Netgate Discussion Forum

    Suricata 3.0.2 advanced configuration pass-through not working

    ntct

      Hi.

      As the title says, I added "default-packet-size: 1522" to Advanced Configuration. After restarting Suricata, it still shows the original value. :(

      And how do I set a custom profile in detect-engine with a lot more groups? I need to improve detection performance.

      For example:

      detect-engine:
      - profile: custom
      - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250

      bmeeks

        You would need to make edits in this template file:

        /usr/local/pkg/suricata/suricata_yaml_template.inc

        Be careful editing this file!  Do not mess with the lines containing string variables (the stuff within curly braces).

        Also be aware this file is the template used to build all the suricata.yaml files (the file for each configured Suricata interface), so changes made here will be applied to all interfaces.

        Bill

        ntct

          Hi Bill.

          I edited /usr/local/pkg/suricata/suricata_yaml_template.inc, then restarted it and it failed, but suricata.log doesn't show any log messages.

          Thanks,
          ntct

          detect-engine:

          - profile: {$detect_eng_profile}

          - profile: custom
          - custom-values:
            toclient-src-groups: 200
            toclient-dst-groups: 200
            toclient-sp-groups: 200
            toclient-dp-groups: 300
            toserver-src-groups: 200
            toserver-dst-groups: 400
            toserver-sp-groups: 200
            toserver-dp-groups: 250
              - sgh-mpm-context: {$sgh_mpm_ctx}
              - inspection-recursion-limit: {$inspection_recursion_limit}
              - delayed-detect: {$delayed_detect}
          bmeeks

            @ntct:

            Hi Bill.

            I edited /usr/local/pkg/suricata/suricata_yaml_template.inc, then restarted it and it failed, but suricata.log doesn't show any log messages.

            Thanks,
            ntct

            detect-engine:

            - profile: {$detect_eng_profile}

            - profile: custom
            - custom-values:
              toclient-src-groups: 200
              toclient-dst-groups: 200
              toclient-sp-groups: 200
              toclient-dp-groups: 300
              toserver-src-groups: 200
              toserver-dst-groups: 400
              toserver-sp-groups: 200
              toserver-dp-groups: 250
                - sgh-mpm-context: {$sgh_mpm_ctx}
                - inspection-recursion-limit: {$inspection_recursion_limit}
                - delayed-detect: {$delayed_detect}

            I can't tell for sure from your post, but I suspect the formatting of the YAML file is the problem. Suricata is super picky about that format (as in which lines are indented and by how much). That is how the parser decides what things are. In your example above, try indenting the toserver values.

            Bill

            ntct

              Hmm, I think so. How do you suspect that the formatting of the YAML file is the problem? From the command line, or?

              I tried the default values of profile_high; it still failed.

              #  - profile: {$detect_eng_profile}

              - profile: custom
              - custom-values:
                      toclient-src-groups: 15
                      toclient-dst-groups: 15
                      toclient-sp-groups: 15
                      toclient-dp-groups: 20
                      toserver-src-groups: 15
                      toserver-dst-groups: 15
                      toserver-sp-groups: 15
                      toserver-dp-groups: 40
                  - sgh-mpm-context: {$sgh_mpm_ctx}
                  - inspection-recursion-limit: {$inspection_recursion_limit}
                  - delayed-detect: {$delayed_detect}

              UPDATE

              I used the command 'suricata -c suricata.yaml --dump-config' on my running interface's yaml; I don't see any toclient or toserver options.

              detect-engine = (null)
              detect-engine.0 = profile
              detect-engine.0.profile = high
              detect-engine.1 = sgh-mpm-context
              detect-engine.1.sgh-mpm-context = auto
              detect-engine.2 = inspection-recursion-limit
              detect-engine.2.inspection-recursion-limit = 3000
              detect-engine.3 = delayed-detect
              detect-engine.3.delayed-detect = no

              As soon as I add any toclient or toserver options, it can't start anymore.

              21/9/2016 -- 08:58:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 136: did not find expected key

              The toclient or toserver options are on line 136.

              21/9/2016 -- 09:14:27 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 145: mapping values are not allowed in this context

              - inspection-recursion-limit: {$inspection_recursion_limit} is line 145 --> ???

              Thanks,
              ntct

              bmeeks

                @ntct:

                Hmm, I think so. How do you suspect that the formatting of the YAML file is the problem? From the command line, or?

                I tried the default values of profile_high; it still failed.

                #  - profile: {$detect_eng_profile}

                - profile: custom
                - custom-values:
                        toclient-src-groups: 15
                        toclient-dst-groups: 15
                        toclient-sp-groups: 15
                        toclient-dp-groups: 20
                        toserver-src-groups: 15
                        toserver-dst-groups: 15
                        toserver-sp-groups: 15
                        toserver-dp-groups: 40
                    - sgh-mpm-context: {$sgh_mpm_ctx}
                    - inspection-recursion-limit: {$inspection_recursion_limit}
                    - delayed-detect: {$delayed_detect}

                UPDATE

                I used the command 'suricata -c suricata.yaml --dump-config' on my running interface's yaml; I don't see any toclient or toserver options.

                detect-engine = (null)
                detect-engine.0 = profile
                detect-engine.0.profile = high
                detect-engine.1 = sgh-mpm-context
                detect-engine.1.sgh-mpm-context = auto
                detect-engine.2 = inspection-recursion-limit
                detect-engine.2.inspection-recursion-limit = 3000
                detect-engine.3 = delayed-detect
                detect-engine.3.delayed-detect = no

                As soon as I add any toclient or toserver options, it can't start anymore.

                21/9/2016 -- 08:58:49 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 136: did not find expected key

                The toclient or toserver options are on line 136.

                21/9/2016 -- 09:14:27 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 145: mapping values are not allowed in this context

                - inspection-recursion-limit: {$inspection_recursion_limit} is line 145 --> ???

                Thanks,
                ntct

                That error message means you either do not have all the required parameters for the option, or the syntax is incorrect, or the option you are trying to use is not recognized or supported.  I am not familiar with that particular option, so I do not know if it is still valid or not.  You might want to go over to the Suricata site and ask there how to use those options.

                Bill

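Both of Bill's replies point at YAML structure, and ntct's `--dump-config` output confirms the symptom: no custom-values entries reach the running config. The following Python is an added example, not code from this thread, from pfSense or from Suricata. It parses the block-YAML subset the detect-engine section uses (mappings, one-key `- key:` items, scalars, comments) strictly enough to report the first mis-indented line, and renders the tree in the dotted form `suricata --dump-config` prints. The GOOD sample follows the layout of the Suricata 3.x default suricata.yaml for `profile: custom`, where the eight `*-groups` keys are indented deeper than the `- custom-values:` item; BAD is the same text with those keys pulled back to the column of the `- ` items, as in the pasted template. The parser, its error wording and the nesting it prints under custom-values are this example's own assumptions, not libyaml's or Suricata's.

```python
"""Structural check of a Suricata 3.x detect-engine block (added example, not
Suricata's parser).  Reads the block-YAML subset that section uses (mappings,
one-key '- key:' items, scalars, comments) and renders the tree the way
`suricata --dump-config` prints it."""
import re

KEY_RE = re.compile(r'^([^\s:#-][^:]*?):(?:\s+(.*))?$')   # 'key: value' or 'key:'

class YamlError(ValueError):
    """Message starts with the 1-based line number of the first problem."""

def _lines(text):
    """(lineno, indent, content) for each non-blank, non-comment line."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r'\s+#.*$', '', raw.rstrip())          # drop trailing comments
        if line.strip() and not line.lstrip().startswith('#'):
            out.append((lineno, len(line) - len(line.lstrip()), line.strip()))
    return out

def _entry(lines, pos, indent, text):
    """Parse 'key: value' or 'key:' + a deeper block; return (key, value, next pos)."""
    m = KEY_RE.match(text)
    if not m:
        raise YamlError(f'line {lines[pos][0]}: expected "key: value", got {text!r}')
    key, value, pos = m.group(1), m.group(2), pos + 1
    if value is None and pos < len(lines) and lines[pos][1] > indent:
        value, pos = _parse_block(lines, pos, lines[pos][1])   # nested block
    return key, value, pos

def _parse_block(lines, pos, indent):
    """Parse one mapping or sequence whose entries all sit at column `indent`."""
    is_seq = lines[pos][2].startswith('- ')
    node = [] if is_seq else {}
    while pos < len(lines):
        lineno, ind, content = lines[pos]
        if ind < indent:
            break                                   # block ended, parent continues
        if ind > indent:
            raise YamlError(f'line {lineno}: unexpected indentation')
        if is_seq != content.startswith('- '):
            raise YamlError(f'line {lineno}: did not find expected '
                            + ('"- " item' if is_seq else 'key'))
        if is_seq:      # '- key:' is a one-key mapping whose body starts 2 columns in
            key, value, pos = _entry(lines, pos, indent + 2, content[2:])
            node.append({key: value})
        else:
            key, value, pos = _entry(lines, pos, indent, content)
            node[key] = value
    return node, pos

def parse(text):
    lines = _lines(text)
    node, pos = _parse_block(lines, 0, lines[0][1])
    if pos != len(lines):
        raise YamlError(f'line {lines[pos][0]}: content outside the top-level block')
    return node

def first_error(text):
    try:
        parse(text)
        return None
    except YamlError as err:
        return str(err)

def dump_config(node, prefix=''):
    """Dotted rendering like `suricata --dump-config`.  The 'x.0 = key' lines match
    the thread's output; the nesting printed under custom-values is assumed."""
    out = []
    for name, value in (node.items() if isinstance(node, dict) else enumerate(node)):
        path = f'{prefix}.{name}' if prefix else str(name)
        if isinstance(node, list) and isinstance(value, dict) and len(value) == 1:
            (key, inner), = value.items()           # '- key: v' -> 'x.0 = key', 'x.0.key = v'
            out.append(f'{path} = {key}')
            path, value = f'{path}.{key}', inner
        if isinstance(value, (dict, list)):
            out.append(f'{path} = (null)')
            out.extend(dump_config(value, path))
        else:
            out.append(f'{path} = {"(null)" if value is None else value}')
    return out

# Constructed samples: the layout Suricata 3.x's own suricata.yaml uses for a custom
# profile, and the same text with the group keys pulled back to the "- " column.
GOOD = """\
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: auto
"""
BAD = GOOD.replace('\n      to', '\n  to')
```

With the block saved as check.py, `python3 -c 'import check; print(check.first_error(check.BAD))'` reports line 4, the first group key, which is where the thread's own parse error pointed. For GOOD, `dump_config(parse(GOOD))` yields `detect-engine.0 = profile`, `detect-engine.0.profile = custom` (the shape seen in the thread) and then `detect-engine.1 = custom-values` followed by one `detect-engine.1.custom-values.<key> = <n>` line per group; those nested lines are what to look for in the real `--dump-config` output once the template indents the group keys past the `- custom-values:` item.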
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.