Suricata ETOpen rules failing to update
-
Hello all,
This is an older implementation of pfSense and Suricata running on a Netgate SG-3100 box.
pfSense version: 2.4.4-RELEASE-p3 (arm)
Suricata version: 4.1.7_2
This firewall has been working flawlessly for years but recently has been producing a lot of false alerts/blocks in Suricata during basic internet usage. I have noticed that the ETOpen rules in Suricata have not been updating since early October. Here is the log:
Starting rules update... Time: 2025-11-02 08:16:16
Downloading Emerging Threats Open rules md5 file...
Emerging Threats Open rules md5 download failed.
Server returned error code 410.
Server error message was: 410 Gone
Emerging Threats Open rules will not be updated.
The Rules update has finished. Time: 2025-11-02 08:16:17
Is there any solution to this without going through a risky/painful upgrade to the entire firewall OS and packages?
Thanks for any help,
Nate
-
Emerging Threats creates Suricata rules packages for specific versions of the Suricata binary. If you are running the 4.1 package, that is way out of date on the binary as Suricata is now at version 7.0.11 on pfSense and 8.0 for upstream.
The error message tells you what the problem is: "410 Gone". That means the URL is now invalid, and I'm not surprised as the Emerging Threats team has probably finally dropped support for that Suricata version that has been EOL for a few years.
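Added example, not code from the thread, pfSense or Suricata: a small Python check that parses the rules-update log quoted above, splits it into update runs, records the HTTP status of a failed download, and flags the rule set as stale when the last successful run is older than a threshold. This is the kind of check that would have caught the silent failure weeks earlier. The failed run in the sample copies the lines from the thread; the earlier successful run, the staleness threshold and the status-code wording are assumptions.

```python
"""Detect stale Suricata ET Open rule updates from a pfSense rules-update log."""
import re
from datetime import datetime

# Constructed sample log. The failed run copies the lines quoted in the thread;
# the earlier successful run is an assumed shape (no failure lines between
# "Starting" and "finished"), since the thread shows only the failing case.
SAMPLE_LOG = """\
Starting rules update... Time: 2025-10-03 08:16:10
Downloading Emerging Threats Open rules md5 file...
The Rules update has finished. Time: 2025-10-03 08:16:11
Starting rules update... Time: 2025-11-02 08:16:16
Downloading Emerging Threats Open rules md5 file...
Emerging Threats Open rules md5 download failed.
Server returned error code 410.
Server error message was: 410 Gone
Emerging Threats Open rules will not be updated.
The Rules update has finished. Time: 2025-11-02 08:16:17
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
START_RE = re.compile(r"^Starting rules update\.\.\. Time: " + TS + "$")
FINISH_RE = re.compile(r"^The Rules update has finished\. Time: " + TS + "$")
STATUS_RE = re.compile(r"^Server returned error code (\d{3})\.$")
MSG_RE = re.compile(r"^Server error message was: (.*)$")
FAIL_RE = re.compile(r"(download failed\.|will not be updated\.)$")


def parse_runs(log_text):
    """Split the log into update runs; each run records timestamps and any failure."""
    runs, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := START_RE.match(line):
            current = {"started": datetime.strptime(m.group(1), TS_FMT), "finished": None,
                       "failed": False, "http_status": None, "message": None}
            runs.append(current)
        elif current is None:
            continue  # lines before the first "Starting" marker are ignored
        elif m := FINISH_RE.match(line):
            current["finished"] = datetime.strptime(m.group(1), TS_FMT)
            current = None
        elif m := STATUS_RE.match(line):
            current["http_status"] = int(m.group(1))
            current["failed"] = True
        elif m := MSG_RE.match(line):
            current["message"] = m.group(1)
        elif FAIL_RE.search(line):
            current["failed"] = True
    return runs


def classify_http_status(code):
    """Defender-oriented reading of the HTTP status returned by the rules server (assumed wording)."""
    if code == 410:
        return "gone: rules for this Suricata version are no longer published; retrying will not help"
    if code == 404:
        return "not found: check the rules URL configured for this Suricata version"
    if 500 <= code <= 599:
        return "server-side error: likely transient, retry later"
    return "unexpected status %d" % code


def assess(log_text, now, max_age_days=7):
    """Report the last success, the last failure's HTTP status, and whether rules are stale."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    runs = parse_runs(log_text)
    successes = [r for r in runs if not r["failed"] and r["finished"] is not None]
    failures = [r for r in runs if r["failed"]]
    last_ok = successes[-1]["finished"] if successes else None
    days = (now - last_ok).days if last_ok else None
    last_fail = failures[-1] if failures else None
    code = last_fail["http_status"] if last_fail else None
    return {
        "last_success": last_ok,
        "days_since_success": days,
        "stale": days is None or days > max_age_days,
        "last_failure_http_status": code,
        "diagnosis": classify_http_status(code) if code else None,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG, now="2025-11-03 00:00:00").items():
        print("%-26s %s" % (key, value))
```

A successful run is taken to be one with no failure lines between its "Starting" and "finished" markers, so the check does not depend on the exact wording pfSense prints on success. Any run that ends in a 410 is reported as a permanent condition rather than something to retry, which is the distinction that matters when deciding between a URL change and a platform upgrade.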
-
@bmeeks
This makes sense. I was able to tweak with it some and inserted a custom url for the Suricata v5.0 rules files and it seems like it was able to pull a usable update? What do you think? Will this work ok for now?
Thank you!
-
@RedDelPaPa said in Suricata ETOpen rules failing to update:
@bmeeks
This makes sense. I was able to tweak with it some and inserted a custom url for the Suricata v5.0 rules files and it seems like it was able to pull a usable update? What do you think? Will this work ok for now?
Thank you!
Should be okay so long as the v5 rules don't contain any syntax that is too "new" for the older 4.x Suricata binary on your system. The SG-3100 has a 32-bit ARM CPU which is basically obsolete. Suricata from version 5.x on moved critical pieces of code over to Rust from pure C. There is no "buildable" Rust library for 32-bit ARM chips, hence Suricata on the SG-3100 is stuck on an old and EOL (end-of-life) version. In my opinion, it's time to retire that hardware and move to a modern 64-bit Intel platform.
-
@bmeeks
Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.