Hi all,
For a while now I have been experiencing an issue when running suricata-update on my home instance running on a Raspberry Pi4.
The suricata-update process fails because there is no space left on the /tmp device during the backup of the existing rules. After checking, I noticed that the files under /var/lib/suricata/rules/datasets are creating the problem. These files are copied to /tmp during the update process. Some of those files that are more than 6 months old.
My /tmp is a very small tmpfs to limit the load on my sdcard. It used to be 128 MB but over time I had to increase it to 1 GB to work around the issue.
What version of Suricata are you running? Suricata 7.0.4 included an update to Suricata-Update that fixed creating a new dataset file every time they were downloaded. If running an older version, I suggest you upgrade.
You can then safely delete those dataset files (assuming the ones that use a hash as the filename) and re-run Suricata-Update. Orphaned dataset files will still get left over time, but you won’t see growth after after everytime, and I plan to fix the orphaned files lingering as well.
Thank you for your response. I am using 6.0.20. I will definitely consider the upgrade, especially considering that 6.0.20 will be the last release in the branch, but this needs a bit of testing and I do not have much time for that right now.
Do I understand from your message that I can safely erase the orphaned datasets? How can I tell which datasets are orphaned?