Bug #13839

Updated by Marcos M almost 2 years ago

Recently I've noticed that updating Suricata versions takes a very long time, every time. After an update to the latest pfSense dev build, I saw these in the system logs - notice it took 10 minutes on a single step (logs reversed): 
 <pre> 
 Jan 5 14:43:13  	 pkg-static  	 43609  	 pfSense-pkg-suricata upgraded: 6.0.8_4 -> 6.0.8_5 
 Jan 5 14:40:16  	 kernel  		 done. 
 Jan 5 14:40:16  	 php  	 70799  	 //etc/rc.packages: Successfully installed package: suricata. 
 Jan 5 14:40:16  	 kernel  		 done. 
 Jan 5 14:40:16  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Overwrote previous installation of suricata. 
 Jan 5 14:40:16  	 php  	 70799  	 [Suricata] Package post-installation tasks completed. 
 Jan 5 14:40:16  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Suricata pkg v6.0.8_5: post-install configuration saved. 
 Jan 5 14:40:16  	 php  	 70799  	 [Suricata] Finished rebuilding installation from saved settings. 
 Jan 5 14:40:15  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php 
 Jan 5 14:40:15  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Installed cron job for /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600 
 Jan 5 14:40:15  	 kernel  		 done. 
 Jan 5 14:40:15  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc 
 Jan 5 14:40:15  	 php  	 70799  	 [Suricata] Building new sid-msg.map file for ISP1... 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] Updating rules configuration for: ISP1 ... 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] The Rules update has finished. 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] Removed 0 obsoleted rules category files. 
 Jan 5 14:40:13  	 kernel  		 done. 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] Hide Deprecated Rules is enabled. Removing obsoleted rules categories. 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] Extra ETNetera rules were updated... 
 Jan 5 14:40:13  	 kernel  		 done. 
 Jan 5 14:40:13  	 php  	 70799  	 [Suricata] Extra ETNetera rules file update downloaded successfully. 
 Jan 5 14:40:03  	 kernel  		 Extra MalSilo rules were updated. 
 Jan 5 14:40:03  	 php  	 70799  	 [Suricata] Extra MalSilo rules were updated... 
 Jan 5 14:40:03  	 kernel  		 done. 
 Jan 5 14:40:03  	 php  	 70799  	 [Suricata] Extra MalSilo rules file update downloaded successfully. 
 Jan 5 14:40:03  	 kernel  		 done. 
 Jan 5 14:29:51  	 php  	 70799  	 [Suricata] ABUSE.ch SSL Blacklist rules were updated... 
 Jan 5 14:29:51  	 kernel  		 done. 
 Jan 5 14:29:51  	 php  	 70799  	 [Suricata] ABUSE.ch SSL Blacklist rules file update downloaded successfully. 
 Jan 5 14:19:40  	 kernel  		 Feodo Tracker Botnet C2 IP rules were updated. 
 Jan 5 14:19:40  	 php  	 70799  	 [Suricata] Feodo Tracker Botnet C2 IP rules were updated... 
 Jan 5 14:19:40  	 kernel  		 done. 
 Jan 5 14:19:40  	 php  	 70799  	 [Suricata] Feodo Tracker Botnet C2 IP rules file update downloaded successfully. 
 Jan 5 14:19:38  	 kernel  		 done. 
 Jan 5 14:19:38  	 php  	 70799  	 [Suricata] Snort GPLv2 Community Rules file update downloaded successfully. 
 Jan 5 14:19:36  	 kernel  		 done. 
 Jan 5 14:19:36  	 php  	 70799  	 [Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz... 
 Jan 5 14:19:35  	 kernel  		 done. 
 Jan 5 14:19:35  	 php  	 70799  	 [Suricata] Emerging Threats Open rules file update downloaded successfully. 
 Jan 5 14:19:34  	 kernel  		 done. 
 Jan 5 14:19:34  	 php  	 70799  	 [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz... 
 Jan 5 14:19:26  	 kernel  		 done. 
 Jan 5 14:19:26  	 php  	 70799  	 [Suricata] Downloading and updating configured rule types. 
 Jan 5 14:19:26  	 php  	 70799  	 [Suricata] Configuration version is current. 
 Jan 5 14:19:26  	 php  	 70799  	 [Suricata] Checking configuration settings version... 
 Jan 5 14:19:26  	 kernel  		 Saved settings detected... 
 Jan 5 14:19:26  	 php  	 70799  	 [Suricata] Saved settings detected... rebuilding installation with saved settings. 
 Jan 5 14:19:25  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php 
 Jan 5 14:19:25  	 php  	 70799  	 [Suricata] Cleaning up temp files after GeoLite2-Country database update. 
 Jan 5 14:19:25  	 php  	 70799  	 [Suricata] GeoLite2-Country database update completed. 
 Jan 5 14:19:25  	 php  	 70799  	 [Suricata] Moving new database to /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb... 
 Jan 5 14:19:25  	 php  	 70799  	 [Suricata] Extracting new GeoLite2-Country database from the archive... 
 Jan 5 14:19:25  	 php  	 70799  	 [Suricata] New GeoLite2-Country IP database gzip archive successfully downloaded. 
 Jan 5 14:19:24  	 php  	 70799  	 [Suricata] Downloading new GeoLite2-Country IP database... 
 Jan 5 14:19:24  	 php  	 70799  	 [Suricata] A new GeoLite2-Country IP database is available. 
 Jan 5 14:19:23  	 php  	 70799  	 [Suricata] Checking for updated MaxMind GeoLite2 IP database file... 
 Jan 5 14:19:23  	 php  	 70799  	 [Suricata] Installing free GeoLite2 country IP database file in /usr/local/share/suricata/GeoLite2/... 
 Jan 5 14:19:23  	 php  	 70799  	 //etc/rc.packages: Configuration Change: (system): Intermediate config write during package install for suricata. 
 Jan 5 14:19:23  	 php  	 70799  	 //etc/rc.packages: Beginning package installation for suricata . 
 Jan 5 14:19:22  	 php  	 48950  	 [Suricata] Flushing all blocked hosts from <snort2c> table due to package removal... 
 Jan 5 14:19:22  	 php  	 48950  	 /etc/rc.packages: Configuration Change: (system): Suricata pkg removed Dashboard Alerts widget. 
 Jan 5 14:19:22  	 php  	 48950  	 /etc/rc.packages: Configuration Change: (system): Removed cron job for suricata_geoipupdate.php 
 Jan 5 14:19:22  	 php  	 48950  	 /etc/rc.packages: Configuration Change: (system): Removed cron job for snort2c 
 Jan 5 14:19:22  	 php  	 48950  	 /etc/rc.packages: Configuration Change: (system): Removed cron job for suricata_check_cron_misc.inc 
 Jan 5 14:19:22  	 php  	 48950  	 /etc/rc.packages: Configuration Change: (system): Removed cron job for suricata_check_for_rule_updates.php 
 Jan 5 14:19:20  	 php  	 48950  	 [Suricata] Suricata package uninstall in progress... 
  
 </pre> 

Downloading the files directly in a browser finished immediately, so I don't think it's a bandwidth issue:
https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz
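Added example (not part of the report or of the pfSense Suricata package): a small script that parses pfSense system-log lines in the format shown above, keeps only the `[Suricata]` entries, and attributes each wait to the step that logged its completion, so the two ten-minute gaps around the ABUSE.ch and MalSilo downloads stand out. The sample log is a constructed subset of the lines quoted in the report.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the pfSense system log lines quoted in the
# report, newest first as pfSense displays them (tabs collapsed to spaces).
SAMPLE_LOG = """\
Jan 5 14:40:13 php 70799 [Suricata] Extra ETNetera rules file update downloaded successfully.
Jan 5 14:40:03 kernel done.
Jan 5 14:40:03 php 70799 [Suricata] Extra MalSilo rules file update downloaded successfully.
Jan 5 14:29:51 php 70799 [Suricata] ABUSE.ch SSL Blacklist rules were updated...
Jan 5 14:29:51 php 70799 [Suricata] ABUSE.ch SSL Blacklist rules file update downloaded successfully.
Jan 5 14:19:40 php 70799 [Suricata] Feodo Tracker Botnet C2 IP rules were updated...
Jan 5 14:19:40 php 70799 [Suricata] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.
Jan 5 14:19:38 php 70799 [Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
Jan 5 14:19:26 php 70799 [Suricata] Downloading and updating configured rule types.
"""

# "Mon D HH:MM:SS  process  [pid]  message"; the pid column is absent on kernel lines.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(?:\d+\s+)?(.*)$")


def parse_suricata_lines(log_text):
    """Return (timestamp, message) for each [Suricata] line, oldest first."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group(3).startswith("[Suricata]"):
            continue  # skip kernel "done." noise and other processes
        # syslog timestamps carry no year; strptime defaults to 1900, fine for same-day deltas
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        entries.append((ts, m.group(3)))
    entries.reverse()  # pfSense shows newest first; work in chronological order
    return entries


def slow_steps(log_text, threshold_s=60):
    """Return [(seconds, message)] for every step that waited >= threshold_s, largest first."""
    entries = parse_suricata_lines(log_text)
    gaps = []
    for (prev_ts, _), (ts, msg) in zip(entries, entries[1:]):
        secs = int((ts - prev_ts).total_seconds())
        if secs >= threshold_s:
            gaps.append((secs, msg))
    return sorted(gaps, reverse=True)
```

Run `slow_steps(SAMPLE_LOG)` to get the two 600-second-plus download steps; feed it the full log (tabs are fine, the regex tolerates them) to rank every slow step in an upgrade.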
