Is there a way to modify the Suricata rule update times for ET community closer to the actual release time?
It is set to update every 12 hours, and lately the updates are out of sync because the actual updates are getting released a little after IPFire Suricata checks for updates.
Next update cycle will update it, but that’s a long delay.
# Perform a suricata rules update every 12 hours.
@ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1
The @ 12h portion means run this command every 12 hours of actual elapsed fcron execution time.
So if the IPFire has been turned off for any time, that time is counted as non-execution time, so the actual time at which the fcron rule is executed will depend on when the machine was first started up and how long it has been turned off in the intervening period.
Therefore different IPFire machines can have different times for running that command depending on when they were first started up and how often they have been turned off.
So you could put it closer to sync by turning the IPFire off for a certain amount of time so that it will try just after a potential release time.
Why not use the standard cron time/date fields? e.g. 1 */12 * * * is 1 minute past midday and midnight. Or you could do something like 1 2,14 * * * which is 1 minute past 2am and 2pm. See the Crontab Guru.
Thank you for this suggestion. I couldn’t afford to turn off this IPFire, but I was able to stop fcron, wait 2 hours and start fcron again:
/etc/rc.d/init.d/fcron stop
wait 2 hours
/etc/rc.d/init.d/fcron start
Looking at the logs I see that after 13.5 hours of running, the @12h update was synced, and it has been updating regularly at fcron start time + 1.5 hours.
Will the crontab rule created at CrontabGuru work for Fcron as well?
I would be interested to know why the @12h is preferred.
The only reason I could think of is to have each IPFire instance update at a different time, almost randomly. Otherwise all IPFires would start updating at a particular time and folks at Emerging Threats would be annoyed and start blocking our IPs?
If all IPFire systems did this at the same time it would be like a DoS attack on the download servers. So we do not want update tasks at the same time on all installations.
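One way to get both things at once, fixed time fields as suggested earlier in the thread and a per-installation spread so the download servers are not hit simultaneously, as an added example that is not from this thread or from IPFire itself: derive the minute field from the hostname and keep the command part of the quoted fcrontab entry unchanged. It assumes the hostname as the jitter source and 2am/2pm as the hours; fcron accepts the standard five-field lines alongside @ entries.

```shell
#!/bin/sh
# Added example: emit a fixed-time fcrontab/crontab line whose minute field is
# spread across installations. Assumption: the hostname is the jitter source.

# Map a string (e.g. the hostname) to a minute in 0..59 using POSIX cksum.
jitter_minute() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % 60 ))
}

# Build the schedule line: "<minute> <hours> * * * <same command as IPFire uses>".
# $1 = hostname, $2 = hour list in cron syntax (e.g. "2,14" or "*/12").
ruleset_cron_line() {
    host=$1
    hours=$2
    min=$(jitter_minute "$host")
    printf '%s %s * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1\n' \
        "$min" "$hours"
}

# Stand-alone use: print the line for this machine at 2am and 2pm.
ruleset_cron_line "$(uname -n)" "2,14"
```

Every host gets a different minute but the same hours, so updates still land shortly after the release window instead of drifting with fcron's elapsed-time counter.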