How do I change a Suricata setting from the root command line?

templateunheard · Jan 14, 2021, 8:53 PM

I need to have a script that runs at intervals that changes based on a variable setting. How do I do that? I've looked and I'm having trouble finding the suricata settings and I also read something about how it wouldn't change anyway as pfsense write the whole config file each time? I may be wrong though. Thanks for any help

stephenw10 · Jan 14, 2021, 10:07 PM

You don't.

But if you really have to you might be able to change the conf file and restart the service.

As you read the Suricata conf file is generated from the main pfSense conf file so any chnage there would be temporary. Which might be OK in your situation.

Steve

templateunheard · Jan 14, 2021, 10:08 PM

@stephenw10 How long would that actually change it for? as in if I were to make this script run every x amount of time, how often would it have to run before it defaults? Thanks for the help steve

stephenw10 · Jan 14, 2021, 10:14 PM

I would expect it to survive until the next time the Suricata config was generated which would be when a change is made is suricata or the complete pfSense config is reloaded.

Steve

templateunheard · Jan 14, 2021, 10:17 PM

@stephenw10 Ok, thanks. Lastly, mind telling me where the suricata config file is? I need to change the IPS threat level setting on an interface but I can only find the installation config file. Thanks

stephenw10 · Jan 14, 2021, 10:42 PM

You probably want something in: /usr/local/etc/suricata

bmeeks · Jan 15, 2021, 12:00 AM

@templateunheard said in How do I change a Suricata setting from the root command line?:

@stephenw10 Ok, thanks. Lastly, mind telling me where the suricata config file is? I need to change the IPS threat level setting on an interface but I can only find the installation config file. Thanks

Suricata creates independent and unique config files for each running instance (as in each configured Suricata interface). The files are put in sub-directories underneath /usr/local/etc/suricata. There is a sub-directory there for each configured interface. The name of the interface is part of the directory name to help you identify them. Absolutely nothing in terms of configuration is loaded from the top-level /usr/local/etc/suricata directory. Those are just boilerplate config files distributed with the binary.

Editing the config files directly is strongly not recommended. As mentioned here, any change is temporary at best. Each time Suricata is restarted, the suricata.yaml file for the interface is recreated from the data stored for Suricata in the firewall's config.xml master configuration file. Ditto for any time you make any edit in the GUI for Suricata. Suricata can restart on its own without user intervention for many reasons, including something as simple as the daily rules update job executing and updating the rules.

stephenw10 · Jan 14, 2021, 11:59 PM

So pretty much "You don't" then.