There is a very useful command available in Suricata IDS/IPS/NSM:
suricata --dump-config
The command above will dump all the config parameters and their respective values that Suricata loads from its config file. You can run it at any time; it does not matter whether Suricata is running or not.
There is a peculiarity, however. People sometimes assume that the command above dumps the config values currently loaded by the running Suricata instance. In some cases it will, and in some cases it will not.
So what does it depend on? Simple:
suricata --dump-config
will dump the config settings that are loaded (or will be loaded) by Suricata by default from /etc/suricata/suricata.yaml
So if you are running Suricata with a config file called suricata-test.yaml (or a suricata.yaml located in a different directory), you will not see those settings unless you specify that config file explicitly:
suricata --dump-config -c /etc/suricata/suricata-test.yaml
Here is a real case example.
I ran Suricata for a specific test where I had set the defrag memcap to 512mb in the defrag section of suricata-test.yaml:
defrag:
  memcap: 512mb # memory cap for the defragmentation engine (default is 32mb)
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
Suricata up and running:
root@LTS-64-1:~/Work # ps aux |grep suricata
root 8109 2.3 7.6 878444 308372 pts/6 Sl+ 12:45 1:02 suricata -c /etc/suricata/suricata-test.yaml --af-packet=eth0 -v
And here is the peculiarity this blog post is trying to emphasize:
root@LTS-64-1:~/Work # suricata --dump-config |grep defrag.memcap
defrag.memcap = 32mb
root@LTS-64-1:~/Work # suricata --dump-config -c /etc/suricata/suricata-test.yaml |grep defrag.memcap
defrag.memcap = 512mb
suricata --dump-config dumps the settings loaded (or to be loaded) from the default location /etc/suricata/suricata.yaml. If you are running Suricata with a yaml config that has a different name than the default, or sits in a different location than the default, then to get those settings you need to specify that particular yaml location, like so:
suricata --dump-config -c /etc/local/some_test_dir/suricata/suricata-test.yaml
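As an added example (not from the original post), a small POSIX shell helper that picks the -c path out of the running Suricata's command line, so that --dump-config is pointed at the file the instance actually loaded instead of the default. The command line below is a constructed sample matching the ps output above; on a live box you would feed it the output of ps for the suricata process.

```shell
#!/bin/sh
# Added example, not part of the original post or of Suricata itself.

# Print the config path given with -c on a Suricata command line.
# Handles both "-c /path" and "-c/path"; falls back to the default
# location when no -c is present. Assumes the path has no spaces.
suricata_config_path() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -c)
                if [ -n "$2" ]; then
                    printf '%s\n' "$2"
                    return 0
                fi
                ;;
            -c?*)
                printf '%s\n' "${1#-c}"
                return 0
                ;;
        esac
        shift
    done
    printf '%s\n' "/etc/suricata/suricata.yaml"
}

# Build the dump-config command that matches the running instance.
dump_cmd_for() {
    printf 'suricata --dump-config -c %s\n' "$(suricata_config_path "$1")"
}

# Constructed sample command line (from the ps line in the post);
# override with SURICATA_CMDLINE, e.g. from: ps -o args= -C suricata
running_cmdline="${SURICATA_CMDLINE:-suricata -c /etc/suricata/suricata-test.yaml --af-packet=eth0 -v}"

cfg=$(suricata_config_path "$running_cmdline")
echo "running instance uses: $cfg"
echo "dump with: $(dump_cmd_for "$running_cmdline")"

# If suricata is installed, show the default value next to the one
# the running instance actually loaded.
if command -v suricata >/dev/null 2>&1; then
    echo "default : $(suricata --dump-config | grep '^defrag.memcap')"
    echo "running : $(suricata --dump-config -c "$cfg" | grep '^defrag.memcap')"
fi
```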