AWS Cluster with Suricata not running anywhere except for sensors so how do I update global.sls? #9473
I am running a cluster on AWS with a master, two search nodes and three sensors. All is well until I tried to add thresholding to rules to block certain alerts from triggering. It's failing when I restart Suricata with so-suricata-restart because Suricata is not running on the master. In fact, it's only running on the sensors. What can I do to remedy this? I confirmed that there is nothing in /opt/so/log/suricata, so it looks like it never ran...
Replies: 2 comments
For more context, I followed the default configurations for all node types. So it doesn't appear that Suricata is running by default on anything except for the sensors. And it is working there, because I am seeing alerts. But what isn't working is blocking the alerts. I don't know what did it (so-rules-updates or salt '*'...) but I can see the threshold on the sensors at /opt/so/conf/suricata/threshold.conf, yet I am still seeing the rule being triggered. And I tried so-suricata-restart on each of the sensors. Here is what is in threshold.conf on the sensors now: How do I know that the gen_id is 1??? In the video that Doug Burks does on this, I think he says to assume it is 1, but I have no idea how to verify it.
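On the gen_id question above: Suricata writes the generator id of every alert as the alert.gid field in its EVE JSON output (rules without an explicit gid keyword use 1), so it can be read off the alerts the sensors are already producing rather than assumed. The following script is an added example, not part of this thread or of Security Onion; it uses constructed sample EVE lines and hypothetical function names to tally the (gid, sid) pairs seen in alerts, emit the matching threshold.conf suppress syntax, and report which observed signatures a given threshold.conf does not yet cover.

```python
import json
import re

# Constructed sample EVE JSON lines (not taken from the thread). Only the
# "alert" events carry alert.gid / alert.signature_id.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"flow","src_ip":"10.0.0.5"}
{"event_type":"alert","src_ip":"10.0.0.9","alert":{"gid":1,"signature_id":2013028,"rev":4,"signature":"ET POLICY curl User-Agent Outbound"}}
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
"""

def alert_ids(eve_text):
    """Return {(gid, sid): count} for the alert events in EVE JSON text."""
    counts = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        key = (rec["alert"]["gid"], rec["alert"]["signature_id"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def suppress_line(gid, sid, track=None, ip=None):
    """Build a threshold.conf suppress entry from an observed (gid, sid)."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track and ip:  # optional per-host form: track by_src/by_dst, ip <addr>
        line += f", track {track}, ip {ip}"
    return line

# suppress/threshold entries: "<kind> gen_id N, sig_id N[, more options]"
THRESHOLD_RE = re.compile(
    r"^(suppress|threshold)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(?:\s*,\s*(.*))?$")

def parse_threshold_conf(text):
    """Parse threshold.conf into (kind, gid, sid, rest) tuples; reject bad lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = THRESHOLD_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised threshold entry: {raw!r}")
        entries.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4) or ""))
    return entries

def uncovered(eve_text, conf_text):
    """(gid, sid) pairs seen in EVE alerts that no threshold.conf entry addresses."""
    covered = {(g, s) for _, g, s, _ in parse_threshold_conf(conf_text)}
    return sorted(k for k in alert_ids(eve_text) if k not in covered)
```

If a pair still shows up as uncovered after the file is in place, the entry is not matching that alert, which is the symptom described in the comment above.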
Sigh, typo...
Once I got the rule right and did this, it worked:
salt '*' state.highstate