Suricata not downloading Maxmind Database
-
I added a fresh maxmind lic key to suricata, however on the maxmind side it shows that this key has never been used. I've restarted Suricata, manually ran updates, and also waited a few days to see if something kicks in. So far Suricata has yet to download the maxmind database. I also added a key for NTOP, that worked just fine.
-
Can anyone confirm or deny the maxmind integration works?
-
2025-04-18 06:00:01.627992 php-cgi 11804 [Suricata] Cleaning up temp files after GeoLite2-Country database update.
2025-04-18 06:00:01.627918 php-cgi 11804 [Suricata] The GeoLite2-Country IP database is up-to-date.
2025-04-18 06:00:00.348391 php-cgi 11804 [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
-
@ngr2001 You can confirm the update task from Services / Cron / Settings. I see the command
/usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php
scheduled for every day @ 6:00 AM.
-
So when I ran the above command, pfsense / suricata 100% reached out to maxmind and downloaded the newest database; see evidence below. The question is, why did it not automatically download? My updates are set to daily in the GUI, I will keep an eye on it and see if it starts working now. What's the best way to validate the Cron Job?
-
I installed the Cron package, and noticed this, it looks like out of the box the cron job was set to only update on the 8th of the month. That seems really odd to me, I am going to manually adjust.
-
@ngr2001 IIRC MaxMind only updates its data monthly? Arguably Suricata should update once initially, though.
FWIW we do geo via pfBlocker.
-
Makes sense now, I assumed the maxmind updates would have inherited the update frequency from Suricata, as we now know that is not the case and it uses its own Cron job set to once per month.
Thanks for the help.
-
@ngr2001 said in Suricata not downloading Maxmind Database:
Makes sense now, I assumed the maxmind updates would have inherited the update frequency from Suricata, as we now know that is not the case and it uses its own Cron job set to once per month.
Thanks for the help.
When I wrote that code module, the Maxmind free database only updated once per month and the Maxmind folks were not keen on thousands of pfSense Suricata installs hitting their server daily or even hourly for some folks. Thus the decision to just check once per month about a week past the first of the month.
-
Makes sense.
Auto-updates are def working as expected now. To your point I adjusted my frequency to weekly, every Saturday at 4am. I think Maxmind pushes updates every Tuesday & Friday.
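
One way to check which schedule the GeoIP update job actually has, as an added example that is not part of the thread or of the Suricata package. It assumes the job appears in a system crontab (minute, hour, day-of-month, month, day-of-week, user, command; `/etc/crontab` on pfSense is an assumption here), and the sample lines are constructed from the command and schedules mentioned above.

```shell
#!/bin/sh
# Added example: classify the schedule of the Suricata GeoIP update job.
# Assumes system-crontab layout: min hour mday month wday user command.

geoip_schedule() {
    # Reads crontab text on stdin and prints one line per active matching job.
    # Returns non-zero (and prints "missing") when no active job is found.
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out jobs
        /suricata_geoipupdate\.php/ {
            mday = $3; wday = $5
            if (mday != "*" && wday != "*")      kind = "mday-or-wday"
            else if (mday != "*")                kind = "monthly"
            else if (wday != "*")                kind = "weekly"
            else                                 kind = "daily"
            printf "%s min=%s hour=%s mday=%s month=%s wday=%s\n",
                   kind, $1, $2, mday, $4, wday
            found = 1
        }
        END { if (!found) { print "missing"; exit 1 } }
    '
}

# Constructed sample: the once-a-month entry (8th of the month) next to an
# unrelated job. On a live system the input would be the crontab file itself,
# e.g. geoip_schedule < /etc/crontab
geoip_schedule <<'EOF'
# constructed sample crontab
1 3 * * * root /usr/bin/nice -n20 /etc/rc.periodic daily
0 6 8 * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php
EOF
```

A result of `monthly` with `mday=8` matches the once-per-month default described in the thread; `weekly` with `wday=6 hour=4` corresponds to the Saturday 4am adjustment.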