Suricata 3.0.2 advanced configuration pass-through not working



  • Hi.

    As in the title, I added "default-packet-size: 1522" to Advanced Configuration and restarted Suricata, but it still shows the original value.  :(

    And how do I set a custom profile in detect-engine with a lot more groups? I need to improve detection performance.

    For example:

    detect-engine:
    - profile: custom
    - custom-values:
    toclient-src-groups: 200
    toclient-dst-groups: 200
    toclient-sp-groups: 200
    toclient-dp-groups: 300
    toserver-src-groups: 200
    toserver-dst-groups: 400
    toserver-sp-groups: 200
    toserver-dp-groups: 250



  • You would need to make edits in this template file:

    /usr/local/pkg/suricata/suricata_yaml_template.inc

    Be careful editing this file!  Do not mess with the lines containing string variables (the stuff within curly braces).

    Also be aware this file is the template used to build all the suricata.yaml files (the file for each configured Suricata interface), so changes made here will be applied to all interfaces.

    Bill



  • Hi bill.

    I edited /usr/local/pkg/suricata/suricata_yaml_template.inc, then restarted it and it failed, but suricata.log doesn't show any log messages.

    Thanks,
    ntct

    detect-engine:

    - profile: {$detect_eng_profile}

    - profile: custom
    - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
        - sgh-mpm-context: {$sgh_mpm_ctx}
        - inspection-recursion-limit: {$inspection_recursion_limit}
        - delayed-detect: {$delayed_detect}


  • @ntct:

    Hi bill.

    I edited /usr/local/pkg/suricata/suricata_yaml_template.inc, then restarted it and it failed, but suricata.log doesn't show any log messages.

    Thanks,
    ntct

    detect-engine:

    - profile: {$detect_eng_profile}

    - profile: custom
    - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
        - sgh-mpm-context: {$sgh_mpm_ctx}
        - inspection-recursion-limit: {$inspection_recursion_limit}
        - delayed-detect: {$delayed_detect}

    I can't tell for sure from your post, but I suspect the formatting of the YAML file is the problem.  Suricata is super picky about that format (as in which lines are indented and by how much).  That is how the parser decides what things are.  In your example above, try indenting the toserver values.

    Bill



    Hmm, I think so. How do you suspect the formatting of the YAML file is the problem? Command line, or?

    I tried the default values of profile_high; it still failed.

    #  - profile: {$detect_eng_profile}

    - profile: custom
    - custom-values:
            toclient-src-groups: 15
            toclient-dst-groups: 15
            toclient-sp-groups: 15
            toclient-dp-groups: 20
            toserver-src-groups: 15
            toserver-dst-groups: 15
            toserver-sp-groups: 15
            toserver-dp-groups: 40
        - sgh-mpm-context: {$sgh_mpm_ctx}
        - inspection-recursion-limit: {$inspection_recursion_limit}
        - delayed-detect: {$delayed_detect}

    UPDATE

    I used the command 'suricata -c suricata.yaml --dump-config' on my running interface's yaml, and I don't see any toclient or toserver options.

    detect-engine = (null)
    detect-engine.0 = profile
    detect-engine.0.profile = high
    detect-engine.1 = sgh-mpm-context
    detect-engine.1.sgh-mpm-context = auto
    detect-engine.2 = inspection-recursion-limit
    detect-engine.2.inspection-recursion-limit = 3000
    detect-engine.3 = delayed-detect
    detect-engine.3.delayed-detect = no

    As soon as I add any toclient or toserver options, it can't start anymore.

    21/9/2016 -- 08:58:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 136: did not find expected key

    The toclient or toserver options are at line 136.

    21/9/2016 -- 09:14:27 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 145: mapping values are not allowed in this context

    - inspection-recursion-limit: {$inspection_recursion_limit} is line 145  --> ???

    Thanks,
    ntct



  • @ntct:

    Hmm, I think so. How do you suspect the formatting of the YAML file is the problem? Command line, or?

    I tried the default values of profile_high; it still failed.

    #  - profile: {$detect_eng_profile}

    - profile: custom
    - custom-values:
            toclient-src-groups: 15
            toclient-dst-groups: 15
            toclient-sp-groups: 15
            toclient-dp-groups: 20
            toserver-src-groups: 15
            toserver-dst-groups: 15
            toserver-sp-groups: 15
            toserver-dp-groups: 40
        - sgh-mpm-context: {$sgh_mpm_ctx}
        - inspection-recursion-limit: {$inspection_recursion_limit}
        - delayed-detect: {$delayed_detect}

    UPDATE

    I used the command 'suricata -c suricata.yaml --dump-config' on my running interface's yaml, and I don't see any toclient or toserver options.

    detect-engine = (null)
    detect-engine.0 = profile
    detect-engine.0.profile = high
    detect-engine.1 = sgh-mpm-context
    detect-engine.1.sgh-mpm-context = auto
    detect-engine.2 = inspection-recursion-limit
    detect-engine.2.inspection-recursion-limit = 3000
    detect-engine.3 = delayed-detect
    detect-engine.3.delayed-detect = no

    As soon as I add any toclient or toserver options, it can't start anymore.

    21/9/2016 -- 08:58:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 136: did not find expected key

    The toclient or toserver options are at line 136.

    21/9/2016 -- 09:14:27 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 145: mapping values are not allowed in this context

    - inspection-recursion-limit: {$inspection_recursion_limit} is line 145  --> ???

    Thanks,
    ntct

    That error message means you either do not have all the required parameters for the option, or the syntax is incorrect, or the option you are trying to use is not recognized or supported.  I am not familiar with that particular option, so I do not know if it is still valid or not.  You might want to go over to the Suricata site and ask there how to use those options.

    Bill
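A way to check the edited template's YAML before Suricata ever sees it, added here as an example (it is not code from the thread, from Suricata, or from the pfSense Suricata package): Ruby's standard yaml library is a wrapper around libyaml, the same parser Suricata uses, so it reports the same "did not find expected key" text quoted above, together with the line it applies to. The script parses three constructed detect-engine fragments (the list-of-maps layout with custom-values children indented under their key, a mis-indented variant where the toserver lines sit one column left of the toclient lines, and a variant that is valid YAML but puts the group counts beside custom-values instead of under it) and flattens the successful parses into the `key = value` style of the `--dump-config` output shown in the thread. That flattening is written for this example to mimic the shape of that output; it is not Suricata's own dumper. Literal values stand in for the template's `{$...}` placeholders, since the package fills those in when it builds the per-interface suricata.yaml. The check is about YAML structure only: whether Suricata 3.0.2 still honours the per-src/dst/sp/dp group keys is a separate question (the stock suricata.yaml shipped with 3.0 lists toclient-groups and toserver-groups under custom-values instead).

```ruby
require 'yaml'

# Constructed detect-engine fragment in the list-of-maps layout Suricata 3.x
# expects, with the custom-values children indented under their key. The group
# counts are the ones asked about in the thread; literal values stand in for
# the template's {$...} placeholders, which the package fills in when it
# builds the per-interface suricata.yaml.
GOOD_YAML = <<~YAML
  detect-engine:
    - profile: custom
    - custom-values:
        toclient-src-groups: 200
        toclient-dst-groups: 200
        toclient-sp-groups: 200
        toclient-dp-groups: 300
        toserver-src-groups: 200
        toserver-dst-groups: 400
        toserver-sp-groups: 200
        toserver-dp-groups: 250
    - sgh-mpm-context: auto
    - inspection-recursion-limit: 3000
YAML

# Constructed mis-indented variant: the toserver lines sit one column to the
# left of the toclient lines. libyaml closes the custom-values mapping at the
# first shorter line, then meets a new mapping where it expected the next key,
# and reports "did not find expected key" at that line, as in the thread.
BAD_YAML = <<~YAML
  detect-engine:
    - profile: custom
    - custom-values:
        toclient-src-groups: 200
        toclient-dst-groups: 200
       toserver-src-groups: 200
       toserver-dst-groups: 400
    - sgh-mpm-context: auto
YAML

# Constructed variant that parses cleanly but means something else: the group
# counts start in the same column as `custom-values`, so they become sibling
# keys of it and custom-values itself is empty.
SIBLING_YAML = <<~YAML
  detect-engine:
    - profile: custom
    - custom-values:
      toclient-src-groups: 200
      toserver-dst-groups: 400
    - sgh-mpm-context: auto
YAML

# Flatten a parsed tree into "a.b.c = value" lines shaped like the
# `suricata --dump-config` output quoted in the thread: a node with children
# is shown as (null), and a list item that is a mapping is shown under its
# index with the name of its first key. Written for this example; it mimics
# the shape of that output and is not Suricata's own dumper.
def dump_config(node, prefix, out = [])
  case node
  when Hash
    node.each do |key, value|
      path = prefix.empty? ? key.to_s : "#{prefix}.#{key}"
      if value.is_a?(Hash) || value.is_a?(Array)
        out << "#{path} = (null)"
        dump_config(value, path, out)
      else
        out << "#{path} = #{value.nil? ? '(null)' : value}"
      end
    end
  when Array
    node.each_with_index do |item, i|
      path = "#{prefix}.#{i}"
      if item.is_a?(Hash)
        out << "#{path} = #{item.keys.first}"
        dump_config(item, path, out)
      else
        out << "#{path} = #{item}"
      end
    end
  end
  out
end

# Parse a fragment with libyaml (via Psych) and return either [:ok, lines] or
# [:error, message]; the message carries libyaml's problem text and the line.
def check_yaml(text)
  [:ok, dump_config(YAML.safe_load(text), '')]
rescue Psych::SyntaxError => e
  [:error, "line #{e.line}: #{e.problem} (#{e.context})"]
end

if __FILE__ == $PROGRAM_NAME
  { 'correct' => GOOD_YAML, 'mis-indented' => BAD_YAML, 'siblings' => SIBLING_YAML }.each do |name, text|
    status, result = check_yaml(text)
    puts "== #{name}: #{status}"
    puts(status == :ok ? result.join("\n") : result)
  end
end
```

Run it against a fragment cut from the generated suricata.yaml (not the template, which still contains the unsubstituted braces) and compare the flattened lines with what `--dump-config` prints. In the third variant the group keys appear as `detect-engine.1.toclient-src-groups` rather than `detect-engine.1.custom-values.toclient-src-groups`, which is the kind of silent misplacement a parse-only check does not flag and a dump of the loaded tree does.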

