<div>Hey everyone, <br></div><div><br></div><div>I recently installed Suricata on a Raspberry Pi 3 using the Briar IDS - <a href="https://github.com/musicmancorley/BriarIDS">https://github.com/musicmancorley/BriarIDS</a><br></div><div><br></div><div>I then attempted to install Suricata-Update, however, and I am running into issues. I suspect this is because Briar installed <span><b>suricata-4.0.4</b></span> in /usr/local/src but auto-update is in <span><b>/var/lib/suricata</b></span>. Suricata stops running every day instead of updating, and I have to relaunch the program manually. It does not have any issues collecting traffic when I relaunch. </div><div><br></div><div>It fails to locate the binary for Suricata and gives me the error "<span>No distribution rule directory found</span>", but it has been able to update my rulesets in <span><b>/usr/local/src/suricata-4.0.4/rules</b>. Do I need to move my config file?</span></div><div><br></div><div>When I run verbose mode, I get the following output:<br></div>
<pre>
sudo suricata-update -v
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- This is suricata-update version 1.0.3 (rev: 8a782d4); Python: 2.7.13 (default, Sep 26 2018, 18:42:22) - [GCC 6.3.0 20170516]
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value force -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value verbose -&gt; True
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value enable -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value no-merge -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value version -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value dump-sample-configs -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value no-test -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value subcommand -&gt; update
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value modify -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value no-reload -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value no-ignore -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value disable -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value etopen -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value now -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value url -&gt; []
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value drop -&gt; False
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting configuration value ignore -&gt; []
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /usr/local/sbin
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /usr/local/bin
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /usr/sbin
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /usr/bin
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /sbin
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Looking for suricata in /bin
19/1/2019 -- 21:27:28 - &lt;Warning&gt; -- No suricata application binary found on path.
19/1/2019 -- 21:27:28 - &lt;Info&gt; -- Using default Suricata version of 4.0.0
19/1/2019 -- 21:27:28 - &lt;Info&gt; -- No sources configured, will use Emerging Threats Open
19/1/2019 -- 21:27:28 - &lt;Info&gt; -- Checking https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz.md5.
19/1/2019 -- 21:27:28 - &lt;Debug&gt; -- Setting HTTP User-Agent to Suricata-Update/1.0.3 (OS: Linux; CPU: armv7l; Python: 2.7.13; Dist: debian/9.6; Suricata: 4.0.0)
19/1/2019 -- 21:27:29 - &lt;Debug&gt; -- Local checksum=|x|; remote checksum=|x|
19/1/2019 -- 21:27:29 - &lt;Info&gt; -- Remote checksum has not changed. Not fetching.
19/1/2019 -- 21:27:29 - &lt;Warning&gt; -- No distribution rule directory found.
19/1/2019 -- 21:27:29 - &lt;Debug&gt; -- Parsing rules/emerging-mobile_malware.rules.
19/1/2019 -- 21:27:29 - &lt;Debug&gt; -- Parsing rules/emerging-icmp.rules.
19/1/2019 -- 21:27:29 - &lt;Debug&gt; -- Parsing rules/tor.rules.
19/1/2019 -- 21:27:30 - &lt;Debug&gt; -- Parsing rules/emerging-activex.rules.
19/1/2019 -- 21:27:30 - &lt;Debug&gt; -- Parsing rules/emerging-icmp_info.rules.
19/1/2019 -- 21:27:30 - &lt;Debug&gt; -- Parsing rules/emerging-policy.rules.
19/1/2019 -- 21:27:31 - &lt;Debug&gt; -- Parsing rules/emerging-pop3.rules.
19/1/2019 -- 21:27:31 - &lt;Debug&gt; -- Parsing rules/emerging-shellcode.rules.
19/1/2019 -- 21:27:31 - &lt;Debug&gt; -- Parsing rules/emerging-attack_response.rules.
19/1/2019 -- 21:27:31 - &lt;Debug&gt; -- Parsing rules/emerging-trojan.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-dns.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-telnet.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-scada.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-misc.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/dshield.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-sql.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-inappropriate.rules.
19/1/2019 -- 21:27:36 - &lt;Debug&gt; -- Parsing rules/emerging-web_server.rules.
19/1/2019 -- 21:27:37 - &lt;Debug&gt; -- Parsing rules/emerging-web_specific_apps.rules.
19/1/2019 -- 21:27:42 - &lt;Debug&gt; -- Parsing rules/emerging-user_agents.rules.
</pre>
<div><br></div><div>Thank you so much in advance for any advice on this. I have read through previous forum postings and have gathered that Suricata's Auto-Update can kill traffic collection if improperly configured. <br></div><div><br></div><div><br></div><div>Sincerely,<br></div><div>Paul</div><div><br></div><div class="protonmail_signature_block"><div class="protonmail_signature_block-user">Sent from <a href="https://protonmail.ch">ProtonMail</a>, encrypted email based in Switzerland.<br></div><div><br></div><div class="protonmail_signature_block-proton">Sent with <a target="_blank" href="https://protonmail.com">ProtonMail</a> Secure Email.<br></div></div><div><br></div>
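<div>The verbose log above shows the root of the binary problem: suricata-update walks a fixed list (/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin), finds no <b>suricata</b> there, falls back to a default version of 4.0.0, and later warns that no distribution rule directory was found. A source build under /usr/local/src is outside that list. The wrapper script below is an added example for this thread, not code from the original post, from BriarIDS or from the suricata-update project. It locates the binary in an extra directory, passes it to suricata-update with <b>--suricata</b> and <b>--suricata-version</b>, writes the merged ruleset with <b>-o</b>, and only reloads the running sensor after <b>suricata -T</b> accepts the new rules. The function names (find_suricata_bin, parse_version, main) are the example's own, and the default values of EXTRA_DIRS, CONFIG, RULES_DIR and PIDFILE are assumptions about a Briar-style layout, not facts from the post.</div>

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, from
# BriarIDS or from the suricata-update project.
#
# Default paths are ASSUMPTIONS about a Briar-style source install; override
# them in the environment to match the real layout.
EXTRA_DIRS="${EXTRA_DIRS:-/usr/local/src/suricata-4.0.4/src}"   # assumed build dir of the binary
CONFIG="${CONFIG:-/usr/local/etc/suricata/suricata.yaml}"       # assumed suricata.yaml location
RULES_DIR="${RULES_DIR:-/var/lib/suricata/rules}"               # suricata-update's default output dir
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"                     # assumed pid file

# The directories suricata-update searched in the verbose log, same order.
SEARCH_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# find_suricata_bin EXTRA: print the first regular, executable file named
# "suricata" in the colon-separated list EXTRA, then in SEARCH_DIRS.
# Returns 1 if none is found.  A directory named "suricata" does not count.
find_suricata_bin() {
    dirs="$SEARCH_DIRS"
    if [ -n "$1" ]; then
        dirs="$1:$SEARCH_DIRS"
    fi
    old_ifs="$IFS"
    IFS=:
    for d in $dirs; do
        if [ -f "$d/suricata" ] && [ -x "$d/suricata" ]; then
            IFS="$old_ifs"
            printf '%s\n' "$d/suricata"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# parse_version "This is Suricata version 4.0.4 RELEASE" prints 4.0.4
# (the shape of `suricata -V` output); prints nothing if no version is present.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# One update cycle.  Every step aborts on failure so a broken or
# half-written ruleset never reaches the running sensor.
main() {
    bin=$(find_suricata_bin "$EXTRA_DIRS") || {
        echo "no suricata binary found; set EXTRA_DIRS to its directory" >&2
        return 1
    }
    ver=$(parse_version "$("$bin" -V 2>/dev/null)")
    # --suricata, --suricata-version, -o and --no-reload are suricata-update
    # options.  Pinning the version stops the 4.0.0 fallback seen in the log.
    suricata-update --suricata "$bin" --suricata-version "${ver:-4.0.4}" \
        -o "$RULES_DIR" --no-reload || return 1
    # suricata-update runs this test itself (no-test -> False in the log),
    # but only once it can find the binary; here it is explicit and uses the
    # sensor's real config rather than the fallback version.
    "$bin" -T -c "$CONFIG" -S "$RULES_DIR/suricata.rules" || {
        echo "new ruleset failed suricata -T; not reloading" >&2
        return 1
    }
    # Live rule reload: the signal suricata-update itself sends when
    # reload is enabled.  Sent only after the test above passed.
    if [ -r "$PIDFILE" ]; then
        kill -USR2 "$(cat "$PIDFILE")"
    fi
}

# Run the cycle only when invoked with --run (e.g. from a cron entry), so
# the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

<div>Two things to check on the sensor after running it: that the rule-files entry in suricata.yaml points at the file this writes (RULES_DIR/suricata.rules) rather than at the rules shipped under the source tree, and that the cron entry invokes the script with --run as root so it can read the pid file and signal the process.</div>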