Suricata VARS

[tuamortemo]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16-32

RAM

16-32

Storage for /

200-300 GB

Storage for /nsm

1 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello!

After upgrading to version 2.4.80, I noticed a problem with changing the EXTERNAL NET in web-interface configuration. After entering the parameter !$HOME_NET and synchronization via the cli command "salt sensor-*_sensor state.apply suricata" In the output to the suricata file.yaml was recorded only first symbol "!"

Example:

---

      ID: suriconfig
Function: file.managed
    Name: /opt/so/conf/suricata/suricata.yaml
  Result: True
 Comment: File /opt/so/conf/suricata/suricata.yaml updated
 Started: 10:57:17.323680
Duration: 45.266 ms
 Changes:
          ----------
          diff:
              ---
              +++
              @@ -15,7 +15,7 @@
               vars:
                 address-groups:
                   HOME_NET: '[192.168.0.0/16,10.87.0.0/16,10.85.0.0/16]'
              -    EXTERNAL_NET: '"'
              +    EXTERNAL_NET: '!'
                   HTTP_SERVERS: $HOME_NET
                   SMTP_SERVERS: $HOME_NET
                   SQL_SERVERS: $HOME_NET

After that, I compared the new sensor and the old one that was deployed on an earlier version and saw the difference in the files
/opt/so/saltstack/local/pillar/minions/sensor-new_sensor.sls AND sensor-old.sls.
When I changed the view of the new file to the view of the old one, everything worked correctly and the EXTERNAL_NET parameter in suricata.yaml of the new sensor is now displayed correctly

sensor-old:

suricata:
config:
af-packet:
threads: "14"
vars:
address-groups:
DC_SERVERS:
- 192.168.200.191
- 192.168.200.192
DNS_SERVERS:
- 192.168.200.191
- 192.168.200.192
EXTERNAL_NET:
- '!$HOME_NET'
HOME_NET:
- 192.168.0.0/16
- 10.87.0.0/16
- 10.85.0.0/16
- 10.88.0.0/16
- 10.90.132.0/24

sensor-new:

(not working conf)
suricata:
config:
af-packet:
threads: "6"
vars:
address-groups:
EXTERNAL_NET: '!$HOME_NET'
HOME_NET:
- 192.168.0.0/16
- 10.87.0.0/16
- 10.85.0.0/16
(working conf)
suricata:
config:
af-packet:
threads: "6"
vars:
address-groups:
EXTERNAL_NET:
- '!$HOME_NET'
HOME_NET:
- 192.168.0.0/16
- 10.87.0.0/16
- 10.85.0.0/16

And this problem on all new added sensors when I try to chang EXTERNAL_NET via vars in web configuration

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

What is the output of sudo salt-call pillar.get suricata on your manager node?

[tuamortemo]

[root@manager-so adminso]# sudo salt-call pillar.get suricata
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/grains'
[INFO ] Syncing grains for environment 'base'
[INFO ] Loading cache from salt://_grains, for base
[INFO ] Caching directory '_grains/' for environment 'base'
local:
[root@manager-so adminso]#

[cm-ops]

This change coming in 2.4.90 should fix that issue. #13340

EXTERNAL_NET: '!$HOME_NET' that configuration should be:

EXTERNAL_NET:
  - '!$HOME_NET'