Configuring SID Management on pfSense/Suricata limited to 4 config files.



  • I'm somewhat new to using pfsense and suricata. I have my WAN configured with legacy mode blocking and the Block on DROP only option selected. I would use the inline mode, but it crashes my router every time. I've configured my SID management config files the way I want them for my WAN interface and have been running for a little while with no problems.

    I'm trying to set up a different set of SID management config files to use on other interfaces, but I find that if I try to add more than 4 config files, it overwrites the top config.

    Is there a way to add more than 4 config files, either through the web gui or through ssh? Or is there a way to specify in one config file which set of rules apply to which interface for the SID Management?

    I'm using pfsense 2.4.4-RELEASE-p3 on a Netgate xg-7100-1U with Suricata 4.1.4_8.



  • Let me test in a virtual machine and see if I can reproduce your issue. The design of the code should allow for an almost unlimited number for SID configurations to be created and saved without any new ones overwriting old ones.



  • I just tested using Suricata_4.1.4_8 on a pfSense-2.5 DEVEL virtual machine and could not reproduce your issue. Here is a screenshot from the VM showing 9 SID management lists, 5 of which I created and saved manually. You can see that from the values in the Last Modified Time column.

    SIDLists.png

    What version of the Suricata package are you running and what are the exact steps you are using when creating a new SID management list?



  • *** Edited to add screen shots, reproducing the problem ***

    Ok, I think I have figured it out and have it reproduceable. This was happening the same way on both Suricata 4.1.4_5 and 4.1.4_8 on pfSense 2.4.4-RELEASE-p3.

    The default package has the SID Management files in the following order:

    disablesid-sample.conf
    dropsid-sample.conf
    modifysid-sample.conf
    enablesid-sample.conf

    I originally changed the disablesid and dropsid configurations for my wan interface and named them wan_disablesid.conf and wan-dropsid.conf. The modifysid and enablesid sample files were still there. I then tried to click add to create a new file for my lan interface with disablesid and dropsid. When I would try and create a new sid, it was overwriting the top config file. So this:

    step1.jpg

    changed to this:

    step2.jpg

    step3.jpg

    But, when I reset it back to the way I had it, then modify the names of the 2 remaining sample conf files, it would then let me add a 5th config file. So this:

    step4.jpg

    changed to this:

    step5.jpg

    Then added a test conf file changed it to this:

    step6.jpg

    Then I deleted the test.conf and renamed the modifysid and enablesid files back to the sample names, and it was overwriting the first conf file again.

    I can try and capture some screenshots if that would help. My issue appears resolved now, though. I fought with trying to figure out what adding a 5th file was overwriting the first for the last 4 or 5 hours.



  • I'm sorry @sgnoc, but I could not follow what you are saying in your last post.

    I just started up one of my test virtual machines with Suricata installed on it, went to the SID MGMT tab and there were only four files showing. I then clicked Add five different times and created the five files showing with the August 28 date and time.

    The name of a file should not matter.

    You end up by saying your issue is resolved now. But you don't say how it was resolved.



  • Sorry, I'll try to clarify. So with the default configuration, I only modified the first 2 files in the SID Management list, which were the disablesid and dropsid files. They were saved with new names. After that, I tried adding a new file. When I saved the new file, it overwrote the disablesid file (which was the first file in the list).

    I don't know why it was happening, but it seemed to be an issue with just the names of the files. As soon as I removed the "-sample" from the last 2 files (enablesid and modifysid), then it would allow me to add the 5th file without overwriting the top file.

    I went back and added screen shots, if that might help clear things up. You can follow the time stamps in the modified time.

    After I removed "-sample" from the 3rd and 4th files, it is adding new files properly. If I removed the extra files (only keeping the top 4) and then changed the last 2 files back to the original names (with "-sample"), the overwriting happened again.

    The only thing I did to resolve the issue was to change the 3rd and 4th file names, removing "-sample".



  • Okay. I'll repeat my tests with new data trying to replicate the problem.



  • @sgnoc said in Configuring SID Management on pfSense/Suricata limited to 4 config files.:

    Sorry, I'll try to clarify. So with the default configuration, I only modified the first 2 files in the SID Management list, which were the disablesid and dropsid files. They were saved with new names. After that, I tried adding a new file. When I saved the new file, it overwrote the disablesid file (which was the first file in the list).

    I don't know why it was happening, but it seemed to be an issue with just the names of the files. As soon as I removed the "-sample" from the last 2 files (enablesid and modifysid), then it would allow me to add the 5th file without overwriting the top file.

    I went back and added screen shots, if that might help clear things up. You can follow the time stamps in the modified time.

    After I removed "-sample" from the 3rd and 4th files, it is adding new files properly. If I removed the extra files (only keeping the top 4) and then changed the last 2 files back to the original names (with "-sample"), the overwriting happened again.

    The only thing I did to resolve the issue was to change the 3rd and 4th file names, removing "-sample".

    I still was unable to reproduce the behavior you describe. I started off with just the four *-sample.conf files showing the list. I edited the first one (the disablesid-sample.conf file) and in the edit dialog changed the name to disablesid.conf and saved the new file. I then repeated the action with the enablesid-sample.conf file renaming it toenablesid.conf and saving. So at that point I had these files showing in the list: disablesid.conf, enablesid.conf, modifysid-sample.conf and dropsid-sample.conf.

    I then clicked the Add button and added a new fifth file named SID Test 1 without it overwriting any of the other entries. Just to be sure, I then clicked Add again and created a sixth new file named sidtest.conf without it overwriting any previous entries.



  • @bmeeks That's exactly what I did, except it overwrote the first file instead of creating a 5th. I'm not sure why. I can still change the names back and can get it to reproduce the same problem.

    Thanks for the help. At least I'm now able to add the extra conf files that I needed.


Log in to reply