Signature rule not loaded

Hello
I have just set up Suricata for the first time with suricata-update and I am pretty disappointed to see this error:

mars 20 16:13:33 datasecu suricata[15471]: 20/3/2020 -- 16:13:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern suricata.rules
mars 20 16:13:33 datasecu suricata[15471]: 20/3/2020 -- 16:13:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

It sounds like nothing matches the signatures which are in the suricata.rules…
Can anyone help me?

Hello. Can you tell us a little bit more about how you installed Suricata?

Also, try adding “-vvv” when running Suricata; that should log the rule file that it is trying to load. You might want to verify that against the file that suricata-update is writing, to make sure it is loading the same file.

The “-vvv” gave me nothing more than “systemctl -l”.
Below is an extract:

20/3/2020 -- 18:32:49 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
20/3/2020 -- 18:32:49 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
20/3/2020 -- 18:32:49 - <Config> - prefilter engines: MPM
20/3/2020 -- 18:32:49 - <Config> - IP reputation disabled
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern suricata.rules
20/3/2020 -- 18:32:49 - <Config> - No rules loaded from suricata.rules.
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures.rules
20/3/2020 -- 18:32:49 - <Config> - No rules loaded from signatures.rules
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 2 rule files specified, but no rule was loaded at all!
20/3/2020 -- 18:32:49 - <Info> - Threshold config parsed: 0 rule(s) found
20/3/2020 -- 18:32:49 - <Perf> - using shared mpm ctx' for tcp-packet
20/3/2020 -- 18:32:49 - <Perf> - using shared mpm ctx' for tcp-stream

Well, I assume that something goes wrong between suricata.rules (due to my poor knowledge) created by suricata-update and the Suricata engine: rules are downloaded from a local repository (no internet access) and suricata.rules is correct from my point of view (I verified that one signature from ET is included in suricata.rules after running the update).

But, according to the ERROR message, nothing is loaded when I run Suricata: what can keep Suricata from loading the signatures included in /var/lib/suricata/rules/suricata.rules? Have I missed a parameter in the conf?

Thanks for your help!

Make sure that /var/lib/suricata/rules/suricata.rules exists and has rules in it. Then check that Suricata is loading that file, in your suricata.yaml you should see something like:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Well… humm… I changed /var/lib/suricata/rules to ‘744’ and it works (previously it was ‘644’).
Sorry for the time spent reading my divagation; I am used to working with Microsoft and vendor appliances… not with Linux! But I am working on it.


No problem. Typically you’d use 755 for a directory, and 644 for files, or some variation on that depending on your needs.
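Added example (not from the thread or the Suricata project): a Python check that evaluates the rule path the way the kernel does for a non-root user, from mode bits and ownership alone, so it reports the first directory lacking the search ('x') bit or the file lacking 'r' for that user. It assumes a POSIX filesystem and uses a constructed temporary tree plus a simulated non-owner uid in place of the thread's suri user (uid 1001); point it at /var/lib/suricata/rules/suricata.rules with the real uid and group set to diagnose a live host.

```python
import os
import shutil
import tempfile


def _rwx_for(st, uid, gids):
    """The rwx triple (0-7) that applies to uid with group memberships gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def first_blocking_component(path, uid, gids, root=os.sep):
    """Walk from root down to path as the given user would: every directory
    on the way needs the search bit ('x'), the rule file itself needs 'r'.
    Returns (component, missing_bit) for the first denial, or None.
    uid 0 bypasses mode bits, which is why running as root "fixes" the error."""
    if uid == 0:
        return None
    path, root = os.path.abspath(path), os.path.abspath(root)
    prefixes, cur = [root], root
    for part in os.path.relpath(path, root).split(os.sep):
        if part in ("", "."):
            continue
        cur = os.path.join(cur, part)
        prefixes.append(cur)
    for p in prefixes:
        bits = _rwx_for(os.stat(p), uid, gids)
        if p == path and not bits & 0o4:
            return (p, "r")
        if p != path and not bits & 0o1:
            return (p, "x")
    return None


def demo():
    """Constructed tree (assumption, not a real host) reproducing the thread:
    a 644 rules directory, the 755/644 fix, then a file readable by owner/group only."""
    sim_uid, sim_gids = os.getuid() + 1, set()  # a non-owner with no shared group
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)
    rules_dir = os.path.join(top, "rules")
    rule_file = os.path.join(rules_dir, "suricata.rules")
    os.mkdir(rules_dir, 0o755)
    with open(rule_file, "w") as fh:
        fh.write('alert tcp any any -> any any (msg:"constructed"; sid:1; rev:1;)\n')
    results = []
    try:
        for dir_mode, file_mode in ((0o644, 0o644), (0o755, 0o644), (0o755, 0o640)):
            os.chmod(rules_dir, 0o755)  # reopen the directory so the file's mode can be set
            os.chmod(rule_file, file_mode)
            os.chmod(rules_dir, dir_mode)
            results.append(first_blocking_component(rule_file, sim_uid, sim_gids, root=top))
    finally:
        os.chmod(rules_dir, 0o755)
        shutil.rmtree(top)
    return [(os.path.basename(r[0]), r[1]) if r else None for r in results]
```

The 644 directory is reported as blocking on 'x' before the file is ever reached, which is the original poster's failure; with 755 on the directory the chain is open, and a 640 file then fails on 'r' for a user outside its group.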

I am having this same issue and the steps above didn’t work. Suricata should run under user/group suri/suri. I got some errors in the beginning that stemmed from the user suri not being owner of the file. I fixed that by changing the group to suri and set permissions to 664 on the files and directories it mentioned.

I am now getting the error mentioned above when running suricata -T. Here is the information I think is relevant:

From YAML file:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

From suricata -Tvvv:

root@suricata:/etc/suricata# suricata -Tvvv
3/12/2021 -- 17:59:34 - <Info> - Running suricata under test mode
3/12/2021 -- 17:59:34 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
3/12/2021 -- 17:59:34 - <Info> - CPUs/cores online: 4
3/12/2021 -- 17:59:34 - <Config> - luajit states preallocated: 128
3/12/2021 -- 17:59:34 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31533 and 'request-body-inspect-window' set to 3991 after randomization.
3/12/2021 -- 17:59:34 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40133 and 'response-body-inspect-window' set to 15615 after randomization.
3/12/2021 -- 17:59:34 - <Config> - SMB stream depth: 0
3/12/2021 -- 17:59:34 - <Config> - Protocol detection and parser disabled for modbus protocol.
3/12/2021 -- 17:59:34 - <Config> - Protocol detection and parser disabled for enip protocol.
3/12/2021 -- 17:59:34 - <Config> - Protocol detection and parser disabled for DNP3.
3/12/2021 -- 17:59:34 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
3/12/2021 -- 17:59:34 - <Config> - preallocated 1000 hosts of size 136
3/12/2021 -- 17:59:34 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
3/12/2021 -- 17:59:34 - <Config> - Core dump size set to unlimited.
3/12/2021 -- 17:59:34 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
3/12/2021 -- 17:59:34 - <Config> - preallocated 65535 defrag trackers of size 160
3/12/2021 -- 17:59:34 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
3/12/2021 -- 17:59:34 - <Config> - flow size 320, memcap allows for 419430 flows. Per hash row in perfect conditions 6
3/12/2021 -- 17:59:34 - <Config> - stream "prealloc-sessions": 2048 (per thread)
3/12/2021 -- 17:59:34 - <Config> - stream "memcap": 67108864
3/12/2021 -- 17:59:34 - <Config> - stream "midstream" session pickups: disabled
3/12/2021 -- 17:59:34 - <Config> - stream "async-oneside": disabled
3/12/2021 -- 17:59:34 - <Config> - stream "checksum-validation": enabled
3/12/2021 -- 17:59:34 - <Config> - stream."inline": disabled
3/12/2021 -- 17:59:34 - <Config> - stream "bypass": disabled
3/12/2021 -- 17:59:34 - <Config> - stream "max-synack-queued": 5
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly "memcap": 268435456
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly "depth": 1048576
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly "toserver-chunk-size": 2627
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly "toclient-chunk-size": 2577
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly.raw: enabled
3/12/2021 -- 17:59:34 - <Config> - stream.reassembly "segment-prealloc": 2048
3/12/2021 -- 17:59:34 - <Info> - dropped the caps for main thread
3/12/2021 -- 17:59:34 - <Info> - fast output device (regular) initialized: fast.log
3/12/2021 -- 17:59:34 - <Info> - eve-log output device (regular) initialized: eve.json
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'alert'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'anomaly'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'http'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'dns'
3/12/2021 -- 17:59:34 - <Config> - eve-log dns version not set, defaulting to version 2
3/12/2021 -- 17:59:34 - <Config> - eve-log dns version not set, defaulting to version 2
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'tls'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'files'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'smtp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'ftp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'rdp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'nfs'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'smb'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'tftp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'ikev2'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'dcerpc'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'krb5'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'snmp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'rfb'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'sip'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'dhcp'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'ssh'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'mqtt'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'stats'
3/12/2021 -- 17:59:34 - <Config> - enabling 'eve-log' module 'flow'
3/12/2021 -- 17:59:34 - <Info> - stats output device (regular) initialized: stats.log
3/12/2021 -- 17:59:34 - <Config> - Delayed detect disabled
3/12/2021 -- 17:59:34 - <Config> - pattern matchers: MPM: ac, SPM: bm
3/12/2021 -- 17:59:34 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
3/12/2021 -- 17:59:34 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
3/12/2021 -- 17:59:34 - <Config> - prefilter engines: MPM
…
3/12/2021 -- 17:59:34 - <Config> - IP reputation disabled
3/12/2021 -- 17:59:34 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules

Here are the permissions for the file it's complaining about:

root@suricata:/etc/suricata# ll /var/lib/suricata/rules/suricata.rules
-rwxrwxr-- 1 root root 18034768 Dec  3 17:57 /var/lib/suricata/rules/suricata.rules*

Suricata should be able to do whatever it wants to this file, but I am still getting an error.

Quick update. I commented out the Suricata run-as parameter and it looks like the configuration is passing. I am assuming that's because it is running as root, which I do not want. The only thing I see different is that the suri user does not have a shell (by my choice). Does Suricata require its user to have a shell to run?

root@suricata:/etc/suricata# cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
root@suricata:/etc/suricata# cat /etc/passwd | grep suri
suri:x:1001:1001::/home/suri:/bin/false