
Conversation

@PrajeetGuha (Collaborator) commented Apr 23, 2025

Closes: #1314

@Ana06 (Member) left a comment

@PrajeetGuha as we need this change for Suricata, I think we should add the package in the same PR (if you wish in a different commit) so that we can test them together.

You need to rebase to solve the conflict with the package version.

@PrajeetGuha PrajeetGuha deleted the update-common branch April 24, 2025 18:12
@PrajeetGuha PrajeetGuha restored the update-common branch April 24, 2025 18:13
@PrajeetGuha PrajeetGuha reopened this Apr 24, 2025
@PrajeetGuha PrajeetGuha marked this pull request as draft April 24, 2025 18:23
@PrajeetGuha PrajeetGuha self-assigned this Apr 24, 2025
@PrajeetGuha PrajeetGuha added the 🆕 package New package request/idea/PR label Apr 24, 2025
@PrajeetGuha PrajeetGuha changed the title from "relax application installation check" to "Suricate Package Addition" Apr 24, 2025
@Ana06 (Member) left a comment

@PrajeetGuha I see some activity in the PR, but I do not see the new package. @PrajeetGuha have you maybe forgotten to push the changes? 🤔 Let me know if you need help with anything.

@PrajeetGuha (Collaborator, Author) commented May 1, 2025

For the package to work, I had to install powershell-yaml module from Powershell Gallery for reading and editing the suricata.yaml of the tool. Can you provide me with details regarding where to put such installation code in the project?

Install-Module -Name powershell-yaml

The github action workflow will fail due to absence of the powershell module.

@PrajeetGuha (Collaborator, Author) commented

[screenshot]
Just a heads up! While reading the documentation, I came across this part where category selection is mentioned with a variable which we used to use previously. Might need changes to it. 🫡

@PrajeetGuha (Collaborator, Author) commented May 3, 2025

[screenshot]
With the common.psm change, Suricata as an app is identified, but due to the absence of the installer cache folder, the icon is not found.
I tested bindiff after the common.psm changes and it looks like it is working without any issues.

@PrajeetGuha PrajeetGuha marked this pull request as ready for review May 3, 2025 15:54
@PrajeetGuha PrajeetGuha requested a review from Ana06 May 3, 2025 15:54
@Ana06 (Member) commented May 5, 2025

@PrajeetGuha

Just a heads up! While reading the documentation, I came across this part where category selection is mentioned with a variable which we used to use previously. Might need changes to it. 🫡

I have just updated the wiki, thanks for bringing it up!

@Ana06 (Member) left a comment

Thanks for all the work @PrajeetGuha! 💐

All code that could fail needs to be inside a try-catch with a VM-Write-Log-Exception $_ to better handle exceptions. It is always good to have new people contributing to the project, as we notice where we are lacking documentation. I have just documented the try-catch in https://github.com/mandiant/VM-Packages/wiki/Coding-Conventions. 😉
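An added example (not code from this PR or from the VM-Packages project) covering the two points raised in this thread: installing the powershell-yaml module only when it is missing and editing suricata.yaml with it (the May 1 comment), with every fallible step inside the single try/catch that logs through VM-Write-Log-Exception $_, as this review asks. VM-Write-Log-Exception is the name given above; VM-Write-Log, the install directory under Program Files, and the two settings changed (default-log-dir and HOME_NET) are assumptions made for the illustration.

```powershell
# Added example, not the package's code. Assumed names: VM-Write-Log (plain logger),
# $toolDir (install location), and the two suricata.yaml keys edited below.
$ErrorActionPreference = 'Stop'

try {
    $toolDir    = Join-Path ${Env:ProgramFiles} 'Suricata'   # assumed install location
    $configPath = Join-Path $toolDir 'suricata.yaml'
    $logDir     = Join-Path $toolDir 'log'

    # powershell-yaml is a PowerShell Gallery module, so it is absent on a fresh VM and
    # in CI. Install it only when missing, per user, and with -Force so the untrusted
    # repository / NuGet provider prompts do not block an unattended run.
    if (-not (Get-Module -ListAvailable -Name powershell-yaml)) {
        Install-Module -Name powershell-yaml -Scope CurrentUser -Force -AllowClobber
    }
    Import-Module powershell-yaml

    # Keep the vendor file before rewriting it.
    Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force

    # -Ordered keeps the key order of the original file so the rewritten config
    # stays readable for the analyst. ConvertTo-Yaml does not emit the leading
    # "%YAML 1.1" directive that suricata.yaml ships with, so it is re-added on write.
    $config = ConvertFrom-Yaml -Ordered (Get-Content -Raw -LiteralPath $configPath)

    $config['default-log-dir'] = $logDir
    $config['vars']['address-groups']['HOME_NET'] = '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'

    New-Item -ItemType Directory -Force -Path $logDir | Out-Null
    $yaml = "%YAML 1.1`n---`n" + (ConvertTo-Yaml $config)
    Set-Content -LiteralPath $configPath -Value $yaml -Encoding UTF8

    VM-Write-Log 'INFO' "Updated $configPath"
} catch {
    VM-Write-Log-Exception $_
}
```

The guard around Install-Module is what keeps the workflow from failing when the module is absent, while avoiding a network fetch on a machine that already has it; the backup copy is there so a bad edit can be diffed against the file Suricata shipped.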

@PrajeetGuha (Collaborator, Author) commented May 7, 2025

Thanks for all the work @PrajeetGuha! 💐

All code that could fail needs to be inside a try-catch with a VM-Write-Log-Exception $_ to better handle exceptions. It is always good to have new people contributing to the project, as we notice where we are lacking documentation. I have just documented the try-catch in https://github.com/mandiant/VM-Packages/wiki/Coding-Conventions. 😉

Thanks!! Will check and add exceptions wherever necessary after the code is working as expected and is approved. 🫡

@PrajeetGuha PrajeetGuha requested a review from Ana06 May 7, 2025 16:39
@Ana06 (Member) commented May 8, 2025

@PrajeetGuha

Will check and add exceptions wherever necessary after the code is working as expected and is approved.

This should be easy to address. Normally all packages have just a single try-catch with most of the code inside 😉 Let me know if what I mean is not clear.

@PrajeetGuha PrajeetGuha force-pushed the update-common branch 3 times, most recently from 900bbe9 to 13f9f60 Compare May 12, 2025 05:27
@Ana06 (Member) left a comment

I have reviewed the code, but I haven't been able to test the changes locally, as it seems there are issues with the feed (hopefully they resolve on their own soon as I think FLARE-VM/Commando VM are also broken because of this):
[screenshot]

Param(
[Parameter(Mandatory=$true, Position=0)]
[ValidateSet("INFO","WARN","ERROR")]
[ValidateSet("INFO","WARN","ERROR","FATAL")]
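Review bot: widening the ValidateSet to include "FATAL" is the right fix here, because the function body already branches on `$level -eq "FATAL"` while the validator rejected that value before the body ran, so any FATAL call failed with a parameter-binding error instead of being logged; since this touches common code rather than the new package, keep it in its own commit with a message that says so.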
Member:

I do not understand this change. 😕 Can you please explain to me why this is needed @PrajeetGuha?

Collaborator Author:

if (($level -eq "ERROR") -Or ($level -eq "FATAL")) {

has $level=FATAL but the ValidateSet does not have it. This change is not related to this package implementation though.

Member:

[nitpick] It is a good practice to not commit unrelated changes in the same commit. But I see why this is an enhancement now. 😉

@PrajeetGuha PrajeetGuha requested a review from Ana06 May 14, 2025 04:28
@Ana06 (Member) commented May 15, 2025

Google CLA test doesn't like my personal email as co-author. I think using [email protected] should be ok. I am also fine removing the co-author.

@PrajeetGuha did you add this manually or was it the GH interface? I would like to try to configure the email if it was the GH interface.

@PrajeetGuha (Collaborator, Author) commented

Google CLA test doesn't like my personal email as co-author. I think using [email protected] should be ok. I am also fine removing the co-author.

@PrajeetGuha did you add this manually or was it the GH interface? I would like to try to configure the email if it was the GH interface.

It is the GH interface. I think it will not be a problem when I squash and rebase the code after the final review. Let me know if any changes are required.

@Ana06 (Member) left a comment

@PrajeetGuha so sorry for the late response, I had completely missed that you had made the changes 🙈

I have just tested locally and the suricata icon seems to be broken:
[screenshot]


@Ana06 Ana06 added this to the FLARE-VM 2025 Q4-P1 milestone Jul 31, 2025
@PrajeetGuha (Collaborator, Author) commented Aug 20, 2025

@PrajeetGuha so sorry for the late response, I had completely missed that you had made the changes 🙈

It's fine 🫡

I have just tested locally and the suricata icon seems to be broken

Unfortunately with the present implementation, the installer cache was not found so no icon is attached to it. 😢 I have no alternative in mind to make it work.
#1375 (comment)

@Ana06 (Member) commented Aug 20, 2025

@PrajeetGuha thanks for the answer, I had misunderstood that previous commit. @emtuls any ideas to find the icon? or should we merge it as it is (it needs a rebase)?

@Ana06 Ana06 requested a review from emtuls August 20, 2025 08:12
@emtuls (Member) commented Aug 20, 2025

We can grab the icon programmatically through a few ways, but the one I found to be easiest for me is to grab it from after it installs in this directory: %appData%\Microsoft\Installer\{GUID}

There you will find suricata.ico

We can obtain the GUID prior to installation with a small piece of code. For example (if we want to make this into a function):

function Get-MsiProductCode {
    param (
        [string]$msiFile
    )
    # PowerShell's COM adapter cannot bind the WindowsInstaller.Installer methods by
    # name, so each call goes through InvokeMember on the object's type.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $database = $installer.GetType().InvokeMember("OpenDatabase", "InvokeMethod", $null, $installer, @((Resolve-Path $msiFile).Path, 0))
    $query = 'SELECT `Value` FROM `Property` WHERE `Property`=''ProductCode'''
    $view = $database.GetType().InvokeMember("OpenView", "InvokeMethod", $null, $database, @($query))
    $view.GetType().InvokeMember("Execute", "InvokeMethod", $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember("Fetch", "InvokeMethod", $null, $view, $null)
    $view.GetType().InvokeMember("Close", "InvokeMethod", $null, $view, $null) | Out-Null
    if ($null -eq $record) { return $null }   # no ProductCode row in the Property table
    return $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, @(1))
}
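An added example (not the project's code) that continues the comment above: given the ProductCode read from the MSI, resolve the icon that Windows Installer caches under %AppData%\Microsoft\Installer\{GUID}. The function name, the GUID validation, the fallback to any .ico in that folder, and the usage paths are assumptions for the illustration; suricata.ico is the file name reported above.

```powershell
# Added example, not the package's code. Assumes the ProductCode was obtained
# beforehand (for instance with Get-MsiProductCode as shown in the comment above).
function Get-MsiCachedIcon {
    param (
        [Parameter(Mandatory=$true)]
        # A ProductCode is a braced GUID, e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX};
        # validating it here keeps a malformed value from being joined into a path.
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$ProductCode,
        [string]$IconName = 'suricata.ico'   # name reported in the comment above
    )
    # The cache is per user: Windows Installer writes it into the Roaming AppData of
    # the account that ran the MSI, so this lookup must run as that same user.
    $cacheDir = Join-Path $env:APPDATA "Microsoft\Installer\$ProductCode"
    if (-not (Test-Path -LiteralPath $cacheDir)) {
        return $null   # not installed by this user, or the cache was not created
    }
    $icon = Join-Path $cacheDir $IconName
    if (Test-Path -LiteralPath $icon) { return $icon }
    # Fall back to whatever .ico the installer left in the folder.
    $any = Get-ChildItem -LiteralPath $cacheDir -Filter '*.ico' -File | Select-Object -First 1
    if ($any) { return $any.FullName }
    return $null
}

# Usage (assumed paths), run only after the MSI install has completed:
# $productCode = Get-MsiProductCode 'C:\path\to\Suricata.msi'
# $iconPath    = Get-MsiCachedIcon -ProductCode $productCode
```

Because the directory only exists once the MSI has run for the current account, call this after the install returns; when it yields $null the package can create the shortcut without an icon rather than fail the whole installation.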


Labels: 🆕 package New package request/idea/PR

Linked issue: Add Suricata package for installation into the FLARE-VM

4 participants