[Oisf-users] Properly installing Suricata-Update on latest version of Suricata
419telegraph298 at protonmail.com
Mon Feb 11 02:52:30 UTC 2019
Hey, thanks for the help! The auto-update loaded properly, I now just have to change the default rules path in the config from /etc/suricata to /var/lib/suricata/rules/suricata.rules .
I am, however, having issues getting alerts generated. Despite going on checkmyids.com, using Tor, and running wget testmyids.com and nmap from my pi w/ Suricata on it, nothing has been added to alerts:
-rw-r----- 1 root root 137974147 Feb 11 02:52 eve.json
-rw-r----- 1 root root 315811 Feb 3 06:25 eve.json.1.gz
-rw-r----- 1 root root 0 Feb 3 06:25 fast.log
-rw-r----- 1 root root 20 Feb 1 13:17 fast.log.1.gz
-rw-r--r-- 1 root root 39 Jan 15 2007 index.html
-rw-r----- 1 root root 73312955 Feb 11 02:52 stats.log
-rw-r----- 1 root root 212177 Feb 3 06:25 stats.log.1.gz
-rw-r--r-- 1 root root 1345 Feb 10 18:19 suricata.log
-rw-r--r-- 1 root root 487 Feb 2 06:26 suricata.log.1.gz
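The listing above shows a large eve.json next to an empty fast.log, and Suricata writes alerts to eve.json as "alert" events even when fast.log stays empty, so the first check is whether any such events exist. The script below is an added example, not part of this mail or of the Suricata project: it counts event types in an eve.json, lists the alert signatures seen, and tolerates the partially written last line a live log often has. It runs over constructed sample lines when no path is given; the optional path argument and the sample values are assumptions.

```python
import json
import sys
from collections import Counter

# Constructed sample eve.json lines (not from the poster's box). The last line is
# deliberately truncated, as the tail of a file Suricata is still writing can be.
SAMPLE_EVE = """\
{"timestamp":"2019-02-11T02:50:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2019-02-11T02:50:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2019-02-11T02:50:03.000000+0000","event_type":"stats","stats":{"uptime":120}}

{"timestamp":"2019-02-11T02:50:04.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2019-02-11T02:50:05.000000+0000","event_type":"al
"""


def summarise_eve(lines):
    """Return (event_type counts, alert counts keyed by (sid, msg), unparsable line count)."""
    counts = Counter()
    alerts = Counter()
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:  # blank lines are harmless (rotation, manual edits)
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # truncated or corrupted record; count it rather than abort
            continue
        event_type = event.get("event_type", "unknown")
        counts[event_type] += 1
        if event_type == "alert":
            alert = event.get("alert", {})
            alerts[(alert.get("signature_id"), alert.get("signature"))] += 1
    return counts, alerts, bad


def main(argv):
    # Hypothetical usage: python eve_alerts.py /var/log/suricata/eve.json
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            counts, alerts, bad = summarise_eve(fh)
    else:
        counts, alerts, bad = summarise_eve(SAMPLE_EVE.splitlines())
    for event_type, n in counts.most_common():
        print(f"{event_type:>10}: {n}")
    for (sid, msg), n in alerts.most_common():
        print(f"  sid {sid}: {n} x {msg}")
    print(f"unparsable lines: {bad}")
    if counts["alert"] == 0:
        print("no alert events at all: check default-rule-path / rule-files in suricata.yaml")


if __name__ == "__main__":
    main(sys.argv)
```

A non-zero flow or stats count with zero alerts means traffic is being seen but no rules fire, which points at the rule path rather than the capture interface.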
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, February 10, 2019 4:56 PM, Jason Ish <jason.ish at oisf.net> wrote:
> On 2019-02-10 12:22 p.m., 419telegraph298 at protonmail.com wrote:
>
> > Thanks for the suggestion - I was able to launch auto update with ~/.local/bin/suricata-update
> > It created a separate rules file from my default at /etc/suricata/rules and then ran into an error:
> > 10/2/2019 -- 18:17:54 - <Info> -- Creating directory /var/lib/suricata/rules.
> > 10/2/2019 -- 18:17:54 - <Info> -- Backing up current rules.
> > 10/2/2019 -- 18:17:55 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 26952; enabled: 19552; added: 26952; removed 0; modified: 0
> > 10/2/2019 -- 18:17:56 - <Info> -- Testing with suricata -T.
> > 10/2/2019 -- 18:19:11 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCMalloc failed: Cannot allocate memory, while trying to allocate 16131584 bytes
> > 10/2/2019 -- 18:19:13 - <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Out of memory. The engine cannot be initialized. Exiting...
> > 10/2/2019 -- 18:19:16 - <Error> -- Suricata test failed, aborting.
> > 10/2/2019 -- 18:19:16 - <Error> -- Restoring previous rules.
>
> It's at this stage where a second Suricata instance is fired up to
> validate that the rules will reload correctly. You can try two things here:
>
> 1. suricata-update -q
>
> "-q" will make suricata-update run in quiet mode. This does decrease the
> amount of memory used. We're also actively working on making
> suricata-update use less memory, but that work isn't ready yet.
>
> If you still get the out-of-memory error, you can:
>
> 2. suricata-update --no-test
>
> This will disable firing up Suricata to test the rules.
>
> Regarding your other email about CPU usage, you could use the 'nice'
> command to not use as much CPU at once.
>
> Jason
>