Signature rule not loaded

Hello
I have just set up Suricata for the first time with suricata-update and I am pretty disappointed to see this error:

mars 20 16:13:33 datasecu suricata[15471]: 20/3/2020 -- 16:13:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern suricata.rules
mars 20 16:13:33 datasecu suricata[15471]: 20/3/2020 -- 16:13:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

It sounds like nothing matches the signatures which are in the suricata.rules…
Can anyone help me?

Hello. Can you tell us a little bit more how you installed Suricata?

Also, try adding “-vvv” when running Suricata; that should log the rule file that it is trying to load. You might want to verify that against the file that suricata-update is writing, to make sure it is loading the same file.

The “-vvv” gave me nothing more than the “systemctl -l” :frowning:
Below is an extract:

20/3/2020 -- 18:32:49 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
20/3/2020 -- 18:32:49 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
20/3/2020 -- 18:32:49 - <Config> - prefilter engines: MPM
20/3/2020 -- 18:32:49 - <Config> - IP reputation disabled
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern suricata.rules
20/3/2020 -- 18:32:49 - <Config> - No rules loaded from suricata.rules.
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures.rules
20/3/2020 -- 18:32:49 - <Config> - No rules loaded from signatures.rules
20/3/2020 -- 18:32:49 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 2 rule files specified, but no rule was loaded at all!
20/3/2020 -- 18:32:49 - <Info> - Threshold config parsed: 0 rule(s) found
20/3/2020 -- 18:32:49 - <Perf> - using shared mpm ctx' for tcp-packet
20/3/2020 -- 18:32:49 - <Perf> - using shared mpm ctx' for tcp-stream

Well, I assume that something goes wrong with suricata.rules (due to my poor knowledge) created by suricata-update and the suricata engine: rules are downloaded from a local repository (no internet access) and suricata.rules is correct from my point of view (I verified that one signature from ET is included in suricata.rules after running the update).

But, according to the ERROR message, nothing is loaded when I run suricata: what can keep suricata from loading the signatures included in the /var/lib/suricata/rules/suricata.rules? Have I missed a parameter in the conf?

Thanks for your help!

Make sure that /var/lib/suricata/rules/suricata.rules exists and has rules in it. Then check that Suricata is loading that file, in your suricata.yaml you should see something like:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Well… humm… I changed /var/lib/suricata/rules to ‘744’ and it works (previously in ‘644’ :unamused: ).
Sorry for your time reading my divagation, I am used to working with Microsoft and vendor appliances… not with Linux! But I am working on it :wink:

No problem. Typically you’d use 755 for a directory, and 644 for files, or some variation on that depending on your needs.
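
Added example, not part of the original thread: a small shell check for the cause found above, a rule directory that has read bits but no search (x) bit, so Suricata reports SC_ERR_NO_RULES even though suricata.rules exists. The function names are hypothetical, GNU `stat` is assumed, and the account running Suricata is assumed to fall into the same permission class for the directory and the file.

```sh
#!/bin/sh
# Added example (not from the thread): why a rule file that exists can still
# produce SC_ERR_NO_RULES. Function names are hypothetical; assumes GNU stat.

# class_digit MODE CLASS: octal permission digit for owner, group or other.
class_digit() {
    m=$(printf '%04o' "0$1")            # normalise "644" or "2755" to 4 digits
    case $2 in
        owner) m=${m#?};  echo "${m%??}" ;;
        group) m=${m#??}; echo "${m%?}" ;;
        other) echo "${m#???}" ;;
        *) return 64 ;;
    esac
}

# can_load DIRMODE FILEMODE CLASS
# 0: loadable, 1: directory lacks search (x), 2: file lacks read (r).
can_load() {
    d=$(class_digit "$1" "$3") || return 64
    f=$(class_digit "$2" "$3") || return 64
    [ $(( $d & 1 )) -ne 0 ] || return 1
    [ $(( $f & 4 )) -ne 0 ] || return 2
    return 0
}

# check_rule_file DIR FILE CLASS: same check against real paths. CLASS is the
# permission class the account running Suricata falls into for DIR (root
# bypasses these bits, so this matters for an unprivileged account).
check_rule_file() {
    dmode=$(stat -c '%a' "$1") || return 3
    # Test the directory first: without its x bit the file cannot be stat'ed.
    can_load "$dmode" 444 "$3" || {
        echo "$1 is mode $dmode: $3 cannot traverse it (needs x, e.g. 755)"
        return 1
    }
    fmode=$(stat -c '%a' "$1/$2") || return 3
    can_load "$dmode" "$fmode" "$3" || {
        echo "$1/$2 is mode $fmode: $3 cannot read it (e.g. 644)"
        return 2
    }
    echo "$1/$2 is loadable by $3"
}

# Usage with the paths from the thread:
#   check_rule_file /var/lib/suricata/rules suricata.rules owner
```

With the directory at 644 the check returns 1 for every class; at 744 it passes for the owner only, and at 755 for owner, group and other.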