SO installation problem

Jun 4, 2015, 6:43:39 AM

I tried to install SO ( and got errors during installation (step 13):

Setting up securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) ...
/etc/nsm/ossec/ossec_agent.conf does not exist, copying.
Setting up securityonion-sguil-sensor (20141004-0ubuntu0securityonion9) ...
* Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
[ OK ]
* If running any sensor processes, please restart them by running the following:
sudo nsm_sensor_ps-restart
* OR restart all NSM processes by running the following:
sudo service nsm restart
Setting up securityonion-daq (2.0.4-0ubuntu0securityonion2) ...
Setting up securityonion-pfring-daq (20121107-0ubuntu0securityonion9) ...
Setting up securityonion-snort ( ...
touch: cannot touch `/etc/nsm/rules/white_list.rules': No such file or directory
dpkg: error processing securityonion-snort (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up securityonion-sostat (20120722-0ubuntu0securityonion34) ...
Setting up securityonion-suricata (2.0.8-0ubuntu0securityonion1) ...
dpkg: dependency problems prevent configuration of securityonion-sensor:
securityonion-sensor depends on securityonion-snort; however:
Package securityonion-snort is not configured yet.
dpkg: error processing securityonion-sensor (--configure):
dependency problems - leaving unconfigured
Setting up securityonion-capme (20121213-0ubuntu0securityonion20) ...

Doug Burks

Jun 4, 2015, 7:14:21 AM
Hi andrisas,

I was able to duplicate your issue and it looks like the
/etc/nsm/rules/ directory is not being created before the
securityonion-snort package tries to create files in that directory.
I know this worked properly recently, so something might have changed
relating to the order in which packages are installing.

In any case, I was able to resolve it by simply running the command
again ("sudo apt-get -y install securityonion-all"). At that point,
/etc/nsm/rules/ exists and the files can be created.

You could also avoid this issue by running the following command
before installing securityonion-all:
sudo mkdir -p /etc/nsm/rules/

I'm going to update the securityonion-snort package to do this
automatically and also check for error conditions like this.
Doug Burks
Need Security Onion Training or Commercial Support?
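
A triage sketch for install output like the log in the first post, added here as an example and not part of the original thread: it separates the package whose own post-installation script failed from the packages dpkg only left unconfigured because of it. The function names and the sample log (constructed from lines quoted above) are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample: dpkg lines quoted in the first post of this thread.
sample_log() {
cat <<'EOF'
Setting up securityonion-snort ( ...
touch: cannot touch `/etc/nsm/rules/white_list.rules': No such file or directory
dpkg: error processing securityonion-snort (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up securityonion-sostat (20120722-0ubuntu0securityonion34) ...
dpkg: dependency problems prevent configuration of securityonion-sensor:
securityonion-sensor depends on securityonion-snort; however:
Package securityonion-snort is not configured yet.
dpkg: error processing securityonion-sensor (--configure):
dependency problems - leaving unconfigured
EOF
}

# Read apt/dpkg output on stdin and print "<package> <cause>" for every
# package dpkg failed to configure. cause is one of:
#   postinst    the package's own maintainer script failed (a root cause)
#   dependency  left unconfigured because another package failed
#   other       anything else
triage_dpkg_log() {
    awk '
        /^dpkg: error processing / {
            pkg = $4
            # Newer dpkg prints "error processing package <name> ..."
            if (pkg == "package") pkg = $5
            reason = ""
            getline reason          # the cause is on the following line
            if (reason ~ /post-installation script returned error/)
                print pkg, "postinst"
            else if (reason ~ /dependency problems/)
                print pkg, "dependency"
            else
                print pkg, "other"
        }
    '
}

# Only the packages whose own post-installation script failed.
root_causes() {
    triage_dpkg_log | awk '$2 == "postinst" { print $1 }'
}

sample_log | triage_dpkg_log
```

Fixing the packages reported as postinst first is usually enough for the dependency entries to configure on the next apt-get run, which matches the behaviour described in the reply above.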

Doug Burks

Jun 4, 2015, 7:50:15 AM
securityonion-snort - is copying to our
testing PPA now if you'd like to test it out:


Jun 4, 2015, 10:11:57 AM

Hi Doug,

Thanks for the fast response and help (that helped).

However, I have another issue: after sensor configuration (server configuration seems OK, with no messages) I get these messages:

sed: can't read /etc/nsm/xxx-ethx/suricata.yaml: No such file or directory

grep: /etc/nsm/template/suricata/classification.config: No such file or directory
grep: /etc/nsm/template/suricata/reference.config: No such file or directory

Kevin Branch

Jun 4, 2015, 10:27:26 PM
I am experiencing the same thing on a fresh install of SO-stable onto a newly installed Ubuntu 12.04 Server.  First the phase 2 sosetup process was derailed by securityonion-snort and then when I switched over to securityonion-test and reran the install, sosetup got past securityonion-snort just fine but later barked about a missing suricata.yaml file.  This appears to trace back to this part of my sosetup.log file:

# Please wait while creating Sguil sensor: Bulwark-bond0...
Creating new sensor: Bulwark-bond0
cp: cannot stat `/etc/nsm/templates/suricata/': No such file or directory

In fact, the entire suricata directory under /etc/nsm/templates/ is missing.  It appears this file is a template used for generating the suricata.yaml file for each sensor.

Could this be a problem with securityonion-suricata?  I don't know which package is responsible for populating /etc/nsm/templates/suricata/

I'm going to try copying that directory from another working SO system tomorrow and hope to find it a successful workaround while this is being sorted through.


Doug Burks

Jun 5, 2015, 5:05:24 AM
Thanks for the bug reports!

securityonion-suricata - 2.0.8-0ubuntu0securityonion1 is missing the
debian/install file that creates /etc/nsm/rules/ (this is the root
cause of the first symptom in this thread) and copies the files to
/etc/nsm/templates/. I've created Issue 742 for this:

Doug Burks

Jun 5, 2015, 6:03:49 AM
securityonion-suricata - 2.0.8-0ubuntu0securityonion2 is copying to
ppa:securityonion/test now.

Doug Burks

Jun 5, 2015, 6:09:51 AM

Doug Burks

Jun 8, 2015, 9:29:45 AM
The new Suricata package is copying to the stable PPA now: