Netgate Discussion Forum

    Suricata Rule Set Update Fails

      4o4rh

      Since upgrading to 2.5.0 / 2.5.1 my rule set fails on every auto update, but as soon as I click the update button, it updates no problems.

        bmeeks @4o4rh

        @gwaitsi said in Suricata Rule Set Update Fails:

        Since upgrading to 2.5.0 / 2.5.1 my rule set fails on every auto update, but as soon as I click the update button, it updates no problems.

        Need a bit more info. Which rule set is failing? Is it Snort Subscriber Rules, Emerging Threats Open, Emerging Threats Pro, or Snort Community GPLv2 rules?

        If Snort Subscriber Rules, which version are you trying to download? The Snort team deprecates older rule versions as newer versions of Snort are released. In that case, you have to change the filename of the Snort rules in Suricata on the GLOBAL SETTINGS tab to make sure you are downloading a currently available rules package.

        Go check out this Sticky Post at the top of this sub-forum: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated.

          4o4rh @bmeeks

          @bmeeks
          I mean from the main menu. I am using snortrules-snapshot-29170.tar.gz

          Rule Set Name/Publisher 
          Emerging Threats Open Rules 	
          Snort Subscriber Rules
          Snort GPLv2 Community Rule
          
          UPDATE YOUR RULE SET
          Last Update: May-28 2021 00:00
          Result: failed
          

          Above is the result from the midnight refresh, below is from pressing the update now

          UPDATE YOUR RULE SET
          
          Last Update: May-28 2021 06:53
          Result: success
          
            bmeeks

            I would recommend changing the time of your nightly check to an odd number of minutes past midnight. There have been instances in the past where boxes attempting an update at exactly midnight would collide with the changeout of the rules files on the servers, and that would cause an update failure. Simply changing the check time to a different minute, or even hour, value might help.

            Also note that the Snort GPLv2 Community Rules have been accidentally removed, and then added back, by the Snort team at least twice in recent months. You still did not tell me which exact rule set failed to update. Was it all of them, or just one? You can tell by opening up and looking at the update log. Do this by clicking the button on the bottom of the UPDATES tab. That log file will also tell you why the update failed for a particular rule set.

              4o4rh @bmeeks

              @bmeeks I changed the time to 00:18, but also upgraded to 2.60 dev tree. Problem is solved, but not sure if changing the time or upgrading was the reason.

                fireodo @4o4rh

                @gwaitsi said in Suricata Rule Set Update Fails:

                Problem is solved, but not sure if changing the time or upgrading was the reason.

                😀 Old school rule: change only one thing at a time ... 😁
                have a fine weekend,
                fireodo

                Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                pfsense 2.7.2 CE
                Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                  bmeeks @4o4rh

                  @gwaitsi said in Suricata Rule Set Update Fails:

                  @bmeeks I changed the time to 00:18, but also upgraded to 2.60 dev tree. Problem is solved, but not sure if changing the time or upgrading was the reason.

                  My guess is changing the time was the solution. Currently, the Suricata package is the same on both the 2.5.x and 2.6.x pfSense branches.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.