Suricata Update Plans

bmeeks

The Suricata team recently released version 6.0.5. Details about this latest release can be found here.

I plan to update Suricata on pfSense in the near future. Currently we are running the 6.0.4 version compiled with the multiple host rings netmap code from version 7.0. I want to wait a few days, or perhaps even a couple of weeks, to see how things look in the new 6.0.5 release. If no major issues are reported upstream, then I will update the binary portion of the pfSense Suricata package to 6.0.5.

Just wanted to post this info to let Suricata users know I am aware of the recent release of 6.0.5, and I plan to update the pfSense package soon. Just don't want to immediately jump out there yet having gotten burned with the initial 6.0 release that had the FreeBSD flow manager bug.

Cool_Corona

Pls. make sure the package is available to 2.5.2 users a like.

We dont see any updates on the packages at all.

And 2.6 is nowhere production ready yet....

Youre doing a great job Bill. We are very grateful for that.

bmeeks

@cool_corona said in Suricata Update Plans:

Pls. make sure the package is available to 2.5.2 users a like.

We dont see any updates on the packages at all.

And 2.6 is nowhere production ready yet....

Youre doing a great job Bill. We are very grateful for that.

There will be no 2.5.2 update. No pfSense packages get updated for past pfSense versions. That's just not the way the pkg system is plumbed up nor are the pfSense package builders configured to support multiple versions. Packages are created for the current version of pfSense only. So when pfSense itself updates to a new version, packages for the previous version are frozen.

Cool_Corona

@bmeeks So either we fuck our production environments for beeing able to receive package updates....

Or stay on a stable version and lack updates.

Thats not a healthy product cycle....

slu

@cool_corona said in Suricata Update Plans:

@bmeeks So either we fuck our production environments for beeing able to receive package updates....

If this is so important to you, buy a TAC and contact Netgate:
https://www.netgate.com/support

bmeeks

@cool_corona said in Suricata Update Plans:

@bmeeks So either we fuck our production environments for beeing able to receive package updates....

Or stay on a stable version and lack updates.

Thats not a healthy product cycle....

Well, that is not your only option. You can go pay Palo Alto or Check Point several thousands of dollars annually for support. But even there, you eventually have to update their software.

You would do well to remember how much you are paying for pfSense and its packages ... .

Later Update: this reply is not meant to slap you down, but is instead just a gentle chiding reminding you and others reading this thread in the future that free, open-source software is not always perfect. But it is very good, and amazingly good when you factor in the cost (zero dollars).

I know particular issues can sometimes be frustrating when your system is impacted. But the majority of pfSense users are not experiencing problems. And there is just no practical way to test for every conceivable variation of hardware and system configuration that exists out there in the pfSense user base.

It's not the same with a lot of the for-profit security platforms out there. They frequently lock you into very specific hardware. That curtails the universe of possible configurations they have to test against and support.

As for new package versions for older pfSense versions, that is a very difficult nut to crack. It would require extra work on the part of the package developers, and it would require Netgate to keep a lot of extra builder hardware capacity in place. And many times new binary versions in packages require newer shared libraries. But those newer shared libraries would break older pfSense versions. So you have a deadlock there potentially. Non-programmers frequently don't realize the impact and limitations shared libraries generate. Hardly any piece of software is 100% standalone and self-contained. The majority of software today makes calls to several shared system libraries to do various things. And these shared libraries themselves are updated from time to time, and that's where incompatibility comes into play with older pfSense versions.

SteveITS

@bmeeks said in Suricata Update Plans:

So when pfSense itself updates to a new version, packages for the previous version are frozen.

I'm mostly speaking to anyone else who happens to read this thread, but it's a bit worse than that sounds. The package manager will show packages for the selected update branch, so if the router is set to Current but is still on 2.5.2 it will let you install packages for 2.6 which potentially can upgrade core components that are marked as dependencies. One must select the Previous Stable Version branch to see older packages, which will work until the next major version is released and Previous is not old enough. Unfortunately the package pages don't show what version is selected. https://redmine.pfsense.org/issues/10464

Speaking of open source and package developers, thank you for your time on Suricata/Snort.

bmeeks

@steveits said in Suricata Update Plans:

@bmeeks said in Suricata Update Plans:

So when pfSense itself updates to a new version, packages for the previous version are frozen.

I'm mostly speaking to anyone else who happens to read this thread, but it's a bit worse than that sounds. The package manager will show packages for the selected update branch, so if the router is set to Current but is still on 2.5.2 it will let you install packages for 2.6 which potentially can upgrade core components that are marked as dependencies. One must select the Previous Stable Version branch to see older packages, which will work until the next major version is released and Previous is not old enough. Unfortunately the package pages don't show what version is selected. https://redmine.pfsense.org/issues/10464

Speaking of open source and package developers, thank you for your time on Suricata/Snort.

Yes, I agree the situation there could likely work better. Right now it is incredibly easy to shoot your foot off with package updates when the underlying pfSense version has a new update available as well. But my little bit of interaction with the pkg utility leads me to think there is no 100% painless and easy fix.

SteveITS

@bmeeks said in Suricata Update Plans:

there is no 100% painless and easy fix

I gather, but I just like to publicize it. Maybe they could post the installed pfSense and package repo version on the package page with a red note if they differ.

michmoor

@slu this has always ALWAYS been my thinking and I'm glad you wrote it down. People complain ALOT about the product and some of the complaints are indeed valid, no question. But for people who are using it for free and in critical areas, why aren't they paying for support? TAC support compared to my Juniper contract that I just did a BOM for is so much cheaper than getting 24/7 support from Cisco or Juniper.. The price for an SRX with a redundant power supply is 3x more than the cost of a NetGate support contract for a year...Perspective......
The equation is very simple. If pfsense is good enough for your environment and plays a critical piece in it then you would be wise to get support. If you want to play cowboy and get the free support (forums and reddit) then that's your choice but why deflect and blame the company? You failed as the engineer or support staff or decision maker when choosing to put unsupported hardware in an environment that is mission-critical or at the least revenue-generating.
I get advice on Reddit around some troubleshooting issues but I would never ever go there if I'm facing a down event and need someone experienced on the phone. Who would do this? Yet.........

update: @bmeeks Thank you for all you do and the support you have given the community. Safe to say that all the devs who have given their time and blood to the pfsense project made it arguably one of the best open-source projects today.

NRgia

@bmeeks said in Suricata Update Plans:

The Suricata team recently released version 6.0.5. Details about this latest release can be found here.

I plan to update Suricata on pfSense in the near future. Currently we are running the 6.0.4 version compiled with the multiple host rings netmap code from version 7.0. I want to wait a few days, or perhaps even a couple of weeks, to see how things look in the new 6.0.5 release. If no major issues are reported upstream, then I will update the binary portion of the pfSense Suricata package to 6.0.5.

Just wanted to post this info to let Suricata users know I am aware of the recent release of 6.0.5, and I plan to update the pfSense package soon. Just don't want to immediately jump out there yet having gotten burned with the initial 6.0 release that had the FreeBSD flow manager bug.

Please take your time, better safe than sorry.