Suricata not loading rules

ora · May 4, 2021, 10:30pm

Hello,
I installed Suricata, enabled etpro and did the suricata-update, it ran fine without issues. Rule file was compiled into

-rw-r–r-- 1 root suricata 44133288 May 4 22:16 /var/lib/suricata/rules/suricata.rules

When I run suricata, it gives me this:

4/5/2021 – 22:24:42 - - stats output device (regular) initialized: stats.log
4/5/2021 – 22:24:42 - - Running in live mode, activating unix socket
4/5/2021 – 22:24:42 - - [ERRCODE: SC_ERR_FOPEN(44)] - could not open: “/var/lib/suricata/rules/classification.config”: Permission denied
4/5/2021 – 22:24:42 - - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the “classification-file” option in your suricata.yaml file
4/5/2021 – 22:24:42 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
4/5/2021 – 22:24:42 - - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
4/5/2021 – 22:24:42 - - Threshold config parsed: 0 rule(s) found
4/5/2021 – 22:24:42 - - 0 signatures processed. 0 are IP-only rules, 0 are inspecting pa

Tried everything, dir and file permissions, no luck. Everything seems to be in the right place. Suricata is running as root so that cause permission issues. No errors on update, but it just won’t load. Any ideas? TIA

ish · May 4, 2021, 10:39pm

How did you install Suricata? From source? RPM? PPA? Can you check the permissions on the directory /var/lib/suricata/rules as well.

ora · May 4, 2021, 10:52pm

Installed from rpm (suricata-6.0.2-1.el7.x86_64)

drwxr-sr-x 2 root suricata 4096 May 4 22:43 rules
drwxr-sr-x 4 root suricata 4096 Apr 29 20:40 update

It’s running as root so perm shouldn’t be an issue unless there is some caveat I’m not aware of.

Oddly the rule file is created with 600
-rw------- 1 root suricata 44171023 May 4 22:49 suricata.rules

But when I change to 644 it seems to work on et but not etpro

If it’s running as root, why does this matter? Is there a way to create the rule files with necessary permissions? Also, does suricata service need to be restarted after updating or it takes effect? Thanks

ish · May 4, 2021, 11:00pm

When using the RPM and starting Suricata with systemctl, Suricata will actually run as the suricata user, not root. So that is something to be aware of.

Anyways, this should help reset the permissions:

chmod 2770 /var/lib/suricata
chown -R root:suricata /var/lib/suricata

ora · May 4, 2021, 11:02pm

Thanks, that’s helpful! So it would make sense to add to the update cronjob the permission bits then. Once update runs, does the engine need to be restarted?

ish · May 4, 2021, 11:04pm

The engine needs to be restarted or sent a SIGUSR2 to reload the rules.

The idea with the RPM and the 2770 mode on /var/lib/suricata is that you can run suricata-update as root, or as a user in the suricata group to avoid using root altogether. I’ve never seen a need to update permissions as part of the cronjob, at least not on a default CentOS 8 install with default umasks, etc.

ora · May 4, 2021, 11:08pm

Got it. Thanks for your help!

Topic		Replies	Views
Cannot load my own rule Rules suricata	2	362	October 15, 2022
Signature rule not loaded Help	7	7220	December 3, 2021
<Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed Rules	33	6945	October 12, 2020
Suricata-update ERRCODE: when suricata -T runs Rules	7	1698	February 22, 2023
Suricata Custom Ruleset will not Load into `suricata.rules` Rules ips , rules , suricata	6	2468	October 20, 2022

Suricata not loading rules

Related Topics