Error updating Suricata rules (Suricata version => 8.0.0-dev (2c0d3b83c 2024-12-13))

Hello,
I don’t know whether I have to post this topic in the Help category or the Rules category, but I know my problem:

```
alexandre@alexandre-Matebook:~/Documents$ cat ./suricata-update-script.sh
#!/bin/bash

# Update the Suricata rules
suricata-update

# Copy the rules into the right directory
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules

# Give ownership of the directories to the suricata user and group
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/

# Set the right permissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
sudo chmod 755 /usr/share/suricata/rules/suricata.rules

sudo find / -path /home -prune -o -name "*suricata*" -type d -exec chmod 755 {} \; -exec chown suricata:suricata {} \;
sudo find / -path /home -prune -o -name "*suricata*" -type f -exec chmod 755 {} \; -exec chown suricata:suricata {} \;

# Restart the Suricata services
sudo systemctl daemon-reload
sudo systemctl restart suricata.service
```

alexandre@alexandre-Matebook:~/Documents$ sudo ./suricata-update-script.sh 
23/3/2025 -- 20:08:14 - <Info> -- Using data-directory /usr/var/lib/suricata.
23/3/2025 -- 20:08:14 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
23/3/2025 -- 20:08:14 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
23/3/2025 -- 20:08:14 - <Info> -- Found Suricata version 8.0.0-dev at /usr/bin/suricata.
23/3/2025 -- 20:08:14 - <Info> -- Loading /etc/suricata/suricata.yaml
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol pgsql
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol modbus
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol dnp3
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol enip
23/3/2025 -- 20:08:14 - <Info> -- No sources configured, will use Emerging Threats Open
23/3/2025 -- 20:08:14 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-8.0.0/emerging.rules.tar.gz.
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Ignoring file b3a62191660c4b770056372c69bc7439/rules/emerging-deleted.rules
23/3/2025 -- 20:08:18 - <Info> -- Loaded 57764 rules.
23/3/2025 -- 20:08:18 - <Info> -- Disabled 13 rules.
23/3/2025 -- 20:08:18 - <Info> -- Enabled 0 rules.
23/3/2025 -- 20:08:18 - <Info> -- Modified 0 rules.
23/3/2025 -- 20:08:18 - <Info> -- Dropped 0 rules.
23/3/2025 -- 20:08:19 - <Info> -- Enabled 136 rules for flowbit dependencies.
23/3/2025 -- 20:08:19 - <Info> -- Backing up current rules.
23/3/2025 -- 20:08:23 - <Info> -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 57764; enabled: 42575; added: 121; removed 1; modified: 1296
23/3/2025 -- 20:08:23 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
23/3/2025 -- 20:08:24 - <Info> -- Testing with suricata -T.
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto / Node.js SAML Authentication Bypass Forged DigestValue Comment (CVE-2025-29775)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response"; content:"|3c|DigestValue|3e 3c 21 2d 2d|"; fast_pattern; pcre:"/^[A-Za-z0-9\x2b\x2f]+\x3d*\x2d\x2d\x3e[A-Za-z0-9\x2b\x2f]+\x3d*\x3c\x2fds\x3aDigestValue\x3e/R"; reference:url,workos.com/blog/samlstorm; reference:cve,2025-29775; classtype:web-application-attack; sid:2060960; rev:1; metadata:affected_product Node_js, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_19, cve CVE_2025_29775, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56633
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response"; content:"|3c|SignedInfo|3e|"; fast_pattern; content:"|3c|SignedInfo|3e|"; distance:0; reference:url,github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g; reference:cve,2025-29774; classtype:web-application-attack; sid:2060961; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_19, cve CVE_2025_29774, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56634
23/3/2025 -- 20:08:27 - <Error> -- Loading signatures failed.
23/3/2025 -- 20:08:27 - <Error> -- Suricata test failed, aborting.
23/3/2025 -- 20:08:27 - <Error> -- Restoring previous rules.
find: ‘/run/user/1000/gvfs’: Permission non accordée
find: ‘/run/user/1000/doc’: Permission non accordée
find: ‘/tmp/.mount_jetbraCHtaVt’: Permission non accordée
find: ‘/run/user/1000/gvfs’: Permission non accordée
find: ‘/run/user/1000/doc’: Permission non accordée
find: ‘/tmp/.mount_jetbraCHtaVt’: Permission non accordée

Here is my configuration:

```
alexandre@alexandre-Matebook:~/Documents$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 --user suricata --group suricata 
Notice: suricata: This is Suricata version 8.0.0-dev (2c0d3b83c 2024-12-13) running in SYSTEM mode [LogVersion:suricata.c:1152]
^C^C^C^C^C^C^C^C^C^C^C^C^C^C^CError: nfq: nfq_create_queue failed [NFQInitThread:source-nfq.c:639]
Error: nfq: nfq thread failed to initialize [ReceiveNFQThreadInit:source-nfq.c:742]
alexandre@alexandre-Matebook:~/Documents$ 
alexandre@alexandre-Matebook:~/Documents$ uname -r 
6.10.12-061012-generic
alexandre@alexandre-Matebook:~/Documents$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.2 LTS
Release:	24.04
Codename:	noble
alexandre@alexandre-Matebook:~/Documents$ 
```

Could you help me?
Regards
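
Each rejected rule appears in the log above as a pair of `<Error>` lines: the engine's reason first, then the full signature with its file and line number. The following is an added example, not part of the original post or of suricata-update; `failed_signatures` and its field names are hypothetical, and the sample log is an abridged copy of the lines above.

```python
import re

# Constructed sample: the tail of the log above, rule bodies abridged with "...".
SAMPLE_LOG = '''\
23/3/2025 -- 20:08:24 - <Info> -- Testing with suricata -T.
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto / Node.js SAML Authentication Bypass Forged DigestValue Comment (CVE-2025-29775)"; ...; sid:2060960; rev:1; ...)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56633
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774)"; ...; sid:2060961; rev:1; ...)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56634
23/3/2025 -- 20:08:27 - <Error> -- Loading signatures failed.
23/3/2025 -- 20:08:27 - <Error> -- Suricata test failed, aborting.
'''

# "<date> -- <time> - <Level> -- <text>", the layout used by the log above.
LOG_LINE = re.compile(r'^\S+ -- \S+ - <(?P<level>\w+)> -- (?P<text>.*)$')
# Greedy rule body: the rule itself contains quotes, so match up to the last
# '" from file'.
SIG_ERR = re.compile(r'^error parsing signature "(?P<rule>.*)" '
                     r'from file (?P<path>\S+) at line (?P<line>\d+)$')


def failed_signatures(log_text):
    """Pair each rejected signature with the error reason printed before it."""
    failures, reason = [], None
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m['level'] != 'Error':
            continue
        sig = SIG_ERR.match(m['text'])
        if sig is None:
            reason = m['text']          # remember the cause for the next rule
            continue
        sid = re.search(r'\bsid:\s*(\d+);', sig['rule'])
        msg = re.search(r'msg:"(.*?)";', sig['rule'])
        failures.append({
            'sid': int(sid.group(1)) if sid else None,
            'msg': msg.group(1) if msg else None,
            'reason': reason,
            'file': sig['path'],
            'line': int(sig['line']),
        })
        reason = None                   # a reason belongs to one rule only
    return failures


if __name__ == '__main__':
    for f in failed_signatures(SAMPLE_LOG):
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {f['reason']}")
```
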

Please use the current git master and try again. We can’t support random old snapshots of it.

I just already did git pull on the master branch!

Hello,
now it works!

Hello, I still have the error; see my commands with their output:

```
aragon@fdqfgsfdgdfs:~$ uname -r
6.5.0-060500-generic
aragon@fdqfgsfdgdfs:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.3 LTS
Release:	24.04
Codename:	noble
aragon@fdqfgsfdgdfs:~$ sudo suricata -v
Suricata 8.0.1-dev (2e69e0d5c 2025-07-14)
USAGE: suricata [OPTIONS] [BPF FILTER]

General:
-v                                   : be more verbose (use multiple times to increase verbosity)
-c                             : path to configuration file
-l                              : default log directory
--include                      : additional configuration file
--set name=value                     : set a configuration value
--pidfile                      : write pid to this file
-T                                   : test configuration file (use with -c)
--init-errors-fatal                  : enable fatal failure on signature init error
-D                                   : run as daemon
--user                         : run suricata as this user after init
--group                       : run suricata as this group after init
--unix-socket[=]               : use unix socket to control suricata work
--runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
supplied should be the id for the runmode obtained by running
--list-runmodes

Capture and IPS:
-F                  : bpf filter file
-k [all|none]                        : force checksum check (all) or disabled it (none)
-i                        : run in pcap live mode
--pcap[=]                       : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
-q <qid[:qid]>                       : run in inline nfqueue mode (use colon to specify a range of queues)
--af-packet[=]                  : run in af-packet mode, no value select interfaces from suricata.yaml
--reject-dev                    : send reject packets from this interface

Capture Files:
-r                             : run in pcap file/offline mode
--pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
--pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
--pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
--pcap-file-buffer-size              : set read buffer size (setvbuf)
--erf-in                       : process an ERF file

Detection:
-s                             : path to signature file loaded in addition to suricata.yaml settings (optional)
-S                             : path to signature file loaded exclusively (optional)
--disable-detection                  : disable detection engine
--engine-analysis                    : print reports on analysis of different sections in the engine and exit.
Please have a look at the conf parameter engine-analysis on what reports
can be printed

Firewall:
--firewall                           : enable firewall mode
--firewall-rules-exclusive=    : path to firewall rule file loaded exclusively

Info:
-V                                   : display Suricata version
--list-keywords[=all|csv|]    : list keywords implemented by the engine
--list-runmodes                      : list supported runmodes
--list-app-layer-protos              : list supported app layer protocols
--list-app-layer-hooks               : list supported app layer hooks for use in rules
--dump-config                        : show the running configuration
--dump-features                      : display provided features
--build-info                         : display build information

Testing:
--simulate-ips                       : force engine into IPS mode. Useful for QA
-u                                   : run the unittests and exit
-U=REGEX, --unittest-filter=REGEX    : filter unittests with a pcre compatible regex
--list-unittests                     : list unit tests
--fatal-unittests                    : enable fatal failure on unittest error
--unittests-coverage                 : display unittest coverage report

To run Suricata with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
suricata -c suricata.yaml -s signatures.rules -i eth0

aragon@fdqfgsfdgdfs:~$ sudo suricata-update
9/8/2025 -- 13:31:53 -  -- Using data-directory /usr/var/lib/suricata.
9/8/2025 -- 13:31:53 -  -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2025 -- 13:31:53 -  -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2025 -- 13:31:53 -  -- Found Suricata version 8.0.1-dev at /usr/bin/suricata.
9/8/2025 -- 13:31:53 -  -- Loading /etc/suricata/suricata.yaml
9/8/2025 -- 13:31:53 -  -- Disabling rules for protocol modbus
9/8/2025 -- 13:31:53 -  -- Disabling rules for protocol dnp3
9/8/2025 -- 13:31:53 -  -- Disabling rules for protocol enip
9/8/2025 -- 13:31:53 -  -- No sources configured, will use Emerging Threats Open
9/8/2025 -- 13:31:53 -  -- Checking https://rules.emergingthreats.net/open/suricata-8.0.1/emerging.rules.tar.gz.md5.
9/8/2025 -- 13:31:53 -  -- Fetching https://rules.emergingthreats.net/open/suricata-8.0.1/emerging.rules.tar.gz.
100% - 5010597/5010597
9/8/2025 -- 13:31:55 -  -- Done.
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
9/8/2025 -- 13:31:55 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
9/8/2025 -- 13:31:55 -  -- Ignoring file 7b26068ce7bef3a8830c5227122c8e0d/rules/emerging-deleted.rules
9/8/2025 -- 13:31:57 -  -- Loaded 60364 rules.
9/8/2025 -- 13:31:57 -  -- Disabled 13 rules.
9/8/2025 -- 13:31:57 -  -- Enabled 0 rules.
9/8/2025 -- 13:31:57 -  -- Modified 0 rules.
9/8/2025 -- 13:31:57 -  -- Dropped 0 rules.
9/8/2025 -- 13:31:57 -  -- Enabled 136 rules for flowbit dependencies.
9/8/2025 -- 13:31:57 -  -- Backing up current rules.
9/8/2025 -- 13:31:59 -  -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 60364; enabled: 44585; added: 373; removed 12; modified: 2589
9/8/2025 -- 13:31:59 -  -- Writing /usr/var/lib/suricata/rules/classification.config
9/8/2025 -- 13:31:59 -  -- Testing with suricata -T.
9/8/2025 -- 13:32:00 -  -- Error opening file: "/tmp/tmpmf4f2z7t/fast.log": Permission denied
9/8/2025 -- 13:32:00 -  -- output module "fast": setup failed
9/8/2025 -- 13:32:00 -  -- Suricata test failed, aborting.
9/8/2025 -- 13:32:00 -  -- Restoring previous rules.
aragon@fdqfgsfdgdfs:~$
```

Regards

Alexandre