Netgate Discussion Forum

    Suricata - Advanced Configuration pass through not working

      jkmuk

      I have recently set up Suricata and found many alerts related to streaming traffic. After a bit of googling I found that there is a stream parameter that could be tuned:

      stream:
        max-synack-queued: 5

      The default is 5 and I am looking to increase this value, and I presume the advanced configuration pass-through will be the place to do it. But when I put this in, nothing seems to be happening.
      The configuration file created by pfSense at /usr/pbi/suricata-amd64/etc/suricata/suricata_47436_pppoe0/suricata.yaml does not include this parameter. Am I missing a trick or is there a bug?

      I have manually edited this file and the new value has been picked up, but this will be lost as soon as I make any change in the configuration using the GUI. I would like a permanent solution.

        bmeeks

        I will need to check on this.  I think the pass-through gets very little use, so problems there can go unnoticed for quite a while.  Note that future Suricata action in terms of updates will be happening primarily on the pfSense 2.3 branch.  Serious bugs can still be fixed on the 2.2.x branch, though.

        Here is a workaround in the meantime –

        Edit the file /usr/local/pkg/suricata/suricata_yaml_template.inc

        Find this section in the file and add your custom parameter as shown:

        
        stream:
          memcap: {$stream_memcap}
          checksum-validation: no
          inline: auto
          max-sessions: {$stream_max_sessions}
          prealloc-sessions: {$stream_prealloc_sessions}
          midstream: {$stream_enable_midstream}
          async-oneside: {$stream_enable_async}
          max-synack-queued : 5
        
        

        Save the change.  Be very careful and DO NOT change anything inside the curly braces.  Those are system variables whose content is substituted when the suricata.yaml file is generated from this template.  The change I show will cause your custom stream parameter to be inserted into the suricata.yaml file for every Suricata interface each time the file is regenerated.

        Edit:  added workaround fix

        Bill

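Added example, not part of bmeeks's post or the Suricata package: a POSIX sh check that the template edit described above actually reached every regenerated per-interface suricata.yaml. The `suricata_*/suricata.yaml` glob is generalized from the single path quoted in the thread; the function names, the sample file and the expected value 10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# Print a direct child KEY of the top-level "stream:" block; status 1 if absent.
stream_param() {  # usage: stream_param FILE KEY
    awk -v key="$2" '
        /^stream:[ \t]*$/ { in_stream = 1; child = -1; next }
        /^[^ \t#]/        { in_stream = 0 }   # another top-level key ends the block
        in_stream {
            line = $0
            sub(/^#.*$/, "", line); sub(/[ \t]+#.*$/, "", line)   # drop comments
            if (line !~ /[^ \t]/) next            # blank line
            match(line, /[^ \t]/); indent = RSTART - 1
            if (child < 0) child = indent         # indent of the first child key
            if (indent != child) next             # skip nested keys (reassembly: ...)
            n = index(line, ":"); if (n == 0) next
            k = substr(line, indent + 1, n - indent - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k)                # tolerate "key : value"
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Check every per-interface config under BASE; status 1 if any lacks KEY=WANT.
check_all() {  # usage: check_all BASE KEY WANT
    rc=0
    for f in "$1"/suricata_*/suricata.yaml; do
        [ -f "$f" ] || { echo "no generated configs under $1"; return 2; }
        got=$(stream_param "$f" "$2") || got="<missing>"
        if [ "$got" = "$3" ]; then echo "OK   $f"; else echo "FAIL $f ($2=$got)"; rc=1; fi
    done
    return $rc
}

# Constructed sample (not a real config) so the check can be tried off the firewall.
demo() {
    d=$(mktemp -d) && mkdir "$d/suricata_1_em0" &&
    printf 'stream:\n  memcap: 32mb\n  reassembly:\n    depth: 1mb\n  max-synack-queued : 10\n' \
        > "$d/suricata_1_em0/suricata.yaml" &&
    check_all "$d" max-synack-queued 10
}
```

On the firewall, after saving any interface setting in the GUI so the files are regenerated, the call would be `check_all /usr/pbi/suricata-amd64/etc/suricata max-synack-queued 10`, with 10 replaced by the value placed in the template.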
          jkmuk

          Many thanks. This works now.

            bmeeks

            By the way, this parameter (max-synack-queued) is now configurable in the GUI for an interface on Suricata 3.0 in pfSense 2.3-BETA.

            Bill

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.