SO installation problem

[and]

Hello,

I tried to install SO (https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu) and got errors during installation (step 13):


Setting up securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) ...
/etc/nsm/ossec/ossec_agent.conf does not exist, copying.
Setting up securityonion-sguil-sensor (20141004-0ubuntu0securityonion9) ...
* Reloading AppArmor profiles [100G Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd

[94G[ OK ]
* If running any sensor processes, please restart them by running the following:
sudo nsm_sensor_ps-restart
* OR restart all NSM processes by running the following:
sudo service nsm restart
Setting up securityonion-daq (2.0.4-0ubuntu0securityonion2) ...
Setting up securityonion-pfring-daq (20121107-0ubuntu0securityonion9) ...
Setting up securityonion-snort (2.9.7.2-0ubuntu0securityonion2) ...
touch: cannot touch `/etc/nsm/rules/white_list.rules': No such file or directory
dpkg: error processing securityonion-snort (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up securityonion-sostat (20120722-0ubuntu0securityonion34) ...
Setting up securityonion-suricata (2.0.8-0ubuntu0securityonion1) ...
dpkg: dependency problems prevent configuration of securityonion-sensor:
securityonion-sensor depends on securityonion-snort; however:
Package securityonion-snort is not configured yet.
dpkg: error processing securityonion-sensor (--configure):
dependency problems - leaving unconfigured
Setting up securityonion-capme (20121213-0ubuntu0securityonion20) ...

[Doug Burks]

Hi andrisas,

I was able to duplicate your issue and it looks like the
/etc/nsm/rules/ directory is not being created before the
securityonion-snort package tries to create files in that directory.
I know this worked properly recently, so something might have changed
relating to the order in which packages are installing.

In any case, I was able to resolve it by simply running the command
again ("sudo apt-get -y install securityonion-all"). At that point,
/etc/nsm/rules/ exists and the files can be created.

You could also avoid this issue by running the following command
before installing securityonion-all:
sudo mkdir -p /etc/nsm/rules/

I'm going to update the securityonion-snort package to do this
automatically and also check for error conditions like this.

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

[Doug Burks]

securityonion-snort - 2.9.7.3-0ubuntu0securityonion3 is copying to our
testing PPA now if you'd like to test it out:
https://groups.google.com/d/topic/security-onion-testing/OoxThouUYoU/discussion

[and]

Hi Doug,

Thanks for fast respond and help (that helped).

However, I have another issue: after sensor (server configuration seems ok, no any messages) configuration i get messages:

sed: can't read /etc/nsm/xxx-ethx/suricata.yaml: No such file or directory

grep: /etc/nsm/template/suricata/classification.config: No such file or directory
grep: /etc/nsm/template/suricata/reference.config: No such file or directory

[Kevin Branch]

I am experiencing the same thing on a fresh install of SO-stable onto a newly installed Ubuntu 12.04 Server.  First the phase 2 sosetup process was derailed by securityonion-snort and then when I switched over to securityonion-test and reran the install, sosetup got past securityonion-snort just fine but later barked about a missing suricata.yaml file.  This appears to trace back to this part of my sosetup.log file:

# Please wait while creating Sguil sensor: Bulwark-bond0...

Creating new sensor: Bulwark-bond0

cp: cannot stat `/etc/nsm/templates/suricata/suricata.yaml.in': No such file or directory

In fact, the entire suricata directory under /etc/nsm/templates/ is missing.  It appears this suricata.yaml.in file is a template used for generating the suricata.yaml file for each sensor.

Could this be a problem with securityonion-suricata?  I don't know which package is responsible for populating /etc/nsm/templates/suricata/

I'm going to try copying that directory from another working SO system tomorrow and hope to find it a successful workaround while this is being sorted through.

Kevin

[Doug Burks]

Thanks for the bug reports!

securityonion-suricata - 2.0.8-0ubuntu0securityonion1 is missing the
debian/install file that creates /etc/nsm/rules/ (this is the root
cause of the first symptom in this thread) and copies the files to
/etc/nsm/templates/. I've created Issue 742 for this:
https://github.com/Security-Onion-Solutions/security-onion/issues/742

[Doug Burks]

securityonion-suricata - 2.0.8-0ubuntu0securityonion2 is copying to
ppa:securityonion/test now.

[Doug Burks]

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/2AcKp-B_cC0/discussion

[Doug Burks]

The new Suricata package is copying to the stable PPA now:
http://blog.securityonion.net/2015/06/new-securityonion-suricata-package.html