Suricata 3.0.2 advanced configuration pass-through not working
-
Hi.
As the title says, I added "default-packet-size: 1522" to Advanced Configuration. After restarting Suricata, it still shows the original value. :(
And how do I set a custom profile in detect-engine with a lot more groups? I need to improve detection performance.
For example:
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
-
You would need to make edits in this template file:
/usr/local/pkg/suricata/suricata_yaml_template.inc
Be careful editing this file! Do not mess with the lines containing string variables (the stuff within curly braces).
Also be aware this file is the template used to build all the suricata.yaml files (the file for each configured Suricata interface), so changes made here will be applied to all interfaces.
Bill
-
Hi bill.
I edited /usr/local/pkg/suricata/suricata_yaml_template.inc, then restarted it and it failed, but suricata.log doesn't show any log messages.
Thanks,
ntct
detect-engine:
- profile: {$detect_eng_profile}
- profile: custom
- custom-values:
toclient-src-groups: 200
toclient-dst-groups: 200
toclient-sp-groups: 200
toclient-dp-groups: 300
toserver-src-groups: 200
toserver-dst-groups: 400
toserver-sp-groups: 200
toserver-dp-groups: 250
- sgh-mpm-context: {$sgh_mpm_ctx}
- inspection-recursion-limit: {$inspection_recursion_limit}
- delayed-detect: {$delayed_detect}
-
I can't tell for sure from your post, but I suspect the formatting of the YAML file is the problem. Suricata is super picky about that format (as in which lines are indented and by how much). That is how the parser decides what things are. In your example above, try indenting the toserver values.
Bill
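Bill's point about indentation can be checked before restarting Suricata. What follows is an added example, not code from this thread or from the pfSense Suricata package: a small Python checker that understands only the shape of the detect-engine block (a list of one-key maps, with custom-values nesting a map of group counts) and flattens it the way --dump-config prints it, refusing any nested key that is not indented under its list item. The GOOD and BAD samples are constructed for the example.

```python
from typing import Dict

def parse_detect_engine(text: str) -> Dict[str, str]:
    """Flatten a 'detect-engine:' block into 'detect-engine.N.key = value'
    pairs, or raise ValueError naming the first mis-indented line."""
    out: Dict[str, str] = {}
    idx, item_indent, key = -1, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#") or s == "detect-engine:":
            continue                       # blank, comment or block header
        indent = len(raw) - len(raw.lstrip(" "))
        if s.startswith("- "):             # new list item: '- key[: value]'
            if item_indent is None:
                item_indent = indent
            elif indent != item_indent:
                raise ValueError(f"line {lineno}: list items must share one indent")
            idx += 1
            key, _, val = (p.strip() for p in s[2:].partition(":"))
            out[f"detect-engine.{idx}"] = key
            if val:
                out[f"detect-engine.{idx}.{key}"] = val
            continue
        # Any other line must be a 'k: v' child of the current item, so it has
        # to sit deeper than the key text that follows the dash.
        if key is None or indent <= item_indent:
            raise ValueError(f"line {lineno}: expected a '- ' item, got {s!r}")
        if indent <= item_indent + 2:
            raise ValueError(f"line {lineno}: {s!r} sits beside {key!r}, not under it")
        k, _, v = (p.strip() for p in s.partition(":"))
        if not v:
            raise ValueError(f"line {lineno}: nested key {k!r} has no value")
        out[f"detect-engine.{idx}.{key}.{k}"] = v
    return out

# Constructed sample: custom-values nested under its list item, as in the stock suricata.yaml.
GOOD = """\
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: auto
"""
# Constructed sample: a group count flush with the '- ' item, which Suricata refuses to load.
BAD = """\
detect-engine:
  - custom-values:
  toclient-src-groups: 200
"""
```

Feed it the rendered suricata.yaml of the interface (not the template, whose {$...} placeholders are only substituted when the package writes the file) and compare the flattened keys with what --dump-config shows.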
-
Hmm, I think so. How do you tell that the formatting of the YAML file is the problem? From the command line, or?
I tried the default values of the high profile; it still failed.
# - profile: {$detect_eng_profile}
- profile: custom
- custom-values:
toclient-src-groups: 15
toclient-dst-groups: 15
toclient-sp-groups: 15
toclient-dp-groups: 20
toserver-src-groups: 15
toserver-dst-groups: 15
toserver-sp-groups: 15
toserver-dp-groups: 40
- sgh-mpm-context: {$sgh_mpm_ctx}
- inspection-recursion-limit: {$inspection_recursion_limit}
- delayed-detect: {$delayed_detect}
UPDATE
I used the command 'suricata -c suricata.yaml --dump-config' on my running interface's yaml, and I don't see any toclient or toserver options.
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = high
detect-engine.1 = sgh-mpm-context
detect-engine.1.sgh-mpm-context = auto
detect-engine.2 = inspection-recursion-limit
detect-engine.2.inspection-recursion-limit = 3000
detect-engine.3 = delayed-detect
detect-engine.3.delayed-detect = no
As long as I add any toclient or toserver options, it can't start anymore.
21/9/2016 -- 08:58:49 - <error>- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 136: did not find expected key</error>
The toclient or toserver options are at line 136.
21/9/2016 -- 09:14:27 - <error>- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 145: mapping values are not allowed in this context</error>
- inspection-recursion-limit: {$inspection_recursion_limit} is line 145 --> ???
Thanks,
ntct
-
That error message means you either do not have all the required parameters for the option, or the syntax is incorrect, or the option you are trying to use is not recognized or supported. I am not familiar with that particular option, so I do not know if it is still valid or not. You might want to go over to the Suricata site and ask there how to use those options.
Bill