Error to update rules suricata (suricata version =>8.0.0-dev (2c0d3b83c 2024-12-13)

a_m · March 23, 2025, 7:11pm

hello,
i don’t know how if have to write topic in help category or rules category.but i whow my problem:

alexandre@alexandre-Matebook:~/Documents$ cat ./suricata-update-script.sh 
#!/bin/bash

# Mise à jour des règles Suricata
 suricata-update

# Copie des règles dans le bon dossier
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules

# Association des accès du dossier à l'utilisateur et groupe suricata
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/

# Attribution des bonnes permissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
sudo chmod 755 /usr/share/suricata/rules/suricata.rules

sudo find / -path /home -prune -o -name "*suricata*" -type d -exec chmod 755 {} \; -exec chown suricata:suricata {} \;
sudo find / -path /home -prune -o -name "*suricata*" -type f -exec chmod 755 {} \; -exec chown suricata:suricata {} \;


# Redémarrage des services Suricata
sudo systemctl daemon-reload
sudo systemctl restart suricata.service

alexandre@alexandre-Matebook:~/Documents$ sudo ./suricata-update-script.sh 
23/3/2025 -- 20:08:14 - <Info> -- Using data-directory /usr/var/lib/suricata.
23/3/2025 -- 20:08:14 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
23/3/2025 -- 20:08:14 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
23/3/2025 -- 20:08:14 - <Info> -- Found Suricata version 8.0.0-dev at /usr/bin/suricata.
23/3/2025 -- 20:08:14 - <Info> -- Loading /etc/suricata/suricata.yaml
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol pgsql
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol modbus
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol dnp3
23/3/2025 -- 20:08:14 - <Info> -- Disabling rules for protocol enip
23/3/2025 -- 20:08:14 - <Info> -- No sources configured, will use Emerging Threats Open
23/3/2025 -- 20:08:14 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-8.0.0/emerging.rules.tar.gz.
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
23/3/2025 -- 20:08:15 - <Info> -- Ignoring file b3a62191660c4b770056372c69bc7439/rules/emerging-deleted.rules
23/3/2025 -- 20:08:18 - <Info> -- Loaded 57764 rules.
23/3/2025 -- 20:08:18 - <Info> -- Disabled 13 rules.
23/3/2025 -- 20:08:18 - <Info> -- Enabled 0 rules.
23/3/2025 -- 20:08:18 - <Info> -- Modified 0 rules.
23/3/2025 -- 20:08:18 - <Info> -- Dropped 0 rules.
23/3/2025 -- 20:08:19 - <Info> -- Enabled 136 rules for flowbit dependencies.
23/3/2025 -- 20:08:19 - <Info> -- Backing up current rules.
23/3/2025 -- 20:08:23 - <Info> -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 57764; enabled: 42575; added: 121; removed 1; modified: 1296
23/3/2025 -- 20:08:23 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
23/3/2025 -- 20:08:24 - <Info> -- Testing with suricata -T.
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto / Node.js SAML Authentication Bypass Forged DigestValue Comment (CVE-2025-29775)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response"; content:"|3c|DigestValue|3e 3c 21 2d 2d|"; fast_pattern; pcre:"/^[A-Za-z0-9\x2b\x2f]+\x3d*\x2d\x2d\x3e[A-Za-z0-9\x2b\x2f]+\x3d*\x3c\x2fds\x3aDigestValue\x3e/R"; reference:url,workos.com/blog/samlstorm; reference:cve,2025-29775; classtype:web-application-attack; sid:2060960; rev:1; metadata:affected_product Node_js, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_19, cve CVE_2025_29775, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56633
23/3/2025 -- 20:08:27 - <Error> -- fast_pattern cannot be used with base64_data
23/3/2025 -- 20:08:27 - <Error> -- error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response"; content:"|3c|SignedInfo|3e|"; fast_pattern; content:"|3c|SignedInfo|3e|"; distance:0; reference:url,github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g; reference:cve,2025-29774; classtype:web-application-attack; sid:2060961; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_19, cve CVE_2025_29774, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)" from file /usr/var/lib/suricata/rules/suricata.rules at line 56634
23/3/2025 -- 20:08:27 - <Error> -- Loading signatures failed.
23/3/2025 -- 20:08:27 - <Error> -- Suricata test failed, aborting.
23/3/2025 -- 20:08:27 - <Error> -- Restoring previous rules.
find: ‘/run/user/1000/gvfs’: Permission non accordée
find: ‘/run/user/1000/doc’: Permission non accordée
find: ‘/tmp/.mount_jetbraCHtaVt’: Permission non accordée
find: ‘/run/user/1000/gvfs’: Permission non accordée
find: ‘/run/user/1000/doc’: Permission non accordée
find: ‘/tmp/.mount_jetbraCHtaVt’: Permission non accordée

```,
here my configuration :`alexandre@alexandre-Matebook:~/Documents$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 --user suricata --group suricata 
Notice: suricata: This is Suricata version 8.0.0-dev (2c0d3b83c 2024-12-13) running in SYSTEM mode [LogVersion:suricata.c:1152]
^C^C^C^C^C^C^C^C^C^C^C^C^C^C^CError: nfq: nfq_create_queue failed [NFQInitThread:source-nfq.c:639]
Error: nfq: nfq thread failed to initialize [ReceiveNFQThreadInit:source-nfq.c:742]
alexandre@alexandre-Matebook:~/Documents$ 
alexandre@alexandre-Matebook:~/Documents$ uname -r 
6.10.12-061012-generic
alexandre@alexandre-Matebook:~/Documents$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.2 LTS
Release:	24.04
Codename:	noble
alexandre@alexandre-Matebook:~/Documents$ `

could you help me ?
Regards

vjulien · March 24, 2025, 5:44am

Please use the current git master and try again. We can’t support random old snapshots of it.

a_m · March 24, 2025, 10:42am

i just did git pull on master branch !

Topic		Replies	Views
Permissions in /var/lib/suricata to update rules as suricata user Help rules	2	360	April 6, 2024
/tmp/tmpm296mhk5/fast.log\ permission denied Rules	18	107	March 23, 2025
<Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/local.rules Help	4	8830	December 19, 2023
Suricata not loading rules Help	6	2607	May 4, 2021
Ubuntu. No such directory. [ERRCODE: SC_ERR_NO_RULES(42)] Help	6	2619	January 27, 2021

Error to update rules suricata (suricata version =>8.0.0-dev (2c0d3b83c 2024-12-13)

Related topics