Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How do I change suricata.yaml and get it to stick
« previous
next »
Print
Pages: [
1
]
Author
Topic: How do I change suricata.yaml and get it to stick (Read 2246 times)
someone
Full Member
Posts: 115
Karma: 2
How do I change suricata.yaml and get it to stick
«
on:
June 08, 2024, 11:04:05 pm »
I delete the yaml and put in a new one and reboot and its back to the old yaml, how do I change this behavior so I can edit the yaml file
Logged
jonny5
Newbie
Posts: 35
Karma: 3
Re: How do I change suricata.yaml and get it to stick
«
Reply #1 on:
July 27, 2024, 07:39:50 am »
While I do not have a solution, I did want to mention you can edit
Code:
[Select]
/usr/local/etc/suricata/custom.yaml
and then simply restart the service and have that change be used and stay for a while. You can even replace the "host-os-policy:" area here it seems, and enable additional features in "app-layer" that are normally disabled by default.
If you use the OPNSense IDS Administration GUI, set a Policy, or enable or disable a feature or Rule, the back-end actions will over write your custom.yaml file with the one found at
Code:
[Select]
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml
and luckily you can modify that file a little and have it work or at least in the past you could - I am currently having some difficulty there.
If you change the
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml
file at all it appears it will have a generation failure that shows up in the OPNSense IDS Admin GUI. If you delete the
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml
file, it will have a generation failure.
In short, currently, there is no way to do it.
Default settings are good, I want to customize some XFF output and have that stay around
A supported "custom.yaml" file where ideally you could over-write/replace all and add to suricata.yaml set options (in short you could replace most if not all the existing settings and/or add to them would be amazing.
«
Last Edit: July 27, 2024, 07:41:43 am by jonny5
»
Logged
jonny5
Newbie
Posts: 35
Karma: 3
Re: How do I change suricata.yaml and get it to stick
«
Reply #2 on:
July 27, 2024, 07:44:13 am »
Generation error message example
Logged
someone
Full Member
Posts: 115
Karma: 2
Re: How do I change suricata.yaml and get it to stick
«
Reply #3 on:
October 09, 2024, 04:07:06 am »
Thanks, I no longer want to edit the yaml file
Opnsense with suricata is working great
There is a learning curve
Thanks Opnsense too
Logged
someone
Full Member
Posts: 115
Karma: 2
Re: How do I change suricata.yaml and get it to stick
«
Reply #4 on:
October 14, 2024, 01:34:56 am »
My ISP uses DHCP so I dont really have a static IP though its ususally the same
I saw a static IP box in opnsense but havnt found it again to try yo use it or see what it is
Yes its under interface - WAN
I couldnt enter anything in it and was blocked out of it
Because set up is DHCP
And the reason I want to look at it is to see if that enters your IP into the IPS rules or is defined as such
So I dont have to change all the rules
No access to the suricata yaml is also a good thing due to bad guys
I can live with changing the rules, I have done it so many times now
it only takes about 45 minutes, as I also make my own blocklists
Just dont block your IP like I did, but found it pretty easy with search
I presently get a threat every 5 seconds, mostly bots, but they are hacking bots
Looking for a way in
«
Last Edit: October 18, 2024, 12:07:56 am by someone
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How do I change suricata.yaml and get it to stick