Disable sid sidmgmt error in system logs



  • Hi folks,

    Running pfSense 2.4 and the latest Suricata package (via package manager).  After upgrading I'm getting this error in the system logs:

    suricata_check_for_rule_updates.php: [Suricata] Error - unable to open 'disable_sid_file' "disablesid.conf" specified for LAN

    Did I lose a configuration file during upgrade? Is there somewhere I can find this file?

    JJ



  • @repomanz:

    Hi folks,

    Running pfSense 2.4 and the latest Suricata package (via package manager).  After upgrading I'm getting this error in the system logs:

    suricata_check_for_rule_updates.php: [Suricata] Error - unable to open 'disable_sid_file' "disablesid.conf" specified for LAN

    Did I lose a configuration file during upgrade? Is there somewhere I can find this file?

    JJ

    The short answer is likely "yes", you lost a config file during the upgrade.  This is assuming you had configured and were previously using files on the SID MGMT tab.  Those files are saved in /var/db/suricata/sidmods.  Those files are not automatically saved during a config backup/restore operation.  What upgrade do you mean?  Was it pfSense 2.3.x to 2.4.0, or was it just an upgrade of the Suricata package?

    Sounds like something wiped out that directory and the files in it on your box.  Was the /var partition perhaps on a RAMDISK?  If so, you should not use RAMDISKS with Suricata or Snort as they store needed config files for the SID MGMT tab on that partition.

    You can either recreate the file, restore it from some other offline location (I save a copy of mine on a Windows PC), or turn off that file on the SID MGMT tab by setting the drop-down selector value to none.

    Bill



  • Hi Bill - yes, I had gone from 2.3 > 2.4 and then updated the Suricata package.  Somewhere in this process I guess I lost that file.  Luckily I had the post bookmarked so grabbed the disabled entries.  I'll make a backup now :)


  • Banned

    @bmeeks:

    Those files are saved in /var/db/suricata/sidmods.  Those files are not automatically saved during a config backup/restore operation.

    Is there any reason why this is not saved base64-encoded in config.xml? It's annoying, the disablesid.conf is a pretty important piece of configuration to avoid tons of FPs.



  • @doktornotor:

    @bmeeks:

    Those files are saved in /var/db/suricata/sidmods.  Those files are not automatically saved during a config backup/restore operation.

    Is there any reason why this is not saved base64-encoded in config.xml? It's annoying, the disablesid.conf is a pretty important piece of configuration to avoid tons of FPs.

    Well, I was leery of making the config.xml too large by including what could potentially be a lot of text.  The ideal solution would be an API within pfSense itself where packages could register files to be included in automatic config backups.  Other packages store large text files locally as well (pfBlockerNG does, I think).

    Bill
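
One way to keep a restorable copy of the SID MGMT files discussed in this thread, as an added example that is not from any poster or from the pfSense or Suricata package code: it archives /var/db/suricata/sidmods and verifies each file in the archive by hash. The backup directory /root/sidmods-backups and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense/Suricata package code): archive the SID MGMT files
# and verify the copy. SIDMODS_DIR is the path named in the thread; BACKUP_DIR
# is an assumed location, to be copied off the firewall afterwards.
SIDMODS_DIR="${SIDMODS_DIR:-/var/db/suricata/sidmods}"
BACKUP_DIR="${BACKUP_DIR:-/root/sidmods-backups}"

# Print the SHA-256 of a file using whichever tool the OS provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"    # FreeBSD / pfSense
    fi
}

# backup_sidmods SRC DEST: archive SRC into DEST, verify it, print the archive path.
backup_sidmods() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "missing directory: $src" >&2; return 1; }
    # An empty directory means the files are already gone (for example a wiped
    # RAM disk); fail loudly instead of recording an empty backup.
    [ -n "$(ls -A "$src")" ] || { echo "no files in $src" >&2; return 2; }
    mkdir -p "$dest" || return 3
    archive="$dest/sidmods-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" . || return 4
    # Verify: every file in SRC must extract from the archive with the same hash.
    tmp="$(mktemp -d "${TMPDIR:-/tmp}/sidmods.XXXXXX")" || return 5
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 6; }
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name="$(basename "$f")"
        if [ "$(file_sha256 "$f")" != "$(file_sha256 "$tmp/$name")" ]; then
            echo "verification failed for $name" >&2
            rm -rf "$tmp"; return 7
        fi
    done
    rm -rf "$tmp"
    echo "$archive"
}

# Perform the backup only when invoked with "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    backup_sidmods "$SIDMODS_DIR" "$BACKUP_DIR"
fi
```

The archive still sits on the firewall, so copy it to another machine to survive a reinstall or a wiped /var.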

