/etc/suricata/disable.conf and checksum

Hello all,

I'm a bit new here and am trying to configure Suricata for an OpenBSD environment.
My base build:

  • OpenBSD 6.6
  • Suricata 4.1.5 (pkg that's currently the newest in the 6.6 pkg library)

Suricata is great and it's working as intended, but I have a little problem regarding the file:
/etc/suricata/disable.conf
I created this file as it's mentioned in:
https://suricata.readthedocs.io/en/latest/rule-management/suricata-update.html (7.1.3)
The file was not present, so I created it by hand and added 2 rows as the instructions said:
1:2200074 # SURICATA TCPv4 invalid checksum
1:2200075 # SURICATA UDPv4 invalid checksum
So normally it would disable these 2 rules and would not get logged.

My problem is that the fast.log is full of these checksum problems and the file gets bloated real quick:
[] [1:2200074:2] SURICATA TCPv4 invalid checksum [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
TCP/UDP checksum problems.

I thought that if I add this to disable.conf it would disable the alerts about these rules in the log file. Sadly it's not working.
If I comment out (#) the rules in decoder-events.rules it's working, but I wanted to do this in a separate file, as it was written in the doc above with disable.conf.

Am I missing something, or is disable.conf not working at all, or did I write something that is not OK in the file? I did the update/restart as the doc suggested, and it wrote that it loaded disable.conf:
– Loading /etc/suricata/disable.conf.
with no error, so it should be fine?

I use the default conf and yaml files, so there is nothing I changed from default in this scenario.
Can someone please tell me how to format disable.conf, or how to rename it etc., so that it works as I think it should:) Or would someone please explain to me how exactly it works properly? (Preferably with a sample file structure/commands.)

Thank you very much in advance for your help and advice.
AndSimp

The problem is likely related to checksum offloads. I don’t know how to disable them on OpenBSD though.

Can you tell us what the rule-files section of your suricata.yaml looks like? It looks like it's loading the rule files directly, if it works when you comment it out. So Suricata might not be loading the output of suricata-update, which is most likely in /var/lib/suricata/rules.

Hi Jason and Victor, thank you for the fast reply,

@Victor: Thank you, but I don't want to disable anything in OpenBSD or change the default kernel or settings if possible. :)

@Jason: Of course. Here is the appropriate part from the yaml:

default-rule-path: /etc/suricata/rules
rule-files:
  - app-layer-events.rules
  - decoder-events.rules
  #- dnp3-events.rules
  - dns-events.rules
  - files.rules
  - http-events.rules
  #- modbus-events.rules
  #- nfs-events.rules
  #- ntp-events.rules
  - smtp-events.rules
  - stream-events.rules
  - tls-events.rules

I start suricata with:
/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i
(if I don't write the rules file in here it runs, but without rules:))
So it should load the rules file from there, so it should be fine…?
The line of the update that writes the file:
Writing rules to /var/suricata/rules/suricata.rules: total: 26840; enabled: 20106; added: 0; removed 0; modified: 0
So this should be ok…?
As I said, I left everything at default in all files; I just set the interface to the interface I use.
The file structure is a little bit different in OpenBSD:)

Suricata works properly if I comment out the 2 rules, but what I really would have wanted is to make disable.conf work. :) OR maybe there is a setting that disables checksum checks? I found a few instances, but as far as I can tell none of them disable this alert.

Is there some setting that calls the disable file from the yaml that needs to be enabled, maybe? I did not find it, sadly:) Sorry, I'm a total newbie on this part:)

If you plan to use suricata-update to update your rules, disable rules, etc. then this section should probably look like:

default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules

With what you have, and using -s, you are loading the rules from Suricata-Update as well as each rule file listed in your suricata.yaml, which is probably not what you want. Or you could use -S /var/suricata/rules/suricata.rules to only load that file (-s just adds the file as an additional rule file).

@ish
Well, so if we use both rules that's OK for me, no problem.
So the main gist of it is that if I rewrite the yaml file to only include suricata.rules, then only those rules would be used, and the other rules that are in /etc/suricata/rules would be disregarded.

Would you be so kind as to confirm something for me:
Does the updated suricata.rules (with suricata-update) contain the rules that are in /etc/suricata/rules? So I loaded some of the same rules twice? (Not that that's a problem, if that's not a problem? Or does this prevent disable.conf from working as intended, because there are 2 rule sets and Suricata only disables the one in the update?)

So if I do it the way you described, should disable.conf work and disable the rules I write in it?

Thank you again for all your help:)
AndSimp

This is largely going to depend on how Suricata was installed. If installed from a release tarball, it is installed with the expectation that suricata-update is used. This should result in a suricata.yaml rule section of something small like:

default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules

as it expects the rules to be managed by suricata-update. As of 4.1, Suricata will no longer install rules into /etc/suricata/rules. Instead they will be installed somewhere like /usr/share/suricata/rules. Suricata-Update will pull in these rules from /usr/share/suricata/rules, merge them with whatever rules it downloads, apply disable.conf, etc., and then write them out to /var/lib/suricata/rules/suricata.rules.

Your install looks a little mixed. But you should try suricata-update -v; it will tell you exactly what files it's pulling in. You could configure suricata-update to pull in those rule files from /etc/suricata/rules, and have them in the suricata-update output. Then you'd just have Suricata pull in the one rule file from /var.

Hope that helps.
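To make the mechanics in the two replies above concrete (disable.conf is applied only to the suricata-update output, and a rule file loaded directly via rule-files or -s is not touched), here is an added Python example. It is not suricata-update's code and not from anyone in this thread: it applies a disable.conf to a rule file the way suricata-update does, by commenting matched rules out with "# ", then computes which rules Suricata would actually have enabled for a given set of loaded files. The rule lines are constructed (modelled on the stock decoder-events.rules entries; the third is an obviously made-up control rule); only the entry forms gid:sid, bare sid and re: are handled.

```python
import re
# Constructed inputs: two rule lines modelled on the stock decoder-events.rules
# entries named in the thread, one obviously made-up control rule, and the
# poster's two disable.conf lines.
DECODER_EVENTS_RULES = """\
alert pkthdr any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; decode-event:tcp.invalid_checksum; classtype:protocol-command-decode; sid:2200074; rev:2;)
alert pkthdr any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; decode-event:udp.invalid_checksum; classtype:protocol-command-decode; sid:2200075; rev:2;)
alert ip any any -> any any (msg:"CONSTRUCTED control rule, stays enabled"; sid:9000001; rev:1;)
"""
DISABLE_CONF = """\
1:2200074 # SURICATA TCPv4 invalid checksum
1:2200075 # SURICATA UDPv4 invalid checksum
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def rule_ids(line):
    """(gid, sid) of a rule line; gid defaults to 1 as it does in Suricata."""
    sid, gid = SID_RE.search(line), GID_RE.search(line)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1))) if sid else None

def parse_disable_conf(text):
    """Accept the 'gid:sid', bare 'sid' and 're:<regex>' entry forms."""
    matchers = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()          # drop trailing comment
        if not entry:
            continue
        if entry.startswith("re:"):
            pat = re.compile(entry[3:].strip(), re.IGNORECASE)
            matchers.append(lambda line, p=pat: p.search(line) is not None)
        else:
            nums = [int(n) for n in entry.split(":")]
            ids = (1, nums[0]) if len(nums) == 1 else (nums[0], nums[1])
            matchers.append(lambda line, i=ids: rule_ids(line) == i)
    return matchers

def apply_disable(rules_text, matchers):
    """Emit rules the way suricata-update does: a disabled rule is kept in the
    output but commented out with a leading '# '."""
    return "".join(("# " if l.startswith("alert") and any(m(l) for m in matchers) else "")
                   + l + "\n" for l in rules_text.splitlines())

def active_sids(*rule_files):
    """(gid, sid) pairs Suricata enables after loading all given files: a
    commented copy in one file does not cancel a live copy in another."""
    return {rule_ids(l) for t in rule_files for l in t.splitlines() if l.startswith("alert")}

SURICATA_RULES = apply_disable(DECODER_EVENTS_RULES, parse_disable_conf(DISABLE_CONF))
MIXED = active_sids(DECODER_EVENTS_RULES, SURICATA_RULES)  # rule-files + -s: 2200074 still fires
CLEAN = active_sids(SURICATA_RULES)                         # only suricata.rules: 2200074 disabled
```

On a real box the equivalent check is to grep the suricata-update output for "# alert" lines carrying the sid, and to confirm with suricata-update -v that no second, unfiltered copy of the file is listed in rule-files.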


Sorry for the late reply.
So the late solution for me was that in the yaml file host-os-policy: was set to windows and this was a BSD; I changed the IP there to the BSD and the alerts were mostly gone. (Did this today, not 100% sure this works.)
But what I did previously was that in the rules I commented out the 2 rules I had for this, and that did the same thing. :)
Again thank you Jason for the help:)