OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Evert on July 10, 2025, 10:35:56 AM

Title: threshold.conf
Post by: Evert on July 10, 2025, 10:35:56 AM
Hi,

Is it possible to modify threshold.conf via the GUI? If not, are there plans to implement this?


Oh, and do modifications to /usr/local/etc/suricata/threshold.config survive an update of OPNsense?
Title: Re: threshold.conf
Post by: jonny5 on July 11, 2025, 03:42:24 AM
In my experience, the script/cron-job that runs the OPNsense rule update via policy replaces several key files in the /usr/local/etc/suricata folder, and I believe threshold.conf is one of them.

At the very least, when you do a rule build generally it is supposed to create or update that file from what I've learned with 'suricata-update' (the slightly more natural way to update rules). Will say, I feel like I only know the shallow end of the pool here, so, what actually happens and what is supposed to happen with threshold.conf is a bit unknown to me.

If you are wanting to get into more customization of Suricata and possibly use the natural stack of Suricata to do things, possibly including using 'suricata-update' to make your rules files and such, then please check out a blog post I made.

Using Suricata-Update on OPNSense (https://www.nova-labs.net/using-suricata-update-on-opnsense/)

Following this guide will have you turn off OPNsense's policy-based rule update process and in this, you will get full control over the threshold.conf file. As already mentioned, how it gets created, and how it persists within the natural suricata/suricata-update space is still something I'm exploring.