From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cbbXq0pPjz2ynT for ; Tue, 30 Sep 2025 11:33:31 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cbbXl5Lckz2xQW for ; Tue, 30 Sep 2025 11:33:27 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4cbbXk5lzXz1N3; Tue, 30 Sep 2025 11:33:26 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1759232006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1XUQdAVDjbqydZqvDhWN/s9HJwr6fHjoCsYTEAthPxo=; b=wHEsaNP9LPLRrKwN4cQvQRxR5+cTD6tiY/1PAbAVbfpROPggajL0SOtnv1OjdtgIwPQu/M 1MNJE+spgEtNbwAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1759232006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1XUQdAVDjbqydZqvDhWN/s9HJwr6fHjoCsYTEAthPxo=; b=bBXldYh3l+XdAdKPNsOjxkdmc1vqhG0twxiaGfGwCkLcDMRikhAux2D9FWyRreSkckCwiV hWNEKPfoH6OE7WxUD8eCsX/+IFfTSkN43pJy+w1RGEwhrP47a9B3gGqbXwuwNsaAoDRWhk L4im8hQjXmNPG0z/m5KeiBx96iBj/96hNfu4z7yac+/fZT/FNaWG7gBufoPC9+nmzjwE/G Ezl34qjJXJLYLNGbzbhVGqvzpg9XHVTYOho6tdVTVhQOTLRplrCzNu5vtUPDA0xZfjbuP/ dKblDUVWXcZjaPb0QaOchMThAERYPRnzmLQYB74yqPHMD7jXkqU96ed2VcIvLw== Message-ID: Date: Tue, 30 Sep 2025 13:33:26 +0200 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: CU198 Testing - first feedback on Suricata alert email sending From: Adolf Belka To: Michael Tremer Cc: "IPFire: Development-List" References: <40cff986-5ded-4b11-8479-83393662b9f2@ipfire.org> <82147ae8-47c7-4556-885e-f7c18d335f51@ipfire.org> <88bd3c15-9f22-4f07-b129-07913654a927@ipfire.org> <1cd07b64-14d6-43d8-9a8c-8832f4d16e63@ipfire.org> <841e4d71-af73-43be-9c01-609b7205411e@ipfire.org> <7e22fda0-f15c-44b5-a616-ade572a85cc9@ipfire.org> <81f8fa96-a9f9-4e47-912a-af4437ba6284@ipfire.org> <367abc50-5b3d-4d5b-bafd-f47159af0d25@ipfire.org> Content-Language: en-GB In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Michael, I looked at the source tarball for the suricata-reporter package and the settings in the LFS etc should have given the correct directories, ie /var/run/suricata/ and /var/log/suricata/ and in one of my build systems, I checked in the build directory and that is what is there. However it did not end up like that after the update so maybe something went wrong in the nightly build for that package. Regards, Adolf. On 30/09/2025 13:21, Adolf Belka wrote: > Hi Michael, > > I kept looking at things and eventually found that the database was set at /usr/var/log/suricata/ so I changed that line in suricata-reporter as well and now I have triggered three alerts and I got three emails.  Yaaah. > > Regards, > > Adolf. > > > On 30/09/2025 12:47, Adolf Belka wrote: >> Hi Michael, >> >> With the below fixes suricata-reporter is now running as a process but setting of an alert still does not get any messages in the dma logs and in the messages file there is nothing from suricata or suricata-reporter. >> >> Of course it could be that my fix for suricata-reporter gets it running but not in the right way. So I will wait for your comments on my findings in the emails below and try the testing again when you are happy that suricata-reporter is working as it should be. >> Bear in mind that I have never done any coding with python, only updated the packages. >> >> Regards, >> >> Adolf. >> >> >> On 30/09/2025 12:34, Adolf Belka wrote: >>> Hi Michael, >>> >>> I might have found the reason for the problem or at least I was able to get suricata-reporter running. >>> >>> I had a go at reading through the suricata-reporter python code. I found a line about setting the socket path that said >>> >>>          def socket_path(self): >>>                  return self.config.get("DEFAULT", "socket", >>>                          fallback="/usr/var/run/suricata/reporter.socket") >>> >>> so I changed the last line to read /var/run/suricata/reporter.socket instead of /usr/var... >>> >>> and after that starting the suricata initscript also started the suricata-reporter and I could see three processes running now, suricata, suricata-watcher