Change Surricata yaml?

eng3

I am just starting to look at Surricata. I am getting "SURICATA packet out of window". Looking at stats, I see:

tcp.segment_memcap_drop                       | Total                     | 334
tcp.reassembly_gap                            | Total                     | 797
tcp.reassembly_memuse                         | Total                     | 123053920

Based on my searches, I see a recommendation to change the stream.reassembly.memcap in the yaml.

I don't see any setting in the GUI to configure the memcap. I see in "diagnostics->edit file" I can change a file but I don't know where to find it. Even if I can find it, I assume it will get overwritten if I change something in the GUI. What is the proper way to adjust this?

bmeeks

You can find that parameter on the FLOW/STREAM tab for the Suricata interface.

Never edit the suricata.yaml file directly. That file is re-created each time you save a change in the GUI. All configuration info for Suricata on pfSense is stored in the firewall's config.xml file and then written into a unique suricata.yaml file for each configured Suricata interface.

eng3

@bmeeks Hmm, I don't see a FLOW/STREAM tab. is it inside one of the main tabs? I just have Interfaces, Global Settings, Updates, Alerts, Blocks, Files, Pass Lists, Suppress, Log view, Log Mgmt, SID Mgmt, Sync, IP List

bmeeks

@eng3 said in Change Surricata yaml?:

@bmeeks Hmm, I don't see a FLOW/STREAM tab. is it inside one of the main tabs? I just have Interfaces, Global Settings, Updates, Alerts, Blocks, Files, Pass Lists, Suppress, Log view, Log Mgmt, SID Mgmt, Sync, IP List

Click the INTERFACES tab, then either double-click the row of a configured Suricata interface, or click the Edit pencil icon out on the right end of the row. That will open a new set of interface-specific tabs.

I assume you have actually configured an interface, right?

eng3

@bmeeks Yes. and I found where to set it. It fixed the drop issue. still getting the message though