[Oisf-users] Properly installing Suricata-Update on latest version of Suricata

Jason Ish jason.ish at oisf.net
Sun Feb 10 21:56:45 UTC 2019


On 2019-02-10 12:22 p.m., 419telegraph298 at protonmail.com wrote:
> Thanks for the suggestion - I was able to launch auto update with  ~/.local/bin/suricata-update
> 
> 
> 
> It created a separate rules file from my default at /etc/suricata/rules and then ran into an error:
> 
> 10/2/2019 -- 18:17:54 - <Info> -- Creating directory /var/lib/suricata/rules.
> 10/2/2019 -- 18:17:54 - <Info> -- Backing up current rules.
> 10/2/2019 -- 18:17:55 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 26952; enabled: 19552; added: 26952; removed 0; modified: 0
> 10/2/2019 -- 18:17:56 - <Info> -- Testing with suricata -T.
> 10/2/2019 -- 18:19:11 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCMalloc failed: Cannot allocate memory, while trying to allocate 16131584 bytes
> 10/2/2019 -- 18:19:13 - <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Out of memory. The engine cannot be initialized. Exiting...
> 10/2/2019 -- 18:19:16 - <Error> -- Suricata test failed, aborting.
> 10/2/2019 -- 18:19:16 - <Error> -- Restoring previous rules.

It's at this stage where a second Suricata instance is fired up to
validate that the rules will reload correctly.  You can try two things here:

1) suricata-update -q

"-q" will make suricata-update run in quiet mode. This does decrease the
amount of memory used.  We're also actively working on making
suricata-update use less memory, but that work isn't ready yet.

If you still get the out-of-memory error, you can:

2) suricata-update --no-test

This will disable firing up Suricata to test the rules.

Regarding your other email about CPU usage, you could use the 'nice'
command to not use as much CPU at once.

Jason
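An added example, not part of the original thread or of the Suricata project: a small POSIX shell wrapper that ties the three suggestions above together. It runs suricata-update quietly and under nice with --no-test, and, because --no-test also skips the automatic "Backing up / Restoring previous rules" safety net shown in the log, it then runs the validation step itself as a separate, low-priority `suricata -T` so a failed test is caught before any reload. The config path /etc/suricata/suricata.yaml and the rule file path /var/lib/suricata/rules/suricata.rules (taken from the log above) are assumptions and can be overridden with environment variables, as can the command names.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Suricata itself).
# Assumptions: suricata-update and suricata are on PATH; the running config
# is /etc/suricata/suricata.yaml; suricata-update writes its merged rule file
# to /var/lib/suricata/rules/suricata.rules (the path in the quoted log).
# Each can be overridden through the environment.
SURICATA_UPDATE="${SURICATA_UPDATE:-suricata-update}"
SURICATA="${SURICATA:-suricata}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"

# Step 1: fetch and merge the rules with the lowest CPU priority, in quiet
# mode, and without spawning the second Suricata instance that ran out of
# memory in the log above. Returns suricata-update's exit status.
update_rules() {
    nice -n 19 "$SURICATA_UPDATE" -q --no-test
}

# Step 2: --no-test means nobody validated the new rule file, so validate it
# here, also at low priority. -T tests the config and exits; -S loads only
# the given rule file, ignoring the rule-files list in the YAML.
# Returns suricata's exit status (non-zero on any load or parse failure).
test_rules() {
    nice -n 19 "$SURICATA" -T -c "$SURICATA_CONF" -S "$RULES_FILE"
}

# Run both steps in order. Returns 0 only if the update succeeded AND the
# new rules pass the test; otherwise prints which step failed and returns 1,
# so a caller can decide not to reload (suricata-update will not restore the
# previous rules for you when --no-test is used).
run_update_and_test() {
    if ! update_rules; then
        echo "suricata-update failed; leaving current rules untouched" >&2
        return 1
    fi
    if ! test_rules; then
        echo "new rules failed 'suricata -T'; do not reload them" >&2
        return 1
    fi
    echo "rules updated and validated: $RULES_FILE"
    return 0
}

# Only run when executed directly, not when sourced for testing.
case "$0" in
    *update-rules*) run_update_and_test ;;
esac
```

Running the test as a separate step also lets you schedule it for an idle period (or drop it when memory is short) instead of having it triggered in the middle of the download, which is the situation the log shows.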

