I'm running into problems connecting Suricata and Telegraf through a unix_stream socket:
Host: Ubuntu 20.04
Docker: SURICATA_VERSION=6.0.6
Docker: INFLUXDB_VERSION=2.1.1
Docker: TELEGRAF_VERSION=1.21

Suricata config:
- eve-log:
    enabled: yes
    filetype: unix_stream
    filename: /var/run/suricata/suricata-command.socket
    types:
      - stats:
          totals: no       # stats for all threads merged together
          threads: yes     # per thread stats

Telegraf config:
# Suricata stats and alerts plugin
[[inputs.suricata]]
## Data sink for Suricata stats and alerts logs
# This is expected to be a filename of a
# unix socket to be created for listening.
source = "/tmp/suricata-command.socket"
# Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
# becomes "detect_alert" when delimiter is "_".
delimiter = "_"
## Detect alert logs
# alerts = false

Error shown in the Suricata container log:
25/7/2022 -- 09:56:27 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Write error on Unix socket "/var/run/suricata/suricata-command.socket": Broken pipe; reconnecting...
25/7/2022 -- 09:56:27 - <Notice> - Reconnected socket "/var/run/suricata/suricata-command.socket"
25/7/2022 -- 09:56:27 - <Info> - Command server: client message is too long, disconnect him.

Posted on 2022-08-03 12:33:00
Deploying the containers in order solved this problem, because of how the socket between Suricata and Telegraf is created.
The correct deployment order is InfluxDB, Telegraf and then Suricata.
The permissions granted to the socket should also be taken into account.
The GitHub repository below documents the whole process that was followed. I have also included the troubleshooting that was done.
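As an added example (not code from the question or the answer above), a minimal Python stand-in for the Telegraf listener shows why the start order matters: the side that reads the unix_stream socket must create it and be listening before Suricata starts, because Suricata's eve-log output only connects to an existing socket. It also flattens the nested `stats` counters with the `_` delimiter, as the `inputs.suricata` config above describes. The socket path under a temp directory and the counter values are constructed for the demo.

```python
import json
import socket
import tempfile
import threading

DELIMITER = "_"  # same role as `delimiter = "_"` in inputs.suricata


def flatten(obj, prefix="", delimiter=DELIMITER):
    """{"detect": {"alert": 3}} -> {"detect_alert": 3}, as Telegraf flattens stats."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        out.update(flatten(val, name, delimiter) if isinstance(val, dict) else {name: val})
    return out

def listen_for_eve(path, ready, max_records=1):
    """Telegraf side: create the socket, accept Suricata's eve-log client, keep stats."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)  # the listener creates the file; Suricata only connects to it
    srv.listen(1)
    ready.set()  # from here on a client can connect; before this it is refused
    records, buf = [], b""
    conn, _ = srv.accept()
    with srv, conn:
        while len(records) < max_records:
            chunk = conn.recv(4096)
            if not chunk:  # client closed; EVE output is newline-delimited JSON
                break
            buf += chunk
            while b"\n" in buf and len(records) < max_records:
                line, buf = buf.split(b"\n", 1)
                event = json.loads(line)
                if event.get("event_type") == "stats":
                    records.append(flatten(event["stats"]))
    return records

def demo_roundtrip():
    """Fake Suricata client sends one constructed stats record after the listener is ready."""
    path = tempfile.mkdtemp() + "/suricata-command.socket"  # constructed path
    ready, result = threading.Event(), []
    t = threading.Thread(target=lambda: result.extend(listen_for_eve(path, ready)))
    t.start()
    ready.wait(5)  # start the writer last, as the answer says
    sample = {"event_type": "stats", "stats": {"capture": {"kernel_packets": 9198, "kernel_drops": 0},
                                               "detect": {"alert": 3}}}  # constructed values
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        client.sendall((json.dumps(sample) + "\n").encode())
    t.join(5)
    return result
```

Pointing a listener like this at the path in `eve-log.filename` and watching whether records arrive tells you whether Suricata is actually writing to that socket, separately from whether Telegraf is consuming it.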
Posted on 2022-07-26 06:11:17
Update: the socket problem was solved by sharing a volume between the containers:
Suricata service configuration:
suricata:
  image: jasonish/suricata:${SURICATA_VERSION}
  container_name: suricata
  #user: root
  #profiles: ["suricata"]
  restart: on-failure
  depends_on:
    - telegraf
  env_file:
    - './suricata/env.suricata'
  network_mode: "host"
  cap_add:
    - NET_ADMIN
    - SYS_NICE
    - NET_RAW
  volumes:
    - ./suricata/suricata.yaml:/etc/suricata/suricata.yaml
    - ./suricata/log:/var/log/suricata
    - ./suricata/rules:/var/lib/suricata/rules
    - /var/run/shared:/var/run/suricata/

Telegraf service configuration:
telegraf:
  container_name: telegraf
  image: telegraf:${TELEGRAF_VERSION}
  user: root
  #profiles: ["telegraf"]
  networks:
    - influx
  ports:
    - 8125:8125/udp
  healthcheck:
    test: ["CMD", "curl", "-f", "http://localhost:8086/ping"]
    interval: 10s
    timeout: 10s
    retries: 5
  restart: always
  depends_on:
    - influxdb
  env_file:
    - ./telegraf/telegraf.env
  volumes:
    - ./telegraf/telegraf.conf:/etc/telegraf/telegraf.conf:ro
    - /var/run/shared:/var/run/

The socket as seen on the host (shared volume):
ubuntu@ip-172-31-31-38:~/composer-suri-tele-infl-graf$ ls -la /var/run/shared/
total 0
drwxrwxrwx 2 lxd 996 60 Jul 25 21:21 .
drwxr-xr-x 29 root root 1060 Jul 25 20:53 ..
srw-rw---- 1 lxd 996 0 Jul 25 21:21 suricata-command.socket
ubuntu@ip-172-31-31-38:~/composer-suri-tele-infl-graf$

Testing the socket with the suricatasc tool inside the Suricata container:
[root@ip-172-31-31-38 /]# suricatasc
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>> version
Success:
"6.0.6 RELEASE"
>>> capture-mode
Success:
"AF_PACKET_DEV"
>>> iface-list
Success:
{
  "count": 1,
  "ifaces": [
    "eth0"
  ]
}
>>> iface-stat eth0
Success:
{
  "bypassed": 0,
  "drop": 0,
  "invalid-checksums": 0,
  "pkts": 9198
}
>>>

However, I still don't see Suricata metrics coming in:

Any suggestions?
Posted on 2022-07-26 06:58:47
Update. To test the socket, I installed the https://github.com/OISF/suricata/tree/master/python/suricata/sc tool in the telegraf container:
root@dd39f97b4f3f:/suricata/python# suricatasc
Unable to connect to socket @e_localstatedir@/suricata-command.socket: [Errno 2] No such file or directory
root@dd39f97b4f3f:/suricata/python# suricatasc /var/run/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>> iface-list
Success:
{
  "count": 1,
  "ifaces": [
    "eth0"
  ]
}
>>> iface-stat eth0
Success:
{
  "bypassed": 0,
  "drop": 11284,
  "invalid-checksums": 2,
  "pkts": 183099
}

https://stackoverflow.com/questions/73107850