• [solved] Suricata in legacy mode with Wireguard interface

    2
    0 Votes
    2 Posts
    357 Views
    Bob.Dig

    So it does work. 😊

    [screenshot: Capturexx.PNG]

  • pcap on alert

    7
    0 Votes
    7 Posts
    769 Views

    @bmeeks It looks like they might have put this into v7.

    https://forum.suricata.io/t/how-to-log-alert-into-a-pcap/2127/4

  • 2.6.0 --> 2.7.0 Upgrade Crash Report

    Moved
    9
    0 Votes
    9 Posts
    2k Views
    bmeeks

    @TAC57 said in 2.6.0 --> 2.7.0 Upgrade Crash Report:

    Something must be screwed up because if I reboot a number of packages don't automatically start,

    Yes, this would be a red flag that your upgrade did not complete properly.

  • 0 Votes
    9 Posts
    767 Views
    Yet_learningPFSense

    @SteveITS Thank you very much. I heard that even current antivirus software can be bypassed by creating viruses that can evade detection through pre-testing by attackers. However, if they are using AI for checking, it might be possible to detect them. I would like to consider using it.

  • everyday at 6am suricata crashes

    21
    0 Votes
    21 Posts
    2k Views

    @bmeeks I believe I know why suricata would crash when geolite2 was updated. I believe suricata was using lots of data and holding IP addresses, well over 5000 of them, in snort2c tables; that, coupled with using too large a RAM disk for /var & /tmp, meant I was simply out of RAM. I have changed the RAM disk size and adjusted suricata to NOT keep IPs longer than 7 days, and this helped, as I've had no more 6am suricata crashes and no core dumps have occurred.

    I really appreciate all of you guys' help here on the forum :) Thank you again!

  • Snort fatal error after emerging.rules update

    38
    0 Votes
    38 Posts
    5k Views
    EmergingThreats

    @InstanceExtension Greetings - and apologies all for the disruption this caused last week. As identified within this thread, two rules (SIDs 2046273 and 2046274) were released to the live ruleset with syntax errors. The rules had the "flow: stateless" option set with "to_server" also set which causes a Fatal Error within Snort. Upon investigation it was found that due to a text parsing issue in our QA infrastructure these errors were missed and the rules were released into production.

    Going forward, we have made adjustments to our QA process to ensure this will not recur and that errors of this sort will be caught within our QA process and mended. The next morning we released an out-of-band update to address it.

    Feel free to reach out here via DM, on twitter (@et_labs) or on our Discourse.
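Added example (not code from the ET post, the Snort project or the pfSense package): a small Python linter that parses the option block of each rule and flags `flow:` modifier combinations that contradict each other, in particular `stateless` together with a direction modifier, which is the combination the post above says produces a Fatal Error in Snort. The other checked pairs (`established` with `not_established`, two directions, `no_stream` with `only_stream`, `no_frag` with `only_frag`) are the remaining mutually exclusive flow modifiers from the Snort rule syntax. The sample rules and their sids are constructed placeholders; only the conflict pattern comes from the thread.

```python
# Snort flow: keyword modifiers, grouped by what they control.
DIRECTION = {"to_server", "to_client", "from_server", "from_client"}
STATE = {"established", "not_established", "stateless"}
STREAM = {"no_stream", "only_stream", "no_frag", "only_frag"}
KNOWN = DIRECTION | STATE | STREAM


def split_options(body):
    """Split the rule option block on ';' while respecting quoted strings and
    backslash escapes, so a ';' inside content:"..." does not break the rule apart."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Return (sid, [(keyword, value), ...]) for one rule line, or None for blanks/comments/non-rules."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    sid, options = None, []
    for opt in split_options(line[start + 1:end]):
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        options.append((keyword, value))
        if keyword == "sid":
            sid = value
    return sid, options


def check_flow(value):
    """Return a list of problems with one flow: value (empty list means it is consistent)."""
    mods = {m.strip() for m in value.split(",") if m.strip()}
    problems = []
    unknown = sorted(mods - KNOWN)
    if unknown:
        problems.append("unknown flow modifier(s): " + ", ".join(unknown))
    # The combination from the ET thread: stateless plus a direction modifier.
    if "stateless" in mods and mods & DIRECTION:
        problems.append("stateless combined with direction " + ", ".join(sorted(mods & DIRECTION)))
    if "stateless" in mods and mods & {"established", "not_established"}:
        problems.append("stateless combined with established/not_established")
    if {"established", "not_established"} <= mods:
        problems.append("established and not_established together")
    if len(mods & DIRECTION) > 1:
        problems.append("more than one direction: " + ", ".join(sorted(mods & DIRECTION)))
    for a, b in (("no_stream", "only_stream"), ("no_frag", "only_frag")):
        if {a, b} <= mods:
            problems.append(f"{a} and {b} together")
    return problems


def lint_rules(text):
    """Lint every rule in a ruleset string; returns [(line_no, sid, problem), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, options = parsed
        flows = [v for k, v in options if k == "flow"]
        if len(flows) > 1:
            findings.append((line_no, sid, "flow specified more than once"))
        for value in flows:
            for problem in check_flow(value):
                findings.append((line_no, sid, problem))
    return findings


# Constructed sample rules (not real ET rules; sids are placeholders). Rule 9000001 carries
# the stateless + to_server combination described in the thread; the ';' inside its content
# string exercises the quote-aware splitter.
SAMPLE_RULES = r'''
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST stateless with direction"; flow:stateless,to_server; content:"GET /a;b"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST ok"; flow:to_server,established; content:"GET /ok"; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"TEST no flow"; content:"|00 01|"; sid:9000003; rev:1;)
'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, sid, problem in lint_rules(text):
        print(f"line {line_no} sid {sid}: {problem}")
```

Run it over a freshly downloaded `.rules` file before the package restarts Snort; a non-empty result is a reason to hold the update rather than let Snort exit on a fatal parse error.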

  • ET Rules or Snort Subscriber rule

    10
    0 Votes
    10 Posts
    3k Views
    DefenderLLC

    @EmergingThreats said in ET Rules or Snort Subscriber rule:

    @DefenderLLC Greetings - unfortunately, there is currently no alternative pricing at that tier. I will let the sales team know of the interest, though.

    Thanks for the reply. I would gladly pay a modest fee for both licenses. Perhaps you can offer a home lab license kind of like what Netgate does for pfSense+ licenses for home users.

  • SNORT pork borked

    1
    0 Votes
    1 Posts
    163 Views
    No one has replied
  • SNORT borked again and again LOL

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • it works for me

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • Snort: Alert log format

    9
    0 Votes
    9 Posts
    6k Views

    @johnnybee I have the same question.
    Please share with me if you have the answer.
    Thanks in advance.

  • Best way to block when behind a proxy

    4
    0 Votes
    4 Posts
    576 Views

    @bmeeks was hoping there was some…trickery. But alas it’s reading the IP header so not much can be done

  • Suricata Alert Log View Filter

    3
    0 Votes
    3 Posts
    303 Views
    NogBadTheBad

    @bmeeks Thanks Bill.

  • Snort block only inbound traffic

    2
    0 Votes
    2 Posts
    217 Views
    bmeeks

    The only way to accomplish that would be to rewrite all the rules and reverse the direction logic. That's a lot of work.

  • Snort Custom Rule not alerting on traffic

    5
    0 Votes
    5 Posts
    2k Views

    @bmeeks
    Ah, that is right. I might have gotten confused with that field. It does work omitting the content section.
    I appreciate your help!

  • Suricata inline mode with Netgate 6100

    8
    0 Votes
    8 Posts
    1k Views
    bmeeks

    @pfsjap said in Suricata inline mode with Netgate 6100:

    Wasn't a driver issue after all. MTU of this interface was 9000 and netmap buffer size (dev.netmap.buf_size) was 2048 (default). After setting buffer size to 9100, Suricata started in inline mode.

    Found this tunable in here.

    Ah! Good detective work.

    The error message certainly was not helpful in this instance. It could have said "out of memory" or "insufficient buffer size", you would think. This error comes from the netmap device code within FreeBSD and has nothing to do with Suricata's use of netmap. Not many folks are using MTU sizes larger than 1500, though.
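Added example, not code from the thread or from the Suricata package: a pre-flight check in Python that reads each interface's MTU from FreeBSD `ifconfig` output and compares it with `dev.netmap.buf_size` before Suricata is started in inline mode, so the mismatch the post describes (MTU 9000 against the 2048-byte default) is reported as such instead of surfacing as an opaque netmap error. The 100-byte margin is an assumption taken from the post's working values (9100 for MTU 9000); the `ifconfig` excerpt is constructed. The `ifconfig` and `sysctl -n dev.netmap.buf_size` invocations are standard FreeBSD commands; how the value is persisted (the post only says it is a tunable) is left to the operator.

```python
import re
import subprocess

# FreeBSD ifconfig prints "<name>: flags=...<...> metric N mtu M" on the first line of each interface.
MTU_RE = re.compile(r"^(\S+): flags=\S+.*\bmtu (\d+)")


def parse_mtus(ifconfig_text):
    """Map interface name -> MTU from FreeBSD ifconfig output."""
    mtus = {}
    for line in ifconfig_text.splitlines():
        m = MTU_RE.match(line)
        if m:
            mtus[m.group(1)] = int(m.group(2))
    return mtus


def netmap_preflight(mtus, buf_size, interfaces, headroom=100):
    """Check each interface Suricata will run inline on against dev.netmap.buf_size.
    A netmap buffer must hold a whole frame, so it has to exceed the MTU; the margin
    defaults to the 100 bytes the post used (9100 for MTU 9000), which is an assumption.
    Returns name -> (status, buf_size needed)."""
    report = {}
    for name in interfaces:
        mtu = mtus.get(name)
        if mtu is None:
            report[name] = ("unknown interface", None)
            continue
        needed = mtu + headroom
        report[name] = ("ok" if buf_size >= needed else "buf_size too small", needed)
    return report


# Constructed ifconfig excerpt: a jumbo-frame WAN, a standard LAN and loopback.
SAMPLE_IFCONFIG = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9000
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
"""


def live_check(interfaces):
    """Run the check on the local FreeBSD box (pfSense). If dev.netmap.buf_size cannot
    be read (for example, no netmap support), report that instead of guessing a value."""
    ifconfig = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
    sysctl = subprocess.run(["sysctl", "-n", "dev.netmap.buf_size"], capture_output=True, text=True)
    if sysctl.returncode != 0:
        return {"dev.netmap.buf_size": ("not readable", None)}
    return netmap_preflight(parse_mtus(ifconfig), int(sysctl.stdout.strip()), interfaces)


if __name__ == "__main__":
    import sys
    ifaces = sys.argv[1:] or ["igc0", "igc1"]
    if sys.platform.startswith("freebsd"):
        report = live_check(ifaces)
    else:  # off-box: demonstrate with the constructed sample and the 2048-byte default
        report = netmap_preflight(parse_mtus(SAMPLE_IFCONFIG), 2048, ifaces)
    for name, (status, needed) in report.items():
        hint = f" (set dev.netmap.buf_size to at least {needed})" if needed and status != "ok" else ""
        print(f"{name}: {status}{hint}")
```

On the sample data, igc0 at MTU 9000 fails against the 2048-byte default and passes once buf_size is 9100, while igc1 at MTU 1500 is fine with the default, which matches what the post reports.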

  • Is Suricata package updates blocked by an internal decision?

    15
    0 Votes
    15 Posts
    2k Views
    DefenderLLC

    @bmeeks Thank you, Mr. Meeks.

  • Snort vs Suricata Lists

    5
    0 Votes
    5 Posts
    617 Views
    DefenderLLC

    @Dobby_ Good idea. I do have two 8GB RP4B's just sitting around doing nothing. I was using those for Pi-hole before switching to pfBlockerNG.

  • Blocking p2p on vlan

    5
    0 Votes
    5 Posts
    332 Views

    @the-other I got pfblockerng installed... are there preloaded p2p blocklists or is this something I need to create myself?

  • How to enable IPS - Blocked Offenders is enabled

    7
    0 Votes
    7 Posts
    1k Views

    @bmeeks I meant to update this thread before your response. Beat me to the punch.
    My misunderstanding is really how to work with the GUI in regards to IPS/IDS. Some of the elements aren't exactly clear so it did require poking through several threads here to understand how the pieces work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.