How do I change a Suricata setting from the root command line?

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 23:59:21 GMT

stephenw10 — Thu, 14 Jan 2021 23:59:21 GMT

So pretty much "You don't" then.

Reply to How do I change a Suricata setting from the root command line? on Fri, 15 Jan 2021 00:00:56 GMT

bmeeks — Fri, 15 Jan 2021 00:00:56 GMT

@templateunheard said in How do I change a Suricata setting from the root command line?:

@stephenw10 Ok, thanks. Lastly, mind telling me where the suricata config file is? I need to change the IPS threat level setting on an interface but I can only find the installation config file. Thanks

Suricata creates independent and unique config files for each running instance (as in each configured Suricata interface). The files are put in sub-directories underneath /usr/local/etc/suricata. There is a sub-directory there for each configured interface. The name of the interface is part of the directory name to help you identify them. Absolutely nothing in terms of configuration is loaded from the top-level /usr/local/etc/suricata directory. Those are just boilerplate config files distributed with the binary.

Editing the config files directly is strongly not recommended. As mentioned here, any change is temporary at best. Each time Suricata is restarted, the suricata.yaml file for the interface is recreated from the data stored for Suricata in the firewall's config.xml master configuration file. Ditto for any time you make any edit in the GUI for Suricata. Suricata can restart on its own without user intervention for many reasons, including something as simple as the daily rules update job executing and updating the rules.

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 22:42:43 GMT

stephenw10 — Thu, 14 Jan 2021 22:42:43 GMT

You probably want something in: /usr/local/etc/suricata

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 22:17:53 GMT

templateunheard — Thu, 14 Jan 2021 22:17:53 GMT

@stephenw10 Ok, thanks. Lastly, mind telling me where the suricata config file is? I need to change the IPS threat level setting on an interface but I can only find the installation config file. Thanks

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 22:14:46 GMT

stephenw10 — Thu, 14 Jan 2021 22:14:46 GMT

I would expect it to survive until the next time the Suricata config was generated which would be when a change is made is suricata or the complete pfSense config is reloaded.

Steve

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 22:08:20 GMT

templateunheard — Thu, 14 Jan 2021 22:08:20 GMT

@stephenw10 How long would that actually change it for? as in if I were to make this script run every x amount of time, how often would it have to run before it defaults? Thanks for the help steve

Reply to How do I change a Suricata setting from the root command line? on Thu, 14 Jan 2021 22:07:00 GMT

stephenw10 — Thu, 14 Jan 2021 22:07:00 GMT

You don't.

But if you really have to you might be able to change the conf file and restart the service.

As you read the Suricata conf file is generated from the main pfSense conf file so any chnage there would be temporary. Which might be OK in your situation.

Steve