Weirdness in suricata-update over last week

Over the last few days suricata-update has been failing to update the rules on all my sensors.

A run with --quiet generates:

31/10/2021 -- 10:20:14 - <Error> -- Suricata test failed, aborting.
31/10/2021 -- 10:20:14 - <Error> -- Restoring previous rules.

If I run it with --no-test it works fine and suricata reloads the updated rules without problems.

Running suricata with -T on the output from the --no-test run does not show any errors and exits with a code of `0`.

I assume that there has been a change in the rules that is causing this ??

Hi Russell!
Could you please tell us which sources are enabled in your setup?

Is "Suricata-update parsing problems with modify" a follow-up to this same problem?

No it is completely separate

  # Emerging Threats Open with the Suricata version dynamically replaced.
  - file:///home/sensors/Rules/source/emerging-suri-6.0.3.rules.tar.gz

I have the same issue on several machines running various versions of 6.0.

I pull the rule files down on a “manager” box and the sensors get them from a shared drive. Suricata-update is run from a script that checks if the rule file has been updated. The script is run hourly from cron.

Thank you.

I just gave it a try and ET Open rules for 6.0.3 seem to be loaded properly with tests passing. Could you please try -v instead of --quiet and show the output?

Also, maybe try and check the md5 checksum of your downloaded file to verify its integrity?

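As an added illustration of the hourly cron wrapper described in the thread and the md5 check suggested in the reply (example script, not from any of the posters), assuming the tarball is shipped with a `.md5` sidecar in md5sum format and that the file:// source is already enabled in suricata-update's configuration as shown above:

```shell
#!/bin/sh
# Hypothetical wrapper for the hourly job from the thread (not the poster's
# script): verify the ET Open tarball against its .md5 sidecar before
# suricata-update consumes it, and only update when the file has changed.
# Paths and the sidecar format are assumptions.
set -u

RULES_TGZ="${RULES_TGZ:-/home/sensors/Rules/source/emerging-suri-6.0.3.rules.tar.gz}"
STATE_FILE="${STATE_FILE:-/var/lib/suricata/last-rules.md5}"

# Print the md5 digest of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# Return 0 if the tarball matches the digest in "<tarball>.md5"
# (assumed format "<hex digest>  <filename>", as md5sum writes it).
verify_tarball() {
    tgz="$1"
    sidecar="$tgz.md5"
    [ -r "$tgz" ] && [ -r "$sidecar" ] || return 2
    expected=$(awk '{print $1}' "$sidecar")
    actual=$(file_md5 "$tgz")
    [ "$expected" = "$actual" ]
}

# Return 0 if the tarball's digest differs from the one recorded last run
# (or if no previous run is recorded).
rules_changed() {
    tgz="$1"; state="$2"
    [ -r "$state" ] || return 0
    [ "$(file_md5 "$tgz")" != "$(cat "$state")" ]
}

main() {
    if ! verify_tarball "$RULES_TGZ"; then
        echo "rules tarball failed md5 check or sidecar missing; not updating" >&2
        exit 1
    fi
    rules_changed "$RULES_TGZ" "$STATE_FILE" || exit 0
    # Keep the built-in "suricata -T" test (where the thread's runs fail) and
    # use -v so the reason for a failure ends up in the cron log.
    if suricata-update -v; then
        file_md5 "$RULES_TGZ" > "$STATE_FILE"
    else
        echo "suricata-update failed; previous rules kept" >&2
        exit 1
    fi
}

# Only run main when invoked as the script itself, so the functions can be sourced.
case "${0##*/}" in update-rules.sh) main "$@";; esac
```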