[Oisf-users] Reloading configuration not possible without restarting Suricata?

Timo Sigurdsson public_timo.s at silentcreek.de
Tue Nov 26 15:55:04 UTC 2019


Hi Andreas,

Andreas Herz schrieb am 23.11.2019 23:35 (GMT +01:00):
> On 11/11/19 at 02:01, Timo Sigurdsson wrote:
>> 2) Change the value of HOME_NET in suricata.yaml
>> 3) Reload Suricata either via:
>> kill -USR2 $SURICATA_MAIN_PID
> 
> I am the one from the redmine issue you posted and I used this exact way
> to do this in the past. I also had the dynamic IP set in a different
> yaml file which was included by the main one. But I never used the
> suricatasc to confirm/change it though had no issues with it not
> working.
> 
> Can you check if it's just a logging issue or can you confirm that rules
> don't hit anymore due to the old HOME_NET settings?

Ok, so, I added two simple test rules to check if the HOME_NET variable is updated after a rule reload.
You were right, the new IP addresses are in fact used after a reload. It is only suricatasc which still reports the original values.

The two test rules I added are these:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "TEST RULE: ICMP packet from HOME_NET to EXTERNAL_NET detected"; classtype:not-suspicious; priority:4; sid:8888; rev:1;)
alert icmp any any -> $EXTERNAL_NET any (msg: "TEST RULE: ICMP packet from any to EXTERNAL_NET detected"; classtype:not-suspicious; priority:4; sid:8889; rev:1;)

I tested this in two ways. I started Suricata with all IP addresses defined correctly in HOME_NET. I pinged an external host from an internal client and both rules triggered. Then I replaced the IP addresses in HOME_NET (and the values in my includes) with bogus values and reloaded suricata via 'suricatasc -c ruleset-reload-nonblocking'. After the reload completed, I redid the ping tests, but now only the second rule fired. So, HOME_NET was indeed updated. I also tested it the other way around, starting Suricata with bogus addresses in HOME_NET, then changing the configuration followed by a reload of Suricata. After the reload, both rules trigger again, so HOME_NET was updated. I did this for IPv4 and IPv6 and all worked. In all cases, though, suricatasc still reports the original values of the configuration variables, not the updated values that are actually matched after the reload.

Long story short, it seems suricata behaves as expected, but I would consider it a bug in suricatasc that configuration changes are not reflected in the output of 'suricatasc -c "conf-get <CONFIGURATION_ITEM>"' after a reload of suricata.


Thanks and regards,

Timo


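The check described in the post above (two test rules, one bound to $HOME_NET and one to any, then comparing what fires against what conf-get reports) can be scripted. The following is an added example, not code from the thread or from the Suricata project. It speaks the JSON-over-unix-socket command protocol that suricatasc uses, asks for the HOME_NET value, compares it with the value expected from suricata.yaml, and classifies the test-rule alerts (sid 8888 and 8889 from the post) found in eve.json. The socket path, the eve.json path, the expected HOME_NET value and the sample eve.json lines are assumptions constructed for the example; the protocol version string and the conf-get argument name are taken from how suricatasc talks to the daemon and should be checked against the local Suricata version.

```python
#!/usr/bin/env python3
"""Cross-check Suricata's HOME_NET after a live reload (added example).

Compares the value conf-get reports over the command socket with the
value expected from suricata.yaml, and classifies the two test-rule
alerts from the mailing-list post to see which HOME_NET the detection
engine really used. Paths and expected values below are assumptions.
"""
import json
import socket

SOCKET_PATH = "/var/run/suricata/suricata-command.socket"  # assumed default path
HOME_NET_VAR = "vars.address-groups.HOME_NET"
SID_HOME_TO_EXT = 8888  # "$HOME_NET any -> $EXTERNAL_NET any" test rule from the post
SID_ANY_TO_EXT = 8889   # "any any -> $EXTERNAL_NET any" test rule from the post


def normalize_address_group(value):
    """Turn '[192.168.0.0/16, 10.0.0.0/8]' or '10.0.0.0/8' into a set so that
    ordering and whitespace differences do not produce false mismatches."""
    text = value.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return {item.strip() for item in text.split(",") if item.strip()}


def compare_reported_home_net(reported, expected):
    """True when the conf-get output matches the value configured in the yaml."""
    return normalize_address_group(reported) == normalize_address_group(expected)


class SuricataSocket:
    """Minimal client for the command channel suricatasc uses (simplified:
    one recv per reply, which is enough for the short replies used here)."""

    def __init__(self, path=SOCKET_PATH):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self._send({"version": "0.2"})  # handshake as sent by suricatasc (assumed)
        if self._recv().get("return") != "OK":
            raise RuntimeError("handshake with Suricata failed")

    def _send(self, obj):
        self.sock.sendall(json.dumps(obj).encode())

    def _recv(self):
        return json.loads(self.sock.recv(65536).decode())

    def command(self, name, **arguments):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        self._send(msg)
        return self._recv()

    def conf_get(self, variable):
        reply = self.command("conf-get", variable=variable)  # argument name as in suricatasc
        if reply.get("return") != "OK":
            raise RuntimeError(f"conf-get failed: {reply}")
        return reply["message"]


def count_test_alerts(eve_lines):
    """Count eve.json alert events produced by the two test rules."""
    counts = {SID_HOME_TO_EXT: 0, SID_ANY_TO_EXT: 0}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sid = event.get("alert", {}).get("signature_id")
        if sid in counts:
            counts[sid] += 1
    return counts


def home_net_verdict(eve_lines):
    """Mirror the reasoning from the post: both rules firing means the
    configured HOME_NET is in effect; only the any-rule firing means the
    engine is matching against a HOME_NET that does not contain the client."""
    counts = count_test_alerts(eve_lines)
    if counts[SID_ANY_TO_EXT] == 0:
        return "no-traffic"
    return "effective" if counts[SID_HOME_TO_EXT] > 0 else "not-effective"


# Constructed eve.json lines, not captured from a real sensor.
SAMPLE_EVE_AFTER_RELOAD = [
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","alert":{"signature_id":8888,"rev":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","alert":{"signature_id":8889,"rev":1}}',
    '{"event_type":"flow","src_ip":"192.168.1.10","dest_ip":"203.0.113.5"}',
]
SAMPLE_EVE_BOGUS_HOME_NET = [
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","alert":{"signature_id":8889,"rev":1}}',
]

if __name__ == "__main__":
    expected = "[192.168.1.0/24]"  # assumed value from the local suricata.yaml
    try:
        reported = SuricataSocket().conf_get(HOME_NET_VAR)
        print("conf-get HOME_NET:", reported,
              "(matches yaml)" if compare_reported_home_net(reported, expected) else "(STALE)")
    except OSError as err:
        print("command socket not reachable:", err)
    print("verdict after reload:", home_net_verdict(SAMPLE_EVE_AFTER_RELOAD))
    print("verdict with bogus HOME_NET:", home_net_verdict(SAMPLE_EVE_BOGUS_HOME_NET))
```

Run it once before and once after 'suricatasc -c ruleset-reload-nonblocking' (with real eve.json lines read from disk instead of the constructed samples): a "STALE" conf-get result next to an "effective" verdict reproduces exactly the discrepancy described in the post, a stale reporting path rather than a stale detection engine.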