Netgate Discussion Forum

    How do I change a Suricata setting from the root command line?

    • templateunheard

      I need to have a script that runs at intervals that changes based on a variable setting. How do I do that? I've looked and I'm having trouble finding the Suricata settings, and I also read something about how it wouldn't change anyway as pfSense writes the whole config file each time? I may be wrong though. Thanks for any help.

      • stephenw10 Netgate Administrator

        You don't.

        But if you really have to, you might be able to change the conf file and restart the service.

        As you read, the Suricata conf file is generated from the main pfSense conf file, so any change there would be temporary. Which might be OK in your situation.

        Steve

        • templateunheard @stephenw10

          @stephenw10 How long would that actually change it for? As in, if I were to make this script run every x amount of time, how often would it have to run before it defaults? Thanks for the help, Steve.

          • stephenw10 Netgate Administrator

            I would expect it to survive until the next time the Suricata config was generated, which would be when a change is made in Suricata or the complete pfSense config is reloaded.

            Steve

            • templateunheard @stephenw10

              @stephenw10 OK, thanks. Lastly, mind telling me where the Suricata config file is? I need to change the IPS threat level setting on an interface, but I can only find the installation config file. Thanks.

              • stephenw10 Netgate Administrator

                You probably want something in: /usr/local/etc/suricata

                • bmeeks @templateunheard

                  @templateunheard said in How do I change a Suricata setting from the root command line?:

                  @stephenw10 OK, thanks. Lastly, mind telling me where the Suricata config file is? I need to change the IPS threat level setting on an interface, but I can only find the installation config file. Thanks.

                  Suricata creates independent and unique config files for each running instance (as in each configured Suricata interface). The files are put in sub-directories underneath /usr/local/etc/suricata. There is a sub-directory there for each configured interface. The name of the interface is part of the directory name to help you identify them. Absolutely nothing in terms of configuration is loaded from the top-level /usr/local/etc/suricata directory. Those are just boilerplate config files distributed with the binary.

                  Editing the config files directly is strongly not recommended. As mentioned here, any change is temporary at best. Each time Suricata is restarted, the suricata.yaml file for the interface is recreated from the data stored for Suricata in the firewall's config.xml master configuration file. Ditto for any time you make any edit in the GUI for Suricata. Suricata can restart on its own without user intervention for many reasons, including something as simple as the daily rules update job executing and updating the rules.
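
Added example, not part of bmeeks's post and not code from the pfSense Suricata package: because each interface has its own suricata.yaml in a sub-directory of /usr/local/etc/suricata and that file is recreated on restart or GUI edit, this sh script records a checksum baseline of the per-interface files and reports which ones have changed since. The function names and the state-file argument are hypothetical.

```sh
#!/bin/sh
# Added example (not pfSense package code). Function names are hypothetical.
# Base directory as named in the thread; override SURICATA_BASE for testing.
SURICATA_BASE="${SURICATA_BASE:-/usr/local/etc/suricata}"

# Print each per-interface suricata.yaml, one level below the base directory.
# The top-level boilerplate files are never matched by this glob.
list_instance_configs() {
    base="${1:-$SURICATA_BASE}"
    for f in "$base"/*/suricata.yaml; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Write a baseline: one "CRC SIZE PATH" line (POSIX cksum) per instance config.
snapshot_configs() {
    list_instance_configs "$1" | while IFS= read -r f; do
        cksum "$f"
    done > "$2"
}

# Print configs whose content no longer matches the baseline, i.e. files that
# were regenerated, hand-edited, or added since the snapshot was taken.
# With no baseline file, every instance config is reported.
changed_configs() {
    list_instance_configs "$1" | while IFS= read -r f; do
        grep -Fqx -- "$(cksum "$f")" "$2" 2>/dev/null || printf '%s\n' "$f"
    done
}

# Stand-alone use: "script snapshot STATEFILE" or "script check STATEFILE".
case "${1:-}" in
    snapshot) snapshot_configs "$SURICATA_BASE" "$2" ;;
    check)    changed_configs "$SURICATA_BASE" "$2" ;;
esac
```

Taking the snapshot right after a hand edit and running the check at intervals shows when an interface's file has been rewritten and the edit is gone.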

                  • stephenw10 Netgate Administrator

                    So pretty much "You don't" then. 😉

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.