Running suricata-update

Hi,

Quick question… When running “suricata-update”, is it required to restart suricata.service to apply the changes?

Thanks

Hi Nuno,

Once Suricata has started, it won’t reload the rules unless it’s told to do so. For that, you can either issue a rule reload command (check 7.3. Rule Reloads — Suricata 6.0.4 documentation) or you can restart Suricata.

(For anyone interested, Josh Stroschein did a quick introduction to Rule management with Suricata-update that covers how to use it with pcap mode, but also mentions things like that - closer to the end of the video - Getting Started with Suricata-Update: Managing rule sets and sources - YouTube)

Does that answer your question?

Sure. Many thanks!!!

The idea was to create a script that runs “suricata-update” every day.

So, according to what you told me, I must indicate the script to run suricata-update and then reload or restart suricata.

You’re welcome!

And I would say your reasoning is correct, yes. :slight_smile:

You can also create a /etc/suricata/update.yaml and put your reload command in there, see: suricata-update - Update — suricata-update 1.3.0dev0 documentation

The reload will then be handled by suricata-update only if there was a change to the rules. The example in that config assumes Systemd has been set up to send a SIGUSR2 on reload, but you could replace it with the suricatasc command.

Thank you! It worked perfectly.

What is the main difference between suricatasc -c reload-rules and suricatasc -c ruleset-reload-nonblocking ?

Which one is recommended?

reload-rules-nonblocking issues the reload and immediately returns. Both are equivalent otherwise. The answer will depend on your deployment needs. If the reload is initiated through a tool, it doesn’t really matter.

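For reference, a sketch of the daily wrapper discussed in this thread, added here as an example and not posted by any of the participants: it runs suricata-update, reloads through suricatasc only when the merged rule file actually changed, and keeps the running ruleset if the update fails. The rule file path, the function names and the `run` argument are assumptions; it also assumes no reload command is already configured in update.yaml.

```shell
#!/bin/sh
# Added example: daily rule update with a conditional reload.
# Assumed default: suricata-update writes its merged output to this file.
RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"
UPDATE_CMD="${UPDATE_CMD:-suricata-update}"
# suricatasc needs the unix-command socket enabled in suricata.yaml.
RELOAD_CMD="${RELOAD_CMD:-suricatasc -c reload-rules}"

# Print a digest of the merged rule file, or "absent" if it does not exist yet.
rules_digest() {
    if [ -f "$RULES_FILE" ]; then
        sha256sum "$RULES_FILE" | cut -d' ' -f1
    else
        echo absent
    fi
}

# Update the rules and reload only on change.
# Prints "unchanged" or "reloaded"; returns 1 if the update failed,
# 2 if the reload command failed.
update_and_reload() {
    before=$(rules_digest)
    if ! $UPDATE_CMD; then
        echo "rule update failed; running ruleset left untouched" >&2
        return 1
    fi
    after=$(rules_digest)
    if [ "$before" = "$after" ]; then
        echo unchanged
        return 0
    fi
    if ! $RELOAD_CMD >/dev/null; then
        echo "rules changed but the reload command failed" >&2
        return 2
    fi
    echo reloaded
}

# Hypothetical invocation from cron or a systemd timer: daily-update.sh run
case "${1:-}" in
    run) update_and_reload ;;
esac
```

The non-zero return codes let cron mail or a timer's OnFailure hook flag a sensor that is still running yesterday's rules.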