1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Suricata SIP errors loading rules

Suricata SIP errors loading rules

  • B

    My logs have this error all over the place:

    Variable "SIP_SERVERS" is not defined in configuration file

    I noticed there isn't a way to configure this as these variables are omitted. What's the correct solution to this?

    0
  • bmeeks

    You can manually add the required values to the YAML configuration template file.  Note that this will have to be repeated each time you update the Suricata package as the template file is always overwritten with a new update (like when you install a package update from the Package Manager).

    Find this file and open it in an editor of choice:

    /usr/local/pkg/suricata/suricata_yaml_template.inc

    Near the bottom of the file you will find this section of code:

    
# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    {$port_vars}

    Be very careful not to disturb any existing lines of text (code)!  Add a new line for your SIP_SERVERS as shown below:

    
# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}
    SIP_SERVERS ["what ever IP addresses or networks are appropriate for your setup"]

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    {$port_vars}

    The information in the template file is used to build the suricata.yaml configuration file for each configured interface.  Be very careful when editing and don't change any of the other lines.  That includes spaces or tab indents!  Suricata is very finicky!  You will just be adding this one line in the place shown above.

    SIP_SERVERS ["some IP addresses or networks"]

    I will put the inclusion of the SIP_SERVERS variable on my TODO list for a future update so that it is available within the GUI.

    EDIT:  Forgot to say that after making the changes in the template file above, you will need to go to the INTERFACE SETTINGS tab and "edit" the interface so you can do a Save operation.  Clicking the Save button will cause the suricata.yaml file for the interface to be regenerated using the newly modified template.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy