Bug #7278
Suricata Service - Advanced Configuration Pass-Through not working (closed)
Description
- Issue: Advanced Configuration Pass-Through not working under pfSense > Services > Suricata > Edit Interface Settings - WAN (I'm using the WAN interface)
Pfsense Version: 2.3.2-Release
Suricata Version: 3.1.2_2
- Reproduction:
- Add the Suricata Service
- Edit either of the two .yaml files available in the shell (as root)
- find / -name '*.yaml'
/usr/local/etc/suricata/suricata.yaml
/usr/local/etc/suricata/suricata_20934_ix1/suricata.yaml
- Edit with vi, save.
- Reload Suricata
Suricata reloads, and rebuilds the configuration files from pfSense options (notice the time stamps):
drwxr-xr-x  3 root wheel     512 Feb 18 02:04 .
drwxr-xr-x  4 root wheel     512 Feb 18 02:04 ..
-rw-r--r--  1 root wheel    2888 Feb 18 16:49 classification.config
-rw-r--r--  1 root wheel     185 Feb 18 16:49 passlist
-rw-r--r--  1 root wheel    1332 Feb 18 16:49 reference.config
drwxr-xr-x  2 root wheel     512 Feb 18 02:04 rules
-rw-r--r--  1 root wheel 2485735 Feb 18 16:49 sid-msg.map
-rw-r--r--  1 root wheel    8927 Feb 18 16:49 suricata.yaml
-rw-r--r--  1 root wheel       0 Feb 18 16:49 threshold.config
-rw-r--r--  1 root wheel   53841 Feb 18 16:49 unicode.map

drwxr-xr-x  3 root wheel     512 Feb 18 02:04 .
drwxr-xr-x  4 root wheel     512 Feb 18 02:04 ..
-rw-r--r--  1 root wheel    2888 Feb 18 17:10 classification.config
-rw-r--r--  1 root wheel     185 Feb 18 17:10 passlist
-rw-r--r--  1 root wheel    1332 Feb 18 17:10 reference.config
drwxr-xr-x  2 root wheel     512 Feb 18 02:04 rules
-rw-r--r--  1 root wheel 2485735 Feb 18 17:10 sid-msg.map
-rw-r--r--  1 root wheel    8927 Feb 18 17:10 suricata.yaml
-rw-r--r--  1 root wheel       0 Feb 18 17:10 threshold.config
-rw-r--r--  1 root wheel   53841 Feb 18 17:10 unicode.map
- Check the loaded configuration: ps auxwww | grep suricata
root 52501 0.1 1.3 561304 418060 - Ss 5:10PM 0:11.72 /usr/local/bin/suricata -i ix1 -D -c /usr/local/etc/suricata/suricata_20934_ix1/suricata.yaml --pidfile /var/run/suricata_ix120934.pid
- Contents of Advanced Configuration Pass-Through are not parsed into the new suricata.yaml configuration file after reload:
- Add the configuration under Services > Suricata > Edit Interface Settings - WAN (I'm using the WAN interface) > Advanced Configuration Pass-Through
- Recheck the /usr/local/etc/suricata/suricata_20934_ix1/suricata.yaml file
The added configuration does not load the Advanced Configuration Pass-Through contents (this is what I have in Advanced Configuration Pass-Through):
threading:
  set-cpu-affinity: yes
  cpu-affinity:   # parent key that the per-thread cpu sets below belong under
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 1 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ "2" ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-3" ]
    - detect-cpu-set:
        cpu: [ "4,6" ]
        mode: "exclusive"  # run detect threads on these cpus
        # Use explicitly 3 threads and don't compute the number from the
        # detect-thread-ratio variable:
        threads: 3
        prio:
          low: [ "0-3" ]
          medium: [ "5-7" ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "0" ]
        prio:
          default: "medium"
detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
Notice the actual contents of the attached suricata.yaml file (it does not include the configuration added in Advanced Configuration Pass-Through).
The first tuning, for cpu-affinity (threading), was found here: https://home.regit.org/2011/01/optimizing-suricata-on-a-multicore-cpu/
The second tuning, for memory, was found here: http://suricata.readthedocs.io/en/latest/performance/high-performance-config.html
- Hardware:
I have a low-power server Xeon with plenty of memory, and I am seeking to tune Suricata (set and then forget, basically).
hw.model: Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
hw.machine: amd64
hw.ncpu: 8
real memory = 34359738368 (32768 MB)
avail memory = 33147830272 (31612 MB)
- Result: pfSense is not parsing the Advanced Configuration Pass-Through.
- Affected: Unable to tune advanced features in the Suricata configuration for Branch/Office Hardware
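A check for the failure mode reported above: after a reload, confirm that the generated suricata.yaml actually carries the keys entered in the pass-through box instead of silently dropping them. This is an added example written for this report, not pfSense package code; the two sample file contents and the expected key paths are constructed from the reporter's block.

```python
# Added example, not pfSense package code; sample files and key paths are constructed.
import re
KEY_RE = re.compile(r'^(\s*)(- )?([A-Za-z0-9_.-]+):\s*(.*?)\s*$')

def yaml_key_paths(text):
    """Map dotted key paths to scalar values for the block-style mappings and
    '- name:' lists suricata.yaml uses (deliberately not a full YAML parser)."""
    found, stack = {}, []                        # stack of (indent, key)
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)  # '- ' list body
        key, value = m.group(3), m.group(4).split('#', 1)[0].strip()
        while stack and stack[-1][0] >= indent:  # dedent closes open maps
            stack.pop()
        stack.append((indent, key))
        found['.'.join(k for _, k in stack)] = value.strip('"\'') or None
    return found

def missing_passthru(generated, expected):
    """Expected key paths that are absent from or differ in the generated file."""
    have = yaml_key_paths(generated)
    return sorted(p for p, v in expected.items() if have.get(p) != v)

# Constructed stand-ins: the file as emitted with the pass-through dropped, and with it merged.
BROKEN = """\
threading:
  set-cpu-affinity: no
detect:
  profile: medium
"""
FIXED = """\
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - detect-cpu-set:
        cpu: [ "4,6" ]
        mode: "exclusive"  # run detect threads on these cpus
detect:
  profile: custom
  custom-values:
    toclient-groups: 200
"""
EXPECTED = {  # taken from the reporter's pass-through block
    'threading.set-cpu-affinity': 'yes',
    'threading.cpu-affinity.detect-cpu-set.mode': 'exclusive',
    'detect.profile': 'custom',
    'detect.custom-values.toclient-groups': '200',
}
```

Run it against the real generated file (read from the interface directory shown in the ps output) right after each reload; a non-empty result means the GUI settings never reached the running configuration.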
Updated by Kill Bill about 8 years ago
Please, use the pre button to post code/command output. This is just an unreadable mess.
Updated by Michael Strasner about 8 years ago
This is just ... mess.
Interesting wording, that's what I thought of the feature.
Updated by Kill Bill about 8 years ago
OK... So, this is the code that's handling that in Snort:
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc#L3496
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_generate_conf.php#L47
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_conf_template.inc#L102
Considering there's just nothing like that in Suricata, I cannot see how it would ever work, LOL.
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata.inc#L3599
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_generate_yaml.php - nothing there
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_yaml_template.inc - nothing there
Updated by Michael Strasner about 8 years ago
LMFAO~!
Is there a workaround you can suggest?
Thanks for the update!
Updated by Kill Bill about 8 years ago
Well the above should give you a hint on what to add where. LOL. :-P
This package is actively maintained by https://github.com/bmeeks8?tab=activity, so I'd rather wait a bit before messing with that myself. (Also, the YAML thing is way more sensitive than snort.conf when it comes to producing invalid config, not really keen on touching this beast...)
Updated by Bill Meeks about 8 years ago
I will make some time to check into this. I had not realized the Advanced Pass-Through code was missing in Suricata. It may have gotten lost during the Bootstrap conversion.
Bill
Updated by Julian Wecke almost 8 years ago
Hi all,
I just ran into this bug as I was testing configs for another feature I'm currently developing for the Suricata package. So I decided to quickly fix it. PR: https://github.com/pfsense/FreeBSD-ports/pull/364
Greetings,
Julian aka securitym0nkey
Updated by Renato Botelho almost 8 years ago
- Status changed from New to Feedback
- Target version set to 2.3.4-p2
Merged, thanks!
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
- Target version deleted (2.3.4-p2)