How do I change suricata.yaml and get it to stick

Started by someone, June 08, 2024, 11:04:05 PM

I delete the yaml and put in a new one and reboot, and it's back to the old yaml. How do I change this behavior so I can edit the yaml file?

July 27, 2024, 07:39:50 AM #1 Last Edit: July 27, 2024, 07:41:43 AM by jonny5
While I do not have a solution, I did want to mention you can edit /usr/local/etc/suricata/custom.yaml and then simply restart the service and have that change be used and stay for a while. You can even replace the "host-os-policy:" area here it seems, and enable additional features in "app-layer" that are normally disabled by default.

If you use the OPNSense IDS Administration GUI, set a Policy, or enable or disable a feature or Rule, the back-end actions will overwrite your custom.yaml file with the one found at /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml, and luckily you can modify that file a little and have it work, or at least in the past you could; I am currently having some difficulty there.

If you change the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file at all it appears it will have a generation failure that shows up in the OPNSense IDS Admin GUI. If you delete the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file, it will have a generation failure.

In short, currently, there is no way to do it.

Default settings are good; I want to customize some XFF output and have that stay around.

A supported "custom.yaml" file where ideally you could overwrite/replace all and add to suricata.yaml set options (in short, you could replace most if not all of the existing settings and/or add to them) would be amazing.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
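Added example, not code from the thread or from OPNsense: a small POSIX shell check for the behaviour jonny5 describes, telling you whether the GUI has regenerated /usr/local/etc/suricata/custom.yaml from the template (and so dropped your edits) and which top-level sections you would need to re-apply. The saved-copy path /root/custom.yaml.mine and the sample YAML content are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether the OPNsense IDS GUI has regenerated
# custom.yaml from its template and discarded your edits. The two OPNsense paths are the ones
# named above; SAVED is an assumed location for your own edited copy of custom.yaml.
DEPLOYED=/usr/local/etc/suricata/custom.yaml
TEMPLATE=/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml
SAVED=/root/custom.yaml.mine
# Returns 0 = deployed matches your saved edit, 1 = reverted to the template, 2 = neither.
check_custom_yaml() {
    deployed=$1; template=$2; saved=$3
    if cmp -s "$deployed" "$saved"; then
        echo "intact: $deployed matches your saved edit"; return 0
    elif cmp -s "$deployed" "$template"; then
        echo "reverted: $deployed was regenerated from $template"; return 1
    fi
    echo "unknown: $deployed matches neither the template nor your saved edit"; return 2
}
# List the top-level YAML sections in which $1 differs from $2 (each line is tagged with its key).
changed_sections() {
    t=$(mktemp -d)
    awk '/^[A-Za-z_-]+:/ { key = $1 } { print key "\t" $0 }' "$1" > "$t/a"
    awk '/^[A-Za-z_-]+:/ { key = $1 } { print key "\t" $0 }' "$2" > "$t/b"
    diff "$t/a" "$t/b" | grep '^[<>]' | cut -f1 | sed 's/^[<>] //; s/:$//' | sort -u
    rm -rf "$t"
}
# Constructed sample files standing in for the real ones: the "template" sets only a
# Windows host policy; the "saved" edit swaps it for Linux and enables the modbus parser.
demo_files() {
    dir=$(mktemp -d)
    printf 'host-os-policy:\n  windows: [0.0.0.0/0]\n' > "$dir/template.yaml"
    printf 'host-os-policy:\n  linux: [0.0.0.0/0]\napp-layer:\n  protocols:\n    modbus:\n      enabled: yes\n' > "$dir/saved.yaml"
    echo "$dir"
}
# Pretend the deployed file is the "$1" (saved|template) version; return the check status.
demo_check() {
    dir=$(demo_files); cp "$dir/$1.yaml" "$dir/deployed.yaml"
    if check_custom_yaml "$dir/deployed.yaml" "$dir/template.yaml" "$dir/saved.yaml"; then rc=0; else rc=$?; fi
    rm -rf "$dir"; return $rc
}
demo_sections() {  # changed sections of the sample edit, space-separated
    dir=$(demo_files)
    changed_sections "$dir/saved.yaml" "$dir/template.yaml" | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$dir"
}
if [ -r "$DEPLOYED" ] && [ -r "$SAVED" ]; then
    check_custom_yaml "$DEPLOYED" "$TEMPLATE" "$SAVED" && changed_sections "$SAVED" "$TEMPLATE"
else  # not on an OPNsense box: run the constructed demo instead
    demo_check template || true; echo "sections to re-apply: $(demo_sections)"
fi
```

Run it from cron or after any change in the IDS GUI; a "reverted" result means the GUI has regenerated the file and the listed sections are the ones to copy back.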

Generation error message example

Thanks, I no longer want to edit the yaml file.
Opnsense with suricata is working great.
There is a learning curve.
Thanks Opnsense too.

October 14, 2024, 01:34:56 AM #4 Last Edit: October 18, 2024, 12:07:56 AM by someone
My ISP uses DHCP so I don't really have a static IP, though it's usually the same.
I saw a static IP box in opnsense but haven't found it again to try to use it or see what it is.
Yes, it's under Interface - WAN.
I couldn't enter anything in it and was blocked out of it
because setup is DHCP.
And the reason I want to look at it is to see if that enters your IP into the IPS rules or is defined as such,
so I don't have to change all the rules.
No access to the suricata yaml is also a good thing due to bad guys.
I can live with changing the rules; I have done it so many times now
it only takes about 45 minutes, as I also make my own blocklists.
Just don't block your IP like I did, but found it pretty easy with search.
I presently get a threat every 5 seconds, mostly bots, but they are hacking bots
looking for a way in.