Bug #7595

closed

suricata custom SID Mgmt configuration missing after full system restore

Added by John Silva almost 7 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 05/21/2017
% Done: 0%

Description

Decided to try 2.4 today. I first tried building a new ZFS VM and attempted to restore my config to a clean system. Had quite a few issues during this process such as unrestored config, unbound failures, missing packages, etc.

After restoring my 2.3.5 config to a freshly installed 2.4.0 snapshot I noticed that my SID management customizations were not present. I had to manually restore the files to /var/db/suricata/sidmods and reapply SID customization config to get my customizations back in working order.

It seems that sidmods aren't backed up with the rest of the configuration so aren't restored as expected.

Affected versions:

suricata 3.2.1_1

2.4.0-BETA (amd64)
built on Sat May 20 19:05:22 CDT 2017
FreeBSD 11.0-RELEASE-p10

Actions #1

Updated by John Silva almost 7 years ago

Sorry, should have filed this under pfSense-Packages.

Actions #2

Updated by Bill Meeks almost 7 years ago

This is admittedly not optimal, but it is by design (by default). This is because all of the firewall configuration is stored in a single XML file, the config.xml file. That is the file that gets backed up when you do a backup, and that is the single file that is restored when you restore a previous configuration.

Packages store some of their configuration in that XML file, but some packages like Snort, Suricata, pfBlockerNG and others also have their own individual text files to hold data that is not stored in the config.xml firewall configuration file. The SID Management files of Snort and Suricata are an example. The firewall's backup processes have no knowledge of these extra text files and thus do not back them up. Backing up and restoring those is left to the user. Perhaps if there is enough interest, the pfSense developers might consider offering some kind of API where packages could register additional files to be backed up along with the config.xml file.

Bill

Actions #3

Updated by John Silva almost 7 years ago

Appreciate the response, Bill.

It would be good to have an API where packages can mark files/directories for backup - this would fit nicely with the principle of least surprise.

Actions #4

Updated by Jim Pingle over 4 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Upgrade to Suricata
  • Status changed from New to Not a Bug

Actions #5

Updated by Bill Meeks over 4 years ago

This is no longer an issue with either the Suricata or Snort packages. Both packages now have the SID MGMT lists stored within the appropriate package section of the firewall's config.xml file as Base64 encoded strings.

So SID management configuration settings are now stored along with all of the other IDS/IPS configuration parameters, and they will thus be restored when a previous config.xml file is restored.
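
An added example (not from this thread or from the pfSense or Suricata package code): a pre-restore check that lists the Base64-encoded SID management lists found in a config.xml backup and flags any entry that does not decode. The element names `sid_list`, `name` and `content`, and the sample backup itself, are assumptions constructed for illustration; adjust them to what your own config.xml contains.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample backup. The element names below <installedpackages>
# are assumptions for illustration, not the package's documented schema.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <suricata>
      <sid_list>
        <name>disablesid-sample.conf</name>
        <content>{disable}</content>
      </sid_list>
      <sid_list>
        <name>broken.conf</name>
        <content>@@not-base64@@</content>
      </sid_list>
    </suricata>
  </installedpackages>
</pfsense>""".format(disable=base64.b64encode(b"# constructed\n1:2100498\n").decode())


def sid_lists_in_backup(xml_text, package="suricata", item_tag="sid_list"):
    """Return ({name: decoded text}, [names whose content failed to decode])."""
    root = ET.fromstring(xml_text)
    decoded, bad = {}, []
    # Look only inside the named package section of the backup.
    for item in root.iterfind(f"./installedpackages/{package}//{item_tag}"):
        name = (item.findtext("name") or "").strip() or "<unnamed>"
        raw = (item.findtext("content") or "").strip()
        try:
            # validate=True rejects characters outside the Base64 alphabet
            # instead of silently discarding them.
            decoded[name] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            bad.append(name)
    return decoded, bad


if __name__ == "__main__":
    lists, bad = sid_lists_in_backup(SAMPLE_CONFIG)
    for name, text in lists.items():
        print(f"{name}: {len(text.splitlines())} line(s)")
    for name in bad:
        print(f"{name}: content is not valid Base64, would not restore cleanly")
```

An empty result for a backup taken from an older package version means the lists still live only in /var/db/suricata/sidmods and must be copied separately.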
