Replies: 3 comments
-
That video is from July 13, 2022 (over 2 years ago) and used an older version of Security Onion 2.3. Security Onion 2.4 no longer requires you to edit config files. Configuration should be done via the SOC Configuration screen. For more information, please see our Suricata configuration documentation:
-
You should be able to create a new variable through the Configuration interface. Go to Administration --> Configuration, open the options menu at the top of the screen, and select "Show all configurable settings". In the left-hand pane, go to suricata --> config --> vars --> address-groups. Select one of the address group variables, click the Duplicate button on the right, and enter the name of the new variable that you want. This should create a new list object on the left that you can put those IPs in.
-
Hi, great tool by the way.
-
Version: 2.4.80
Installation Method: Security Onion ISO image
Description: other (please provide detail below)
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 8
RAM: 24
Storage for /: 300
Storage for /nsm: 300
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:

Hi,

I followed the YouTube tutorial "Tuning Security Onion with Suricata Variables" from Mathew Gracie on a fresh standalone ISO install. Trouble is, when I modify the file /opt/so/saltstack/local/pillar/global/soc_global.sls to include a variable with a few IP addresses, it is not correctly imported in /opt/so/conf/suricata/suricata.yaml after a Suricata restart. I tried a few other syntaxes to no avail.

```yaml
suricata:
  config:
    vars:
      address-groups:
        MERCUSYS: '[192.168.1.11, 192.168.1.118, 192.128.1.119]'
```

```
sudo grep MERCUSYS /opt/so/conf/suricata/suricata.yaml
MERCUSYS: '['
```

Thanks a lot
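A defender's check for the symptom reported in the post above, added here as an example (not Security Onion's or Suricata's own code): it reads the `address-groups` block of a rendered suricata.yaml, such as /opt/so/conf/suricata/suricata.yaml, and flags any variable whose value is truncated (like `MERCUSYS: '['`) or is not a valid list of addresses or CIDRs. The sample text is constructed; `$VAR` references, `!` negation and `any` are accepted, nested lists are not handled.

```python
import ipaddress

# Constructed sample of a rendered address-groups section; MERCUSYS shows the truncated value.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
    EXTERNAL_NET: '!$HOME_NET'
    MERCUSYS: '['
"""

def extract_address_groups(text):
    """Return {name: raw value} for lines nested under 'address-groups:' (no YAML library needed)."""
    groups, base = {}, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "address-groups:":
            base = indent
            continue
        if base is None or not line.strip():
            continue
        if indent <= base:  # dedent ends the block
            break
        key, _, value = line.strip().partition(":")
        groups[key] = value.strip().strip("'\"")
    return groups

def check_address_group(value):
    """Problems with one address-group value ([] if well-formed). Nested lists are not supported."""
    v = value.strip()
    if v.startswith("["):
        if not v.endswith("]"):
            return ["unterminated list %r (looks truncated)" % v]
        items = [i.strip() for i in v[1:-1].split(",")]
    else:
        items = [v]
    problems = []
    for item in items:
        item = item.lstrip("!")  # negation prefix is legal; check what follows it
        if not item:
            problems.append("empty element")
        elif not item.startswith("$") and item.lower() != "any":
            try:  # $VAR references and 'any' need no address check
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                problems.append("not an address or CIDR: %s" % item)
    return problems

def check_all(text):
    """Map every address-group variable found in text to its list of problems."""
    return {k: check_address_group(v) for k, v in extract_address_groups(text).items()}
```

Run `check_all(open("/opt/so/conf/suricata/suricata.yaml").read())` after a restart to catch a mangled variable before the rules that reference it silently stop matching.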