Netgate Discussion Forum
    Suricata tls.store Logs Mgmt

    IDS/IPS
    5 Posts 2 Posters 1.9k Views

    • fsansfil

      When using rules with tls.store, the certs folder is properly created under /var/log/suricata/interface/certs. The cert file and .meta file are stored, but I'm unable to manage Log Size and Retention Limits using the Logs Mgmt tab.

      Neither the TLS nor the Captured Files Retention Period option on the Logs Mgmt tab affects those files/folder.

      What am I doing wrong? ;)

      F.

      • bmeeks

        You're doing nothing wrong.  It's my bad.  I don't think I have the code structured properly for that task.  I could make up some lame story, but I will just be honest… :-[.  I did not test that particular feature.  I assumed, incorrectly it appears, that it would save things using a scheme like the other logs.

        Can you post a screenshot of the folder showing the files that are in there?  That will help me create a fix.  If you have privacy concerns with a public post, send me a PM and I will send you my e-mail address.  It will help me immensely to see the folder structure and content created by those rules.

        Thanks,
        Bill

        P.S. -- you seem to be an advanced Suricata user based on your other posts here helping others.  I'm still a Suricata newbie.  I just learned enough to create the package and used a lot of the existing Snort package code to clone from.  So if you find something else that's not quite right, let me know.

        • fsansfil

          Easier than that, just run this custom rule and visit a few https sites; the certs folder (var/log/suricata/suricata_interface/certs) will appear and populate. It's a catch-all, no alert. You may need to enable TLS logging on that interface too.

          alert tls any any -> any any (msg:"No Alert TLS Store"; tls.subject:"CN="; tls.store; noalert; classtype:policy-violation; sid:5216010; rev:3;)

          If it doesn't work, add gmail at my nick. I'll be glad to help.

          Thanks.

          F.

          • bmeeks
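The retention the Logs Mgmt tab does not yet apply to the certs folder, sketched as an added example (not code from this thread or from the pfSense Suricata package): it removes each .pem together with its .meta sidecar, first by retention period and then, oldest first, until the directory is under a size limit. The directory layout, file names and sizes used in demo() are constructed for illustration; only the .pem/.meta pairing comes from the thread.

```python
import os
import tempfile
import time
from pathlib import Path

def prune_certs_dir(certs_dir, max_age_days, max_bytes, now=None):
    """Age- then size-based retention for a tls.store certs directory.
    A .pem and its .meta sidecar share a stem and are removed together,
    so no orphan .meta is left. Returns the sorted removed file names."""
    now = time.time() if now is None else now
    groups = {}
    for path in Path(certs_dir).iterdir():
        if path.is_file() and path.suffix in (".pem", ".meta"):
            groups.setdefault(path.stem, []).append(path)
    # One entry per pair: (newest mtime, total bytes, files), oldest first.
    entries = sorted(((max(f.stat().st_mtime for f in files),
                       sum(f.stat().st_size for f in files), files)
                      for files in groups.values()), key=lambda e: e[0])
    removed, kept = [], []
    for mtime, size, files in entries:      # pass 1: retention period
        if now - mtime > max_age_days * 86400:
            removed += [f.name for f in files]
            for f in files:
                f.unlink()
        else:
            kept.append((size, files))
    total = sum(size for size, _ in kept)
    for size, files in kept:                # pass 2: size limit, oldest first
        if total <= max_bytes:
            break
        removed += [f.name for f in files]
        for f in files:
            f.unlink()
        total -= size
    return sorted(removed)

def demo(now=1_700_000_000):
    """Dry run on a constructed directory (names are made up, not Suricata's)."""
    sample = {"flow-a": 10, "flow-b": 3, "flow-c": 1}   # stem -> age in days
    with tempfile.TemporaryDirectory() as d:
        for stem, age in sample.items():
            for suffix, payload in ((".pem", b"-" * 2000), (".meta", b"#" * 100)):
                p = Path(d, stem + suffix)
                p.write_bytes(payload)
                os.utime(p, (now - age * 86400,) * 2)
        removed = prune_certs_dir(d, max_age_days=7, max_bytes=3000, now=now)
        remaining = sorted(p.name for p in Path(d).iterdir())
    return removed, remaining
```

With a 7-day period and a 3000-byte cap, flow-a goes by age, flow-b goes to get under the cap, and flow-c survives; point prune_certs_dir at the real certs path from a cron job to run it for real.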

            OK.  I will get this up and running in a VM and fix the code.  Give me a few days, though.  I have some other commitments that will consume some of my time.

            I have also been hoping that any day now the maintainer will update Suricata in the FreeBSD ports tree.  That's the flag I usually wait for before I submit an update to the pfSense Team.  They like to stay in-sync with FreeBSD ports.  Suricata 2.0.7 has been out for quite some time, but FreeBSD ports is still on 2.0.6.

            Bill

            • bmeeks

              Sorry it took a little longer than I anticipated, but I did finally get around to replicating the problem and will have the fix in the next Suricata update.  I'm hoping that won't be too far in the future.  I'm waiting for FreeBSD ports to update to the 2.0.7 release.  If that continues to drag out, then I will just post a separate GUI package update to fix this log management problem.

              Bill

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.