and suricata-reporter. >>> >>> Will now test it out with some alerts. >>> >>> Regards, >>> >>> Adolf. >>> >>> On 30/09/2025 12:20, Adolf Belka wrote: >>>> Hi Michael, >>>> >>>> On 30/09/2025 11:47, Adolf Belka wrote: >>>>> Hi Michael, >>>>> >>>>> >>>>> On 30/09/2025 11:19, Michael Tremer wrote: >>>>>> Hallo Adolf, >>>>>> >>>>>> You can simply remove any files in /var/spool/dma and make sure that there are no sendmail processes running any more. >>>>>> >>>>>> Regarding why the reporter is not sending any emails, we might need to dig deeper. >>>>>> >>>>>> If you kill the reporter when it is running as usual, you can start it again in debug mode where it will stay in foreground and will log to the console what it is doing. Maybe that will tell us a little bit more. Launch it again like this: >>>>>> >>>>>>    suricata-reporter --config=/var/ipfire/suricata/reporter.conf -vvv >>>>> >>>>> I didn't even get to triggering an alert as suricata-reporter didn't even want to start. >>>>> >>>>> Single line error message >>>>> Failed to bind to socket: [Errno 2] No such file or directory >>>> >>>> I tried restarting suricata from the cli and got the message that suricata-reporter was not running from the stop step then after the start step it said >>>> >>>> Starting Intrusion Prevention Reporter...                                               [  OK  ] >>>> /etc/rc.d/init.d/functions: line 534: /var/run/suricata/reporter.pid: No such file or directory >>>> >>>> I found that the /var/run/suricata/ directory did not exist. >>>> >>>> I created it and tried restarting suricata again and got >>>> >>>> Stopping Intrusion Prevention System...                                                 [  OK  ] >>>> Stopping Intrusion Prevention Reporter...    Not running.                               [ WARN ] >>>> Starting Intrusion Prevention Reporter...                                               [  OK  ] >>>> Starting Intrusion Prevention System...                                                 [  OK  ] >>>> >>>> But running the status command gave >>>> >>>> suricata is running with Process ID(s)  8817. >>>> /usr/bin/suricata-reporter is not running but /var/run/suricata/reporter.pid exists. >>>> >>>> So my creating the suricata directory has allowed the pid to be created but suricata-reporter hasn't started because it still has the error message about the socket. So creating the suricata directory in /var/run/ did not solve that problem. >>>> >>>> Regards, >>>> >>>> Adolf. >>>> >>>>> >>>>> Regards, >>>>> >>>>> Adolf. >>>>> >>>>>> >>>>>> If you then trigger an alert, you should see some activity there and hopefully some problem as well if the email cannot be sent. >>>>>> >>>>>> Best, >>>>>> -Michael >>>>>> >>>>>>> On 29 Sep 2025, at 17:50, Adolf Belka wrote: >>>>>>> >>>>>>> Further info on the mailq stuff. >>>>>>> >>>>>>> I went to /var/spool/dma/ and read the contents of some of the files there. Basically they are related to a problem with arpwatch and nothing to do with suricata-reporter. >>>>>>> >>>>>>> I will need to separately try and figure out what is happening to cause those. There are 13 entries in the dma directory, all with the same date/time and I checked three different entries and they were all related to arpwatch. >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> Adolf. >>>>>>> >>>>>>> On 29/09/2025 18:37, Adolf Belka wrote: >>>>>>>> Without any new alerts being triggered by the IPS the dma logs showed more of those messages about error creating mbox root. >>>>>>>> I then triggered some more alerts in IPS and no new dma messages were seen. >>>>>>>> I also checked the mailq output before and after triggering the alerts and there were no additional entries compared to previously. >>>>>>>> Regards, >>>>>>>> Adolf. >>>>>>>> On 29/09/2025 18:10, Adolf Belka wrote: >>>>>>>>> Hi Michael, >>>>>>>>> >>>>>>>>> >>>>>>>>> On 29/09/2025 17:44, Michael Tremer wrote: >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> Thanks for testing this. So let’s go through this step by step… >>>>>>>>>> >>>>>>>>>> First of all, is the companion daemon running? It is a process called suricata-reporter. >>>>>>>>> >>>>>>>>> I couldn't find it. Running ps aux | grep suricata showed suricata-watcher and suricata but no suricata-reporter. