Bug #3270 (Closed)
conf files not found for suricata-update
Added by Rahul Surya about 5 years ago. Updated over 4 years ago.
Description
I am trying to install suricata-4.1.4, installing by default with the suricata-update feature. After "make install-full", I am seeing the updated rules and the suricata.yaml file present in the /etc/suricata location. But I have never seen the related files for "suricata-update": the update.yaml file, disable.conf, enable.conf etc. And the suricata-update doc mentions that by default rule-managing configurations like disable.conf will be taken from /etc/suricata/disable.conf, but that conf file is not present.
Files
suricata_update_log.txt (16.4 KB) | Rahul Surya, 10/23/2019 08:59 AM
Updated by Jason Ish about 5 years ago
Correct, these files are not created by default, but maybe it's something we should consider. The documentation does contain samples though:
https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-files
You can also dump these samples to disk with the following command:
suricata-update --dump-sample-configs
which will place a copy of each in your current directory.
Please note that the dumped update.yaml is an example, and is not suitable for use as-is. It will have to be updated before it can be used as a template that is installed by default.
Updated by Rahul Surya about 5 years ago
So here, when we run "suricata-update", from which location will the disable.conf be taken: the current location of the dumped files or /etc/suricata/? Or do we have to mention the flag with the disable.conf path every time, like "suricata-update --disable-conf="path of file""?
Updated by Shivani Bhardwaj about 5 years ago
Rahul Surya wrote:
So here, when we run "suricata-update", from which location will the disable.conf be taken: the current location of the dumped files or /etc/suricata/? Or do we have to mention the flag with the disable.conf path every time, like "suricata-update --disable-conf="path of file""?
It will by default look into /etc/suricata unless specified by the flag. You can use the -v option to see which configuration it is picking up at run time.
Updated by Rahul Surya about 5 years ago
- File suricata_update_log.txt added
Attached is the log file of suricata-update. I don't have any disable conf file, but what I am not getting is how come some of the logs show that rules got disabled. From where is the conf being read?
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dhcp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto tftp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto krb5
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto ntp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto modbus
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto enip
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dnp3
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto nfs
Updated by Shivani Bhardwaj about 5 years ago
Rahul Surya wrote:
Attached is the log file of suricata-update. I don't have any disable conf file, but what I am not getting is how come some of the logs show that rules got disabled. From where is the conf being read?
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dhcp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto tftp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto krb5
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto ntp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto modbus
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto enip
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dnp3
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto nfs
These are due to settings in your suricata configuration (/etc/suricata/suricata.yaml ?). This is disabling the application layer protocols that have not been enabled by suricata.
Updated by Rahul Surya about 5 years ago
One more doubt: while fetching files with suricata-update, all rules are merged into one file, suricata.rules. Can it be made into separate files like emerging-icmp.rules, emerging-tcp.rules etc.?
Updated by Shivani Bhardwaj about 5 years ago
Rahul Surya wrote:
One more doubt: while fetching files with suricata-update, all rules are merged into one file, suricata.rules. Can it be made into separate files like emerging-icmp.rules, emerging-tcp.rules etc.?
Yes, you could use the "--no-merge" option.
Updated by Rahul Surya about 5 years ago
What I observed is, I am doing a rule reload by giving a flag to suricata-update. If I made a drop rule for ICMP while running traffic, then changed that rule to alert and did a rule reload, the currently running traffic is still being dropped, but it should flow, right?
Updated by Rahul Surya about 5 years ago
I am trying to add a signature id in disable.conf, and the signature id is in my local rule file, and it's not getting disabled. Other rule files are getting disabled, like emerging threats and ja3 signatures from the rule URL suricata suggested.
Updated by Jason Ish about 5 years ago
Rahul Surya wrote:
I am trying to add a signature id in disable.conf, and the signature id is in my local rule file, and it's not getting disabled. Other rule files are getting disabled, like emerging threats and ja3 signatures from the rule URL suricata suggested.
Can you paste the contents of your disable.conf? Also try telling suricata-update about its config on the command line in case it's not being picked up by default, for example:
suricata-update --disable-conf /path/to/disable.conf ...
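As an added illustration (my own code, not suricata-update's), this reproduces the two disable.conf entry forms the suricata-update documentation describes, a bare signature id and re:<regex>, over a constructed rule set that includes a local rule; matching is only possible for rules suricata-update has actually been told about, which is why a local file has to be passed in before its sids can be disabled. The rules, sids and conf contents below are constructed samples.

```python
import re
from typing import List, Set, Tuple

# Constructed sample disable.conf: a bare sid and a "re:" regex entry.
# Comments and blank lines are ignored, as in the real file.
DISABLE_CONF = """\
# disable one rule by signature id
1000001
# disable every rule whose text matches this regex (case-insensitive)
re:tftp
"""

# Constructed sample rules: two ET-style rules plus one local rule (sid 1000001).
RULES = """\
alert tcp any any -> any 21 (msg:"ET SAMPLE ftp"; sid:2000001; rev:1;)
alert udp any any -> any 69 (msg:"ET SAMPLE tftp"; sid:2000002; rev:1;)
drop icmp any any -> any any (msg:"LOCAL icmp drop"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_disable_conf(text: str) -> Tuple[Set[int], List[re.Pattern]]:
    """Return (sids, regexes) parsed from disable.conf-style text."""
    sids, regexes = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            regexes.append(re.compile(line[3:].strip(), re.IGNORECASE))
        elif line.isdigit():
            sids.add(int(line))
        else:
            raise ValueError(f"unsupported disable.conf entry: {line!r}")
    return sids, regexes


def apply_disable(rules: str, conf: str) -> Tuple[str, List[int]]:
    """Comment out matching rules; return (new rules text, disabled sids in order)."""
    sids, regexes = parse_disable_conf(conf)
    out, disabled = [], []
    for rule in rules.splitlines():
        m = SID_RE.search(rule)
        sid = int(m.group(1)) if m else None
        if sid is not None and (sid in sids or any(r.search(rule) for r in regexes)):
            out.append("# " + rule)  # keep the rule text, but commented out
            disabled.append(sid)
        else:
            out.append(rule)
    return "\n".join(out) + "\n", disabled
```

Running apply_disable(RULES, DISABLE_CONF) disables the tftp rule via the regex and the local rule via its sid, leaving the ftp rule active.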
Updated by Rahul Surya about 5 years ago
Rahul Surya wrote:
I am trying to add a signature id in disable.conf, and the signature id is in my local rule file, and it's not getting disabled. Other rule files are getting disabled, like emerging threats and ja3 signatures from the rule URL suricata suggested.
Can you paste the contents of your disable.conf? Also try telling suricata-update about its config on the command line in case it's not being picked up by default, for example:
suricata-update --disable-conf /path/to/disable.conf
Yeah, I checked this one. For disabling or enabling my own created rule file, I am using a command like
suricata-update --local=<filename or directory>
Without mentioning the --local option it's not working.
Jason Ish wrote:
Rahul Surya wrote:
I am trying to add a signature id in disable.conf, and the signature id is in my local rule file, and it's not getting disabled. Other rule files are getting disabled, like emerging threats and ja3 signatures from the rule URL suricata suggested.
Can you paste the contents of your disable.conf? Also try telling suricata-update about its config on the command line in case it's not being picked up by default, for example:
[...]
Updated by Rahul Surya about 5 years ago
Can you check this one:
I am doing a rule reload by giving a flag to suricata-update. If I made a drop rule for ICMP while running traffic, then changed that rule to alert and did a rule reload, the currently running traffic is still being dropped, but it should flow, right?
Updated by Shivani Bhardwaj about 5 years ago
Hi Rahul!
Sorry about getting back late on this. Could you please give some more description? Preferably the rule that you're trying to work on, your disable.conf, the commands you are using and the procedure? We may be able to help you then.
Updated by Shivani Bhardwaj about 5 years ago
- Status changed from New to Assigned
Updated by Shivani Bhardwaj over 4 years ago
Closing due to inactivity on this issue for a long time. Please create a new issue in case the problem persists.
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from Assigned to Closed