triggering the alerts and there were no additional entries compared to previously.
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Adolf.
>>>>>>>>>>>> On 29/09/2025 18:10, Adolf Belka wrote:
>>>>>>>>>>>>> Hi Michael,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 29/09/2025 17:44, Michael Tremer wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for testing this. So let's go through this step by step…
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all, is the companion daemon running? It is a process called suricata-reporter.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I couldn't find it. Running ps aux | grep suricata showed suricata-watcher and suricata but no suricata-reporter.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, there is enabled = true in the [email] section.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And finally, can you run "mailq" to see if the emails have been sent and maybe have bounced?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ran that command and got a load of stuff but I don't understand it at all.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are just a few that were shown as examples
>>>>>>>>>>>>>
>>>>>>>>>>>>> ID : 1a0794.335a3b40
>>>>>>>>>>>>> From :
>>>>>>>>>>>>> To : root
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ID : 1a078b.335a3b40
>>>>>>>>>>>>> From :
>>>>>>>>>>>>> To : root
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ID : 1a078a.335a3b40
>>>>>>>>>>>>> From :
>>>>>>>>>>>>> To : root
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ID : 1a0789.335a3b40
>>>>>>>>>>>>> From :
>>>>>>>>>>>>> To : root
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ID : 1a0788.335a3b40
>>>>>>>>>>>>> From :
>>>>>>>>>>>>> To : root
>>>>>>>>>>>>> --
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am also seeing the following in the dma logs
>>>>>>>>>>>>>
>>>>>>>>>>>>> 17:15:00 dma[1a0792.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a0792.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a078c.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a078c.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a078a.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a078a.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a078e.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a078e.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a078a.335a3b40]: cannot execute /usr/lib/dma-mbox-create: No such file or directory
>>>>>>>>>>>>> 17:15:00 dma[1a0788.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a0788.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a0790.335a3b40]: local delivery deferred: can not create `/var/mail/root'
>>>>>>>>>>>>> 17:15:00 dma[1a0790.335a3b40]: error creating mbox `root'
>>>>>>>>>>>>> 17:15:00 dma[1a0792.335a3b40]: cannot execute /usr/lib/dma-mbox-create: No such file or directory
>>>>>>>>>>>>> 17:15:00 dma[1a078c.335a3b40]: cannot execute /usr/lib/dma-mbox-create: No such file or directory
>>>>>>>>>>>>> 17:15:00 dma[1a0792.335a3b40]: trying delivery
>>>>>>>>>>>>> 17:15:00 dma[1a078c.335a3b40]: trying delivery
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Adolf.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 29 Sep 2025, at 13:58, Adolf Belka wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I use a mail server I have running on my local network.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Adolf.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 29/09/2025 14:52, Adolf Belka wrote:
>>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>> I just ran the update for CU198 Testing on my vm systems.
>>>>>>>>>>>>>>>> The update itself went fine without any error messages or hiccups.
>>>>>>>>>>>>>>>> I then went to test the IPS emailing of alerts.
>>>>>>>>>>>>>>>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
>>>>>>>>>>>>>>>> I set the alert severity to All, Including Informational Alerts.
>>>>>>>>>>>>>>>> I then followed the suricata testing process as defined in
>>>>>>>>>>>>>>>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
>>>>>>>>>>>>>>>> and I ended up with alerts in the IPS-Logs but no email message received.
>>>>>>>>>>>>>>>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
>>>>>>>>>>>>>>>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
>>>>>>>>>>>>>>>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>> Adolf.
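The "Failed to bind to socket: [Errno 2] No such file or directory" message in the thread is what a UNIX-socket bind produces when the socket's parent directory is absent, which is also why /var/run/suricata has to be recreated after every reboot and not only by update.sh. The following is an added example, not IPFire's suricata-reporter code: it reproduces that failure against a scratch directory and shows the fix of creating the runtime directory before binding. The config lookup mirrors the socket_path() snippet quoted above; ensure_runtime_dir(), bind_reporter_socket() and demo() are names assumed for this example.

```python
# Added example (not IPFire's suricata-reporter code): reproduces the thread's
# "[Errno 2]" bind failure and the fix of creating the runtime directory first.
import configparser
import os
import shutil
import socket
import tempfile

# Corrected fallback; the broken build had /usr/var/... (missing --localstatedir=/var)
DEFAULT_SOCKET = "/var/run/suricata/reporter.socket"

def socket_path(config, fallback=DEFAULT_SOCKET):
    # Same lookup as the snippet quoted in the thread: [DEFAULT] socket = ...
    return config.get("DEFAULT", "socket", fallback=fallback)

def ensure_runtime_dir(path, mode=0o750):
    # /var/run is a tmpfs, so /var/run/suricata vanishes on reboot; the daemon or
    # its initscript must recreate the parent before the pid file or socket is made
    parent = os.path.dirname(path)
    os.makedirs(parent, mode=mode, exist_ok=True)
    return parent

def bind_reporter_socket(path, create_parent):
    if create_parent:
        ensure_runtime_dir(path)
    if os.path.exists(path):
        os.unlink(path)  # stale socket left by a killed instance
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)  # raises FileNotFoundError ([Errno 2]) if the parent is missing
    sock.listen(1)
    return sock

def demo():
    # Constructed config pointing into a scratch dir instead of the real /var/run
    root = tempfile.mkdtemp(prefix="sr-")
    cfg = configparser.ConfigParser()
    cfg.read_string(f"[DEFAULT]\nsocket = {root}/suricata/reporter.socket\n")
    path = socket_path(cfg)
    result = {"path": path, "fallback": socket_path(configparser.ConfigParser())}
    try:
        bind_reporter_socket(path, create_parent=False).close()
        result["without_dir"] = "bound"
    except FileNotFoundError as e:
        result["without_dir"] = e.errno  # 2, matching the thread's error message
    sock = bind_reporter_socket(path, create_parent=True)
    result["with_dir"] = os.path.exists(path)
    sock.close()
    shutil.rmtree(root)
    return result
```

Calling demo() runs both attempts and returns a dict whose "without_dir" entry is errno 2 and whose "with_dir" entry is True once the parent directory exists.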