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf. >>>>>>>>> >>>>>>>>> Yes there is enabled = true in the [email] section. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> And finally, can you run “mailq” to see if the emails have been sent and maybe have bounced? >>>>>>>>> >>>>>>>>> Ran that command and got a load of stuff but I don't understand it all all. >>>>>>>>> >>>>>>>>> Here are just a few that were shown as examples >>>>>>>>> >>>>>>>>> ID    : 1a0794.335a3b40 >>>>>>>>>  From    : >>>>>>>>> To    : root >>>>>>>>> -- >>>>>>>>> ID    : 1a078b.335a3b40 >>>>>>>>>  From    : >>>>>>>>> To    : root >>>>>>>>> -- >>>>>>>>> ID    : 1a078a.335a3b40 >>>>>>>>>  From    : >>>>>>>>> To    : root >>>>>>>>> -- >>>>>>>>> ID    : 1a0789.335a3b40 >>>>>>>>>  From    : >>>>>>>>> To    : root >>>>>>>>> -- >>>>>>>>> ID    : 1a0788.335a3b40 >>>>>>>>>  From    : >>>>>>>>> To    : root >>>>>>>>> -- >>>>>>>>> >>>>>>>>> I am also seeing the following in the dma logs >>>>>>>>> >>>>>>>>> 17:15:00 dma[1a0792.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a0792.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a078c.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a078c.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a078a.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a078a.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a078e.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a078e.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a078a.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory >>>>>>>>> 17:15:00 dma[1a0788.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a0788.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a0790.335a3b40]:  local delivery deferred: can not create `/var/mail/root' >>>>>>>>> 17:15:00 dma[1a0790.335a3b40]:  error creating mbox `root' >>>>>>>>> 17:15:00 dma[1a0792.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory >>>>>>>>> 17:15:00 dma[1a078c.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory >>>>>>>>> 17:15:00 dma[1a0792.335a3b40]:  trying delivery >>>>>>>>> 17:15:00 dma[1a078c.335a3b40]:  trying delivery >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> >>>>>>>>> Adolf. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> -Michael >>>>>>>>>> >>>>>>>>>>> On 29 Sep 2025, at 13:58, Adolf Belka wrote: >>>>>>>>>>> >>>>>>>>>>> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message. >>>>>>>>>>> >>>>>>>>>>> I use a mail server I have running on my local network. >>>>>>>>>>> >>>>>>>>>>> Regards, >>>>>>>>>>> >>>>>>>>>>> Adolf. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 29/09/2025 14:52, Adolf Belka wrote: >>>>>>>>>>>> Hi All, >>>>>>>>>>>> I just ran the update for CU198 Testing on my vm systems. >>>>>>>>>>>> The update itself went fine without any error messages or hiccups. >>>>>>>>>>>> I then went to test the IPS emailing of alerts. >>>>>>>>>>>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page. >>>>>>>>>>>> I set the alert severity to All, Including Informational Alerts. >>>>>>>>>>>> I then followed the suricata testing process as defined in >>>>>>>>>>>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting >>>>>>>>>>>> and I ended up with alerts in the IPS-Logs but no email message received. >>>>>>>>>>>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs. >>>>>>>>>>>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email. >>>>>>>>>>>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section. >>>>>>>>>>>> Regards, >>>>>>>>>>>> Adolf. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >