Suricata-Update giving warnings and errors

When I run suricata-update on a new installation I am getting the following warning and errors. I have run suricata-update update-sources numerous times as the warning says to do. It does not fix the issue.

I have enabled et/pro source.

7/2/2021 – 05:51:11 - – No index exists, will use bundled index.
7/2/2021 – 05:51:11 - – Please run suricata-update update-sources.
7/2/2021 – 05:51:11 - – Fetching https://rules.emergingthreatspro.com//suricata-6.0.1/etpro.rules.tar.gz.
7/2/2021 – 05:51:12 - – Failed to fetch https://rules.emergingthreatspro.com//suricata-6.0.1/etpro.rules.tar.gz: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
7/2/2021 – 05:51:12 - – Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
7/2/2021 – 05:51:12 - – Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules

Can you try suricata-update -v update-sources? It should give us a little more detail as to what's going on.

Ran suricata-update -v update-sources. Results:

sudo suricata-update -v update-sources
[sudo] password for secadmin:
7/2/2021 – 18:02:21 - – This is suricata-update version 1.2.0 (rev: None); Python: 3.6.9 (default, Oct 8 2020, 12:12:24) - [GCC 8.4.0]
7/2/2021 – 18:02:21 - – Loading /etc/suricata/update.yaml
7/2/2021 – 18:02:21 - – Setting configuration value subcommand → update-sources
7/2/2021 – 18:02:21 - – Setting configuration value verbose → True
7/2/2021 – 18:02:21 - – Setting configuration value version → False
7/2/2021 – 18:02:21 - – Setting configuration value func → <function update_sources at 0x7fbab7ecfb70>
7/2/2021 – 18:02:21 - – Found suricata at /usr/bin/suricata
7/2/2021 – 18:02:21 - – Using data-directory /var/lib/suricata.
7/2/2021 – 18:02:21 - – Using Suricata configuration /etc/suricata/suricata.yaml
7/2/2021 – 18:02:21 - – Using /usr/share/suricata/rules for Suricata provided rules.
7/2/2021 – 18:02:21 - – Found Suricata version 6.0.1 at /usr/bin/suricata.
7/2/2021 – 18:02:21 - – Downloading https://www.openinfosecfoundation.org/rules/index.yaml
7/2/2021 – 18:02:21 - – Setting HTTP User-Agent to Suricata-Update/1.2.0 (OS: Linux; CPU: x86_64; Python: 3.6.9; Dist: Ubuntu/18.04; Suricata: 6.0.1)
7/2/2021 – 18:02:21 - – Failed to download index: https://www.openinfosecfoundation.org/rules/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>

If I search for an index.yaml file on system, I find one in ./home/secadmin/suricata-5.0.3/suricata-update/tests/index.yaml. Is that the problem because I have suricata version 6.0.1 on this system? Do I need to reinstall suricata-update? Thanks.

I think I installed suricata version 6.0.1 using a PPA. It should have brought in and installed the latest version of suricata-update.

Looks like the certificates on your system might be out of date… Can you

curl https://www.openinfosecfoundation.org/rules/index.yaml

?

Yes. It shows me the content of the index.yaml file without any errors. But when I run suricata-update I still get errors.

Where do I get the latest certificate for this?

It should just use the root CAs provided by your operating system. Did this used to work? Then stop? That suggests some package might need to be updated on your system. Though, not being familiar with Ubuntu/Debian, I'm not sure off-hand what this might be. Or perhaps do you go through a proxy that has an invalid or self-signed certificate?

You can try adding the command line option --no-check-certificate which will allow it to continue on certain kinds of certificate failures.

suricata-update --no-check-certificate update-sources
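A diagnostic for the situation described in this thread (curl succeeds, Python's urllib fails with CERTIFICATE_VERIFY_FAILED), added here as an example; it is not suricata-update's own code. curl and Python can be built against different TLS libraries and trust stores, so the script reports which CA file and directory Python's ssl module actually uses, performs a fully verifying fetch with an optional explicit bundle, and, on failure, runs openssl s_client to show who issued the certificate the client is actually being presented (a corporate or self-signed issuer points at an intercepting proxy rather than a stale CA package). The helper names, the sample PEM bundle and the default URL handling are assumptions; the URL itself is the index URL from the thread.

```python
"""Why does Python reject a TLS certificate that curl accepts?

Added example for this thread (not suricata-update's own code). The helper
names and the SAMPLE_BUNDLE text are constructed for illustration.
"""
import os
import ssl
import subprocess
import urllib.request
from urllib.parse import urlsplit

# Constructed sample bundle with two dummy PEM blocks; it only exercises
# count_pem_certs(), it is not a real certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
"""


def python_ca_store():
    """Report where Python's ssl module looks for trust anchors.

    SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in defaults, so an
    environment variable left over from another tool can point Python at an
    empty or outdated bundle while curl keeps using the OS store.
    """
    paths = ssl.get_default_verify_paths()
    cafile = os.environ.get(paths.openssl_cafile_env) or paths.cafile
    capath = os.environ.get(paths.openssl_capath_env) or paths.capath
    return {
        "cafile": cafile,
        "cafile_exists": bool(cafile) and os.path.isfile(cafile),
        "capath": capath,
        "capath_exists": bool(capath) and os.path.isdir(capath),
        "openssl": ssl.OPENSSL_VERSION,
    }


def count_pem_certs(pem_text):
    """Count certificate blocks in a PEM bundle; 0 means it cannot verify anything."""
    return sum(1 for line in pem_text.splitlines()
               if line.strip() == "-----BEGIN CERTIFICATE-----")


def strict_context(cafile=None):
    """Verifying context: this is what a correct fix must satisfy.

    Passing cafile tests a candidate bundle (for example a freshly updated
    /etc/ssl/certs/ca-certificates.crt) without touching the system default.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_url(url, cafile=None, timeout=10):
    """Fetch url with full certificate and hostname verification; return (ok, detail)."""
    try:
        with urllib.request.urlopen(url, context=strict_context(cafile),
                                    timeout=timeout) as resp:
            return True, "HTTP %d" % resp.status
    except ssl.SSLError as exc:
        # verify_message exists on Python 3.7+; fall back to str() on 3.6
        return False, "verify failed: %s" % getattr(exc, "verify_message", str(exc))
    except Exception as exc:  # DNS, proxy, timeout: not a certificate problem
        return False, str(exc)


def presented_issuer(url, timeout=10):
    """Show subject, issuer and validity of the certificate the client sees.

    openssl s_client here trusts nothing and is used only for inspection. An
    issuer that is not a public CA means a TLS-intercepting proxy is in the
    path; its CA must be added to the trust store instead of disabling checks.
    """
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-servername", host],
        input=b"", stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
        input=s_client.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return x509.stdout.decode(errors="replace")


if __name__ == "__main__":
    import json
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else \
        "https://www.openinfosecfoundation.org/rules/index.yaml"
    print(json.dumps(python_ca_store(), indent=2))
    ok, detail = check_url(url)
    print("verified fetch:", ok, detail)
    if not ok:
        print(presented_issuer(url))
```

Run it as the same user that runs suricata-update (sudo may drop SSL_CERT_FILE from the environment, or keep a different one). If cafile_exists is false or count_pem_certs() on that file returns 0, the Python side is reading an empty store; on Ubuntu the bundle is /etc/ssl/certs/ca-certificates.crt from the ca-certificates package and is rebuilt with update-ca-certificates. If the presented issuer is not the public CA, add the proxy's CA to that store rather than relying on --no-check-certificate, which leaves rule downloads open to substitution.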

Running it with no certificate check allowed the index to be updated. Then running suricata-update with no certificate check allowed the ET Pro signatures to be loaded and configured.

I will have to find a way to get the latest CA certificates installed. I tried a few things but there were no updates to the CA certificate repository.

Thanks.