Netgate Discussion Forum

    Suricata not downloading Maxmind Database

      ngr2001

      I added a fresh maxmind lic key to suricata, however on the maxmind side it shows that this key has never been used. I've restarted Suricata, manually ran updates, and also waited a few days to see if something kicks in. So far Suricata has yet to download the maxmind database. I also added a key for NTOP, that worked just fine.

        ngr2001

        Can anyone confirm or deny the maxmind integration works?

          tinfoilmatt @ngr2001

          @ngr2001

          2025-04-18 06:00:01.627992 	php-cgi 	11804 	[Suricata] Cleaning up temp files after GeoLite2-Country database update.
          2025-04-18 06:00:01.627918 	php-cgi 	11804 	[Suricata] The GeoLite2-Country IP database is up-to-date.
          2025-04-18 06:00:00.348391 	php-cgi 	11804 	[Suricata] Checking for updated MaxMind GeoLite2 IP database file... 
          
            tinfoilmatt @ngr2001

            @ngr2001 You can confirm update task from Services / Cron / Settings. I see command /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php scheduled for every day @ 6:00 AM.

              ngr2001 @tinfoilmatt

              @tinfoilmatt

              So when I ran the above command, pfsense / suricata 100% reached out to maxmind and downloaded the newest database, see evidence below. The question is, why did it not automatically download? My updates are set to daily in GUI, I will keep an eye on it and see if it starts working now. What's the best way to validate the Cron Job?

                ngr2001 @ngr2001

                @ngr2001

                I installed the Cron package, and noticed this, it looks like out of the box the cron job was set to only update on the 8th of the month. That seems really odd to me, I am going to manually adjust.

                  SteveITS Galactic Empire @ngr2001

                  @ngr2001 IIRC MaxMind only updates its data monthly? Arguably Suricata should update once initially, though.

                  FWIW we do geo via pfBlocker.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                    ngr2001 @SteveITS

                    @SteveITS

                    Makes sense now, I assumed the maxmind updates would have inherited the update frequency from Suricata, as we now know that is not the case and it uses its own Cron job set to once per month.

                    Thanks for the help.

                      bmeeks @ngr2001

                      @ngr2001 said in Suricata not downloading Maxmind Database:

                      @SteveITS

                      Makes sense now, I assumed the maxmind updates would have inherited the update frequency from Suricata, as we now know that is not the case and it uses its own Cron job set to once per month.

                      Thanks for the help.

                      When I wrote that code module, the Maxmind free database only updated once per month and the Maxmind folks were not keen on thousands of pfSense Suricata installs hitting their server daily or even hourly for some folks 😁. Thus the decision to just check once per month about a week past the first of the month.

                        ngr2001 @bmeeks

                        @bmeeks

                        Makes sense.

                        Auto-updates are def working as expected now. To your point I adjusted my frequency to weekly, every Saturday at 4am. I think Maxmind pushes updates every Tuesday & Friday.

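On the question raised in the thread of how to validate the cron job: the following is an added example, not part of any post and not code from the Suricata package. It reads a crontab file, finds the `suricata_geoipupdate.php` entry and reports whether it runs daily, weekly or monthly. It assumes the system crontab layout (minute, hour, day-of-month, month, weekday, user, command); the sample line is constructed, and its minute and hour values are placeholders, since the thread only states the day of the month.

```shell
#!/bin/sh
# Added example: classify the schedule of the Suricata GeoIP update job.
# Assumed crontab layout: minute hour mday month wday user command

JOB='suricata_geoipupdate.php'   # script name quoted in the thread

# geoip_schedule FILE
# Prints "<class> <minute> <hour> <mday> <month> <wday>" for each active
# entry that runs the GeoIP update script. Prints "missing" and returns
# non-zero when no such entry exists (the database would never refresh).
geoip_schedule() {
    awk -v job="$JOB" '
        /^[ \t]*#/          { next }      # skip commented-out entries
        index($0, job) == 0 { next }      # skip unrelated jobs
        {
            cls = "other"
            # Only classify entries with a fixed minute and hour, any month.
            if ($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $4 == "*") {
                if ($3 == "*" && $5 == "*")              cls = "daily"
                else if ($3 == "*" && $5 ~ /^[0-9]$/)    cls = "weekly"
                else if ($3 ~ /^[0-9]+$/ && $5 == "*")   cls = "monthly"
            }
            print cls, $1, $2, $3, $4, $5
            found = 1
        }
        END { if (!found) { print "missing"; exit 1 } }
    ' "$1"
}

# Constructed sample: a job limited to the 8th of the month, as described
# in the thread (minute and hour here are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample crontab
0 0 8 * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php
EOF
geoip_schedule "$sample"
rm -f "$sample"
```

On the firewall itself, point the function at the live crontab file (assumed here to be `/etc/crontab`) and compare the result with the timestamps of the `[Suricata] Checking for updated MaxMind GeoLite2 IP database file...` log entries.
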
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.