Export Suricata Rule Tuning Configuration?

[jollysig]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

256gb

Storage for /

300gb

Storage for /nsm

2tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After 5 faithful years of 24/7 service, our hard drives in our distributed cluster are starting to fail. The good news is that we budgeted to purchase new drives and have acquired a handful of newer servers. The plan is to rip out the old servers and green field another cluster.

We have documented all our changes over the years, but one thing has drawn a slight blank. What is the most efficient way to export and import our Suricata rule tuning in version 2.4.190? I've searched the documentation and community support and didn't see that covered anywhere.

Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Some of your tuning will be backed up in /nsm/backup/so-config-backup-<date>.tar That will be pillar and salt data in the local path, for example, your idstools pillar.

If you have custom detections and overrides, you will see them in /nsm/backup/detections/repo

[jollysig]

Thanks, that pointed me in the right direction.

So I need to grab a backup:

https://docs.securityonion.net/en/2.4/backup.html

Then I need to restore it on my new Manager:

#14040 (comment)

I'm posting the links here incase someone else needs this info. The backup contains a copy of Suricatta thresholds / suppressions. It's located at /opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml incase you just need that specific file.