[Oisf-users] Properly installing Suricata-Update on latest version of Suricata

419telegraph298 at protonmail.com 419telegraph298 at protonmail.com
Mon Feb 11 02:52:30 UTC 2019


Hey, thanks for the help! The auto-update loaded properly; I now just have to change the default rules path in the config from /etc/suricata to /var/lib/suricata/rules/suricata.rules.

I am, however, having issues getting alerts generated. Despite going on checkmyids.com, using Tor, and running wget testmyids.com and nmap from my Pi with Suricata on it, nothing has been added to alerts:

-rw-r-----  1 root root 137974147 Feb 11 02:52 eve.json
-rw-r-----  1 root root    315811 Feb  3 06:25 eve.json.1.gz
-rw-r-----  1 root root         0 Feb  3 06:25 fast.log
-rw-r-----  1 root root        20 Feb  1 13:17 fast.log.1.gz
-rw-r--r--  1 root root        39 Jan 15  2007 index.html
-rw-r-----  1 root root  73312955 Feb 11 02:52 stats.log
-rw-r-----  1 root root    212177 Feb  3 06:25 stats.log.1.gz
-rw-r--r--  1 root root      1345 Feb 10 18:19 suricata.log
-rw-r--r--  1 root root       487 Feb  2 06:26 suricata.log.1.gz


Sent from ProtonMail, encrypted email based in Switzerland.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, February 10, 2019 4:56 PM, Jason Ish <jason.ish at oisf.net> wrote:

> On 2019-02-10 12:22 p.m., 419telegraph298 at protonmail.com wrote:
>
> > Thanks for the suggestion - I was able to launch auto update with ~/.local/bin/suricata-update
> > It created a separate rules file from my default at /etc/suricata/rules and then ran into an error:
> > 10/2/2019 -- 18:17:54 - <Info> -- Creating directory /var/lib/suricata/rules.
> > 10/2/2019 -- 18:17:54 - <Info> -- Backing up current rules.
> > 10/2/2019 -- 18:17:55 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 26952; enabled: 19552; added: 26952; removed 0; modified: 0
> > 10/2/2019 -- 18:17:56 - <Info> -- Testing with suricata -T.
> > 10/2/2019 -- 18:19:11 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCMalloc failed: Cannot allocate memory, while trying to allocate 16131584 bytes
> > 10/2/2019 -- 18:19:13 - <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Out of memory. The engine cannot be initialized. Exiting...
> > 10/2/2019 -- 18:19:16 - <Error> -- Suricata test failed, aborting.
> > 10/2/2019 -- 18:19:16 - <Error> -- Restoring previous rules.
>
> It's at this stage where a second Suricata instance is fired up to
> validate that the rules will reload correctly. You can try two things here:
>
> 1.  suricata-update -q
>
>     "-q" will make suricata-update run in quiet mode. This does decrease the
>     amount of memory used. We're also actively working on making
>     suricata-update use less memory, but that work isn't ready yet.
>
>     If you still get the out-of-memory error, you can:
>
> 2.  suricata-update --no-test
>
>     This will disable firing up Suricata to test the rules.
>
>     Regarding your other email about CPU usage, you could use the 'nice'
>     command to not use as much CPU at once.
>
>     Jason
>
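The two options above, plus the nice suggestion, put together as a small POSIX shell script. This is an added example and not code from the thread, from Suricata or from suricata-update. It assumes the default locations suricata-update wrote to above (/etc/suricata/suricata.yaml and /var/lib/suricata/rules/suricata.rules) and the default EVE log at /var/log/suricata/eve.json; all three can be overridden through environment variables. The eve.json sample used by the self-check is constructed here for illustration, not captured from the poster's Pi. Two practitioner points it encodes: once you pass --no-test nothing validates the downloaded rules any more, so run suricata -T yourself (at a quiet time, under nice) before the running engine picks them up on its next reload; and an empty fast.log next to a fast-growing eve.json usually means eve.json is full of flow/stats/dns records with no "event_type":"alert" lines, i.e. no rule matched, rather than logging being broken, which the grep below makes visible. If even suricata -T alone runs out of memory on the Pi, the Suricata setting to look at is detect.profile (set it to low) in suricata.yaml.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread or of
# suricata-update itself): drive suricata-update on a low-memory host and
# sanity-check that alerts are actually being written to eve.json.
# Paths below are assumptions (the suricata-update defaults); override via env.
set -eu

SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
RULES_DIR="${RULES_DIR:-/var/lib/suricata/rules}"
EVE_JSON="${EVE_JSON:-/var/log/suricata/eve.json}"

# Build the suricata-update command line for a given memory budget:
#   normal -> plain run (suricata-update spawns "suricata -T" to validate)
#   low    -> -q, quiet mode, which lowers memory use of the update run
#   none   -> -q plus --no-test, which skips the embedded suricata -T entirely
# Everything is prefixed with "nice -n 19" so rule parsing does not
# monopolise the CPU, as suggested in the reply above.
update_cmd() {
    case "$1" in
        normal) echo "nice -n 19 suricata-update" ;;
        low)    echo "nice -n 19 suricata-update -q" ;;
        none)   echo "nice -n 19 suricata-update -q --no-test" ;;
        *)      echo "usage: update_cmd normal|low|none" >&2; return 1 ;;
    esac
}

# With --no-test the rule set is never validated, so validate it yourself.
# "suricata -T" exits non-zero if the config or any rule fails to load.
validate_rules() {
    nice -n 19 suricata -T -c "$SURICATA_YAML"
}

# Count EVE records of one event_type (alert, flow, stats, dns, ...).
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps set -e
# from treating "no alerts yet" as a script failure.
count_event_type() {  # $1 = event_type, $2 = path to eve.json
    grep -c "\"event_type\":\"$1\"" "$2" || true
}

# Constructed sample eve.json (not real output): three non-alert records and
# one alert record shaped like the classic testmyids.com signature.
make_sample_eve() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{"timestamp":"2019-02-11T02:50:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5"}
{"timestamp":"2019-02-11T02:50:02.000000+0000","event_type":"stats","stats":{"uptime":3600}}
{"timestamp":"2019-02-11T02:50:03.000000+0000","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2019-02-11T02:50:04.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7"}
EOF
    echo "$f"
}

# Usage: sh suricata-update-lowmem.sh run [normal|low|none]
# Runs the update at the chosen memory budget, validates separately when the
# embedded test was skipped, then reports how many alerts eve.json holds.
if [ "${1:-}" = "run" ]; then
    budget="${2:-low}"
    eval "$(update_cmd "$budget")"
    if [ "$budget" = "none" ]; then
        validate_rules
    fi
    echo "alert records in $EVE_JSON: $(count_event_type alert "$EVE_JSON")"
    echo "flow records in $EVE_JSON:  $(count_event_type flow "$EVE_JSON")"
fi
```

Running it with `run none` on the Pi gives you the memory-light update path while still catching a broken rule set before the engine reloads it; a zero alert count with a non-zero flow count tells you traffic is being seen but no enabled rule matched, which points at the rule-files path in suricata.yaml (still /etc/suricata/rules instead of /var/lib/suricata/rules/suricata.rules) or at the capture interface rather than at the logging.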
