4. Suricata - Advanced Configuration pass through not working

Suricata - Advanced Configuration pass through not working

  • J

    I have recently setup  Suricata and found many alerts related to  Streaming traffic.  After a bit of googling  I found that there is a stream paratemeter that could be tuned

    stream:  max-synack-queued : 5 The default is 5 and I am looking to increase this value and I presume the advanced configuration pass through will be the place to do it. But when I put this in nothing seems to be happening. 
    The configuration file created by pfsense at /usr/pbi/suricata-amd64/etc/suricata/suricata_47436_pppoe0/suricata.yaml does not include this parameter.  Am I missing a trick or is there a bug?

    I have manually edited this file and the new value has been picked up, but this will be lost as soon as I make any change in the configuration using the GUI.. I would like a permanent solution.

    0

  • I will need to check on this.  I think the pass-through gets very little use, so problems there can go unnoticed for quite a while.  Note that future Suricata action in terms of updates will be happening primarily on the pfSense 2.3 branch.  Serious bugs can be still be fixed on the 2.2.x branch, though.

    Here is a workaround in the meantime –

    Edit the file /usr/local/pkg/suricata/suricata_yaml_template.inc

    Find this section in the file and add your custom parameter as shown:

    
stream:
  memcap: {$stream_memcap}
  checksum-validation: no
  inline: auto
  max-sessions: {$stream_max_sessions}
  prealloc-sessions: {$stream_prealloc_sessions}
  midstream: {$stream_enable_midstream}
  async-oneside: {$stream_enable_async}
  max-synack-queued : 5

    Save the change.  Be very careful and DO NOT change anything inside the curly braces.  Those are system variables whose content is substituted when the suricata.yaml file is generated from this template.  The change I show will cause your custom stream parameter to be inserted into the suricata.yaml file for every Suricata interface each time the file is regenerated.

    Edit:  added workaround fix

    Bill

    0
  • J

    many Thanks. This works now.

    0

  • By the way, this parameter (max-synack-queued) is now configurable in the GUI for an interface on Suricata 3.0 in pfSense 2.3-BETA.

    Bill

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy