Project

General

Profile

Actions

Bug #3371

open

'suricatasc -c conf-get ...' returns outdated values after reloading suricata

Added by Timo Sigurdsson almost 3 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I have noticed that the conf-get command in suricatasc returns outdated values for configuration settings or variables after reloading Suricata, even though Suricata uses new values.

Initially, I wanted to use the conf-get command in order to verify that a rule-reload via suricatasc or a USR2 signal would suffice to reread/update the HOME_NET variable after the Suricata configuration was changed. suricatasc would, however, still return the initial/old value of the HOME_NET variable after a reload.

Steps to reproduce:
1) Run:
suricatasc -c "conf-get vars.address-groups.HOME_NET"
to check the current value of $HOME_NET
2) Change the value of HOME_NET in suricata.yaml
3) Reload Suricata either via:
kill -USR2 $SURICATA_MAIN_PID
or:
suricatasc -c ruleset-reload-nonblocking
4) Wait for the reload to complete
5) Re-run:
suricatasc -c "conf-get vars.address-groups.HOME_NET"

Result: Suricata reports the same value as in step 1, not the new value set in step 2.

I also tested this with other configuration settings in suricata.yaml and always got the initial value after changing it and reloading Suricata. This led me to believe that a full restart of Suricata is necessary in order to use the updated configuration. This is not the case, however, as my second experiment has shown.

Steps taken to verify that Suricata will in fact honor the changed HOME_NET variable after a reload:
1) Insert the follwing test rules:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "TEST RULE: ICMP packet from HOME_NET to EXTERNAL_NET detected"; classtype:not-suspicious; priority:4; sid:8888; rev:1;)
alert icmp any any -> $EXTERNAL_NET any (msg: "TEST RULE: ICMP packet from any to EXTERNAL_NET detected"; classtype:not-suspicious; priority:4; sid:8889; rev:1;)
2) Start Suricata with the HOME_NET variable defined correctly (according to your network setup)
3) Ping an external host from an internal host
4) Check the Suricata logs

Result: Both rules are triggered

4) Replace the IP addresses in HOME_NET with bogus values (that are not used in your internal network)
5) Reload Suricata via 'suricatasc -c ruleset-reload-nonblocking' and wait for the reload to complete
6) Ping an external host from an internal host again
4) Check the Suricata logs again

Result: Only the second test rule is triggered

Conclusion: This shows that Suricata is actually using the new value of the HOME_NET variable, while suricatasc will still report the original value.

Additional info:
My Suricata version is 4.1.2 (from the Debian 10 Buster repository).

More background on my tests can be found in this mailing list thread:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2019-November/017258.html

Cheers,

Timo

Actions #1

Updated by Andreas Herz almost 3 years ago

  • Assignee changed from Andreas Herz to OISF Dev
  • Target version set to TBD
Actions

Also available in: Atom PDF