Suricata Configuration



  • Hi all

    pfsense tech support needs me to troubleshoot a possible hardware problem I might have with my SG-2220 box by resetting and installing a new instance of pfsense to see if my issue persists…

    Does anyone happen to know how I can backup the configuration of my Suricata ruleset that took me about 2 days to configure initially and then about 5 weeks or so to finely-tune out the false positives?

    I hope this isn't a dumb question...it makes me ill thinking I might have to go through that again since I have to reset and reinstall pfsense...thank you all :)



  • Your Suricata rule set is saved within the config.xml file that stores all of the firewall's configuration information.  When you restore the config backup, the Suricata configuration will come with it.  The only things that will not are any automated SID management files you may have imported or created on the SID MGMT tab within Suricata.  However, you can easily download any of those files to a local PC and then upload them back when you restore the firewall.

    Bill
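As an added example (not from this thread or the pfSense project), a small Python check that a config.xml backup actually carries the Suricata package section before the box is wiped; the element layout under `installedpackages/suricata` and the `||` ruleset separator are assumptions about the package's XML, and the sample config is constructed.

```python
# Added example: verify a pfSense config.xml backup contains the Suricata
# package configuration before resetting the firewall.  The XML layout
# (installedpackages/suricata/rule with <interface> and <rulesets>) is an
# assumption about the package format; the sample document is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <package><name>suricata</name></package>
    <suricata>
      <rule>
        <interface>wan</interface>
        <enable>on</enable>
        <rulesets>emerging-malware.rules||emerging-scan.rules</rulesets>
      </rule>
      <rule>
        <interface>lan</interface>
        <enable>on</enable>
        <rulesets>emerging-dns.rules</rulesets>
      </rule>
    </suricata>
  </installedpackages>
</pfsense>
"""


def suricata_summary(config_xml: str) -> dict:
    """Return {interface: [ruleset, ...]} for each Suricata interface in the
    backup, or {} when the package section is absent."""
    root = ET.fromstring(config_xml)
    section = root.find("./installedpackages/suricata")
    if section is None:
        return {}
    summary = {}
    for rule in section.findall("rule"):
        iface = rule.findtext("interface", default="").strip()
        if not iface:
            continue  # skip malformed entries without an interface name
        rulesets = rule.findtext("rulesets", default="")
        summary[iface] = [r for r in rulesets.split("||") if r]
    return summary


def check_backup(config_xml: str) -> bool:
    """True when at least one Suricata interface with rulesets is present."""
    summary = suricata_summary(config_xml)
    for iface, rulesets in summary.items():
        print(f"{iface}: {len(rulesets)} ruleset(s)")
    return any(summary.values())


if __name__ == "__main__":
    print("OK" if check_backup(SAMPLE_CONFIG) else "Suricata section missing")
```

To check a real backup, read the downloaded file into a string and pass it to `check_backup` before starting the reinstall.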



  • Thank you bill, I appreciate this!  Thank goodness I don't have any SID rules to complicate this!

    To make sure I don't mess this up, should I do the following…?

    1. Create a backup file config.xml to my Desktop of my current configuration
    2. Console in to my SG-2220 using Putty and reset my configuration
    3. Plug in my usb drive that contains pfsense v.2.3.2 ISO on it
    4. Restart the router so it will automatically install/reinstall all files
    5. Go through the initial GUI pfsense setup through my browser
    6. Reinstall Suricata again from the Package Manager
    7. Put in my Snort OINK code and download all rules packages
    8. Lastly, restore my config.xml which will bring back my pfsense configuration AND also restore the Suricata rules configuration

    Is the above accurate "to a tee"?  Thank you



  • You can skip the OINK code part of step #7.  That will automatically happen when you restore the config.  The only manual thing you will do after restoring the config is go to the UPDATES tab and force a rules package update.  So swap steps 7 and 8 in your plan, and you don't have to manually input your OINK code.

    I'm not 100% sure, but I seem to recall that on a config restore pfSense would reinstall the packages.  Been a very long time since I've done that (all the way back to 2.0.x something or other).  Perhaps some of the pfSense veterans can elaborate on this.

    Other than my two comments above, sounds like you have a plan for success.

    Bill



  • Oh wow, great news on pfsense reinstalling my packages automatically, thank you Bill, I really appreciate your help very much!



  • @userjanuary2017:

    Oh wow, great news on pfsense reinstalling my packages automatically, thank you Bill, I really appreciate your help very much!

    As I said, I'm not 100% sure on that point, but I believe it used to do that.  If you have pfSense paid support, they can verify that point for you in case I am mistaken.

    Bill

