24.7.3: New Suricata.yaml faulty - wrong indentation

[asche77]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• [X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

With 24.7.3, a new Suricata.yaml was included. This seems to be slightly faulty:

root@OPNsense:~ # /usr/local/etc/rc.d/suricata start
Starting suricata.
Error: conf-yaml-loader: Failed to parse configuration file at line 348: did not find expected key
/usr/local/etc/rc.d/suricata: WARNING: failed to start suricata

To Reproduce

Steps to reproduce the behavior:

1. Update to 24.7.3
2. Try to start Suricata.
3. See error (Full error message only visible on console)

Expected behavior

Suricata starting up fine:

root@OPNsense:~ # /usr/local/etc/rc.d/suricata start
Starting suricata.
Info: conf-yaml-loader: Including configuration file installed_rules.yaml.
Info: conf-yaml-loader: Configuration node 'rule-files' redefined.
Info: conf-yaml-loader: Including configuration file custom.yaml.

Describe alternatives you considered

N/A

Solution

Indentation in /usr/local/etc/suricata/suricata.yaml is wrong at lines 348 et seq:

      types:
        - alert:
             payload: no
             payload-buffer-size: 4kb
             payload-printable: yes
            metadata: yes
            tagged-packets: yes

must be corrected as follows (delete 1 space in front of each "payload"):

      types:
        - alert:
            payload: no
            payload-buffer-size: 4kb
            payload-printable: yes
            metadata: yes
            tagged-packets: yes

[fichtner]

Thanks for the report. It has been hotfixed.