Suricata tls.store Logs Mgmt



  • When using rules with tls.store, the folder certs, is properly created under /var/log/suricata/interface/certs. The cert file and .meta file are stored, but Im unable to manage Log Size and Retention Limits, using the Logs Mgmt.

    Neither tls or Captured Files Retention Period options, of Logs Mgmt tab, affect those files/folder.

    What am I doing wrong ? ;)

    F.



  • You're doing nothing wrong.  It's my bad.  I don't think I have the code structured properly for that task.  I could make up some lame story, but I will just be honest… :-[.  I did not test that particular feature.  I assumed, incorrectly it appears, that it would save things using a scheme like the other logs.

    Can you post a screen shot of the folder showing the files that are in there?  That will help me create a fix.  If you have privacy concerns with a public post, send me a PM and I will send you my e-mail address.  It will help me immensely to see the folder structure and content created by those rules.

    Thanks,
    Bill

    P.S. -- you seem to be an advanced Suricata user based on your other posts here helping others.  I'm still a Suricata newbie.  I just learned enough to create the package and used a lot of the existing Snort package code to clone from.  So if you find something else that's not quite right, let me know.



  • Easier than that, just run this custom rule and visit a few https sites, the certs folder (var/log/suricata/suricata_interface/certs) will appear and populate. Its a catch all, no alert. You may need to enable TLS loggin on that interface too.

    alert tls any any -> any any (msg:"No Alert TLS Store"; tls.subject:"CN="; tls.store; noalert; classtype:policy-violation; sid:5216010; rev:3;)
    

    If it doesnt work, add gmail at my nick. Ill be glad to help.

    Thanks.

    F.



  • OK.  I will get this up and running in a VM and fix the code.  Give me a few days, though.  I have some other commitments that will consume some of my time.

    I have also been hoping that any day now the maintainer will update Suricata in the FreeBSD ports tree.  That's the flag I usually wait for before I submit an update to the pfSense Team.  They like to stay in-sync with FreeBSD ports.  Suricata 2.0.7 has been out for quite some time, but FreeBSD ports is still on 2.0.6.

    Bill



  • Sorry it took a little longer than I anticipated, but I did finally get around to replicating the problem and will have the fix in the next Suricata update.  I'm hoping that won't be too far in the future.  I'm waiting for FreeBSD ports to update to the 2.0.7 release.  If that continues to drag out, then I will just post a separate GUI package update to fix this log management problem.

    Bill


Log in to reply