
KB - Migrating Suricata IDS to persistent configuration

On the SIEMonster Hydra log aggregator a service named Suricata performs network-layer intrusion detection. Out of the box its configuration is not persistent. If you need to disable rules or change other configuration items, the configuration files have to be mapped to persistent storage on the host so that your changes survive. This is done by performing the following steps in sequence.

BASH
# Prepare the folder structure for the persistent data
mkdir -p /data/suricata/config
mkdir -p /data/suricata/update/cache

# Copy the container's current configuration to the host (the suricata container must exist)
docker cp suricata:/etc/suricata/. /data/suricata/config/

After the copy is done, check that /data/suricata/config now contains suricata.yaml and the other files from the container's /etc/suricata, as in the screenshot below.

[screenshot: image-20250722-114218.png]

The next step is to modify the Systemd unit file so that the host paths are mapped into the container as volumes. The following two lines need to be added:

BASH
    -v "/data/suricata/config/:/etc/suricata" \
    -v "/data/suricata/update/cache:/var/lib/suricata/update/cache" \

To make the change perform the following steps:

  1. Type vim /etc/systemd/system/suricata.service and press [ENTER]

  2. Next type :set mouse= and press [ENTER]
    🔖 This disables vim's mouse handling, so that a terminal paste does not switch vim into visual mode and mangle the pasted lines

  3. Next press i or [INSERT]

  4. Move to the end of the existing volume line (a line of the form -v "<host path>:<container path>" \ in the same continuation block) after which the new mappings belong, and press [ENTER] to open a new line. Once added, the two new lines must read exactly:
    -v "/data/suricata/config/:/etc/suricata" \
    -v "/data/suricata/update/cache:/var/lib/suricata/update/cache" \

  5. Copy the two lines from the code sample above and paste them into the file. It should look like the screenshot below when you have done it correctly.

    [screenshot: image-20250722-115007.png]
  6. Press [ESC], then type :wq and press [ENTER]

  7. Now run the following commands in sequence
    Warning: wait a few seconds between commands so that each one has completed; in particular, the container must be running again after the restart before the docker exec commands can succeed.

    BASH
    systemctl daemon-reload
    systemctl restart suricata
    docker exec -it suricata suricata-update update-sources
    docker exec -it suricata suricata-update

Your Suricata instance now reads its configuration from /data/suricata/config on the host, so changes made there (for example rules disabled through disable.conf, which suricata-update reads from /etc/suricata by default) persist through reboots. Note that only the suricata-update download cache is mapped; the rule set that suricata-update generates (by default under /var/lib/suricata/rules) still lives inside the container, so rerun suricata-update if the container is ever recreated.
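The whole procedure above as one idempotent script, added here as an example and not SIEMonster's own tooling. The container name, host paths and unit file come from this page; that the unit's ExecStart is a docker run continuation block containing at least one existing -v line is an assumption, and the helper names (add_volume_lines, verify_volume_lines, wait_for_container) are this script's own. It edits the unit file with awk instead of vim, refuses to proceed if a mount ends up missing or duplicated, and polls Docker for the container instead of guessing how long to wait after the restart:

```shell
#!/bin/sh
# Added example, not SIEMonster's own tooling: the migration steps as an
# idempotent script. Container name, paths and unit file come from the page;
# that ExecStart is a "docker run ... \" continuation block with at least one
# existing -v line is an assumption. Run with:  sh migrate-suricata.sh run
set -eu

UNIT="${UNIT:-/etc/systemd/system/suricata.service}"
DATA="${DATA:-/data/suricata}"
MOUNT_CFG='    -v "/data/suricata/config/:/etc/suricata" \'
MOUNT_CACHE='    -v "/data/suricata/update/cache:/var/lib/suricata/update/cache" \'
export MOUNT_CFG MOUNT_CACHE   # read by awk via ENVIRON so the trailing backslashes survive

# Insert the two volume lines after the last existing " -v " line of the unit
# file. A timestamped backup is taken first; running it a second time is a no-op.
add_volume_lines() {
    unit="$1"
    if grep -qF '/data/suricata/config/:/etc/suricata' "$unit"; then
        return 0
    fi
    cp -p "$unit" "$unit.bak.$(date +%Y%m%d%H%M%S)"
    last=$(grep -n -- ' -v ' "$unit" | tail -n 1 | cut -d: -f1)
    if [ -z "$last" ]; then
        echo "no -v volume line found in $unit; add the mounts by hand" >&2
        return 1
    fi
    awk -v n="$last" \
        'NR == n { print; print ENVIRON["MOUNT_CFG"]; print ENVIRON["MOUNT_CACHE"]; next }
         { print }' "$unit" > "$unit.tmp"
    mv "$unit.tmp" "$unit"
}

# Succeed only when each mount appears exactly once (catches a double paste).
verify_volume_lines() {
    c1=$(grep -cF '/data/suricata/config/:/etc/suricata' "$1" || true)
    c2=$(grep -cF '/data/suricata/update/cache:/var/lib/suricata/update/cache' "$1" || true)
    [ "$c1" -eq 1 ] && [ "$c2" -eq 1 ]
}

# Poll Docker until the named container reports Running, giving up after the
# number of seconds in $2, rather than sleeping for "a few seconds".
wait_for_container() {
    i=0
    until [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null || true)" = "true" ]; do
        i=$((i + 1))
        [ "$i" -lt "$2" ] || return 1
        sleep 1
    done
}

migrate() {
    mkdir -p "$DATA/config" "$DATA/update/cache"
    docker cp suricata:/etc/suricata/. "$DATA/config/"
    add_volume_lines "$UNIT"
    verify_volume_lines "$UNIT"
    systemctl daemon-reload
    systemctl restart suricata
    wait_for_container suricata 60
    docker exec suricata suricata-update update-sources
    docker exec suricata suricata-update
}

# The live migration only runs when asked for, so the helpers can first be
# exercised on a copy of the unit file.
if [ "${1:-}" = "run" ]; then
    migrate
fi
```

To dry-run the unit file edit, copy the unit somewhere, point UNIT at the copy, source the script and call add_volume_lines and verify_volume_lines on it before running the script with the run argument for real.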

Warning: suricata.yaml is YAML, which is extremely sensitive to whitespace. Indentation must be spaces; a tab anywhere in the file breaks the configuration and prevents Suricata from starting. Always back up the file before you change it so that a bad edit can be rolled back, and test the edited file with Suricata's configuration test mode (suricata -T -c /etc/suricata/suricata.yaml, run inside the container) before restarting the service.
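Guard rails for the warning above, as an added example rather than anything shipped with SIEMonster: back the persisted suricata.yaml up, edit it, reject the edit if it contains a tab or fails suricata -T inside the container, and restore the backup in that case so the running service is never restarted on a broken file. The config path follows the volume mapping on this page and the container name is "suricata" as used above; the backup naming, the EDITOR fallback and the function names are this script's own choices:

```shell
#!/bin/sh
# Added example, not part of the SIEMonster page: guard rails for editing the
# persisted suricata.yaml. The config path follows the volume mapping above and
# the container name "suricata" is as used on the page; backup naming, the
# $EDITOR fallback and the function names are this script's own choices.
set -eu

CFG="${CFG:-/data/suricata/config/suricata.yaml}"

# Timestamped copy next to the file; prints the backup path for later rollback.
backup_config() {
    b="$1.$(date +%Y%m%d-%H%M%S).bak"
    cp -p "$1" "$b"
    printf '%s\n' "$b"
}

# YAML indentation must be spaces. Lists every line containing a tab and
# returns 1 if there were any; returns 0 for a clean file.
tab_free() {
    if grep -n "$(printf '\t')" "$1"; then
        echo "tab characters found in $1 (lines listed above)" >&2
        return 1
    fi
    return 0
}

# Restore a backup over the live file.
rollback() {
    cp -p "$1" "$2"
}

# Ask Suricata itself to parse the mounted config (-T is its test mode) inside
# the running container; the host file is seen there as /etc/suricata/suricata.yaml.
validate_config() {
    docker exec suricata suricata -T -c /etc/suricata/suricata.yaml
}

# Back up, edit, then restart only when the file is tab-free and Suricata
# accepts it; otherwise put the backup back so the running service is unharmed.
safe_edit() {
    bak=$(backup_config "$CFG")
    ${EDITOR:-vi} "$CFG"
    if tab_free "$CFG" && validate_config; then
        systemctl restart suricata
        echo "restarted; backup kept at $bak"
    else
        echo "config rejected, restoring $bak" >&2
        rollback "$bak" "$CFG"
        return 1
    fi
}

if [ "${1:-}" = "edit" ]; then
    safe_edit
fi
```

Run it as sh safe-edit.sh edit on the Hydra host; the backups accumulate next to suricata.yaml under /data/suricata/config, so prune them once a change has proven itself.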
