Netgate Discussion Forum

    Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes

    • lawrencesystems

      Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

      • bmeeks @darcey

        @darcey said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

        @bmeeks Will 6.0.10 be made available for pfSenseCE 2.6?
        I believe the changes that might help with this were introduced in suricata 6.0.8.

        Yes, later versions of Suricata have addressed the high idle CPU usage by reverting an earlier change in the flow manager code.

        As for getting a newer version of Suricata in pfSense 2.6.0, I will have to investigate to see what's feasible. Depends to some degree on what, if any, shared dependency library minimum version numbers might have changed in Suricata.

        I would love to get Suricata updated in the 2.6 CE branch, but backporting the GUI code is a large task as the change in PHP from 7.4 in pfSense 2.6 to 8.1 in pfSense 2.7 CE and 23.01 Plus resulted in wholesale rewriting of large chunks of code. And those rewrites are not directly compatible with PHP 7.4.

        If 2.7 CE rapidly advances through testing from the current BETA phase to RELEASE, then updating Suricata will be a non-issue as the package is current in the 2.7 snapshots. But if 2.7 CE development gets significantly delayed on the way from BETA to RELEASE, then updating of some packages in 2.6 CE may need revisiting. There is a possible solution to the PHP problem by creating a specialized compatibility module of functions to accomplish in 7.4 what is happening in 8.1.

        • bmeeks @lawrencesystems

          @lawrencesystems said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

          Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

          Yes, there are certainly instances where running Suricata or Snort on the WAN may make sense for a particular network configuration. But this is more likely to be the case for pfSense used in a business network as opposed to a home network.

          I would venture it to be very rare to need a Suricata or Snort instance running on the WAN in the typical home network. I won't say "never", but I would say "very rare" 😁.

          • darcey @bmeeks

            @bmeeks Thanks. That would seem not worth it then. Looking forward to CE 2.7...

            • j.koopmann

              Hi @bmeeks ,

              I am afraid the Pass List improvements broke things here. I am using legacy mode. I have long had the trouble that /24 networks did not work in the pass list so on top of the /24 I put specific /32 IPs in the pass list for important machines.

              While conducting tests I can reproducibly block my laptop even though it is part of the /24 network and the pass list has this specific IP in it as well. At least the latter worked up until this upgrade.

              The correct pass list is enabled in the settings. And via "View" I can confirm that both the home network /24 and my laptop's /32 are in it.

              Running 23.01.

              • bmeeks @j.koopmann

                @j-koopmann:
                Will you please share that Pass List? I would like to reproduce the conditions in my test virtual environment as best I can.

                I have never been able, for some reason, to reproduce this issue of Pass List entries not working. They always work in my testing 🤔.

                • NRgia @bmeeks

                  @bmeeks Can we retest the issue for doubled interfaces with the 6.0.10_3 version, or are you still working on another fix?

                  • bmeeks @NRgia

                    @nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                    @bmeeks Can we retest the issue for doubled interfaces with the 6.0.10_3 version, or are you still working on another fix?

                    Yes, you can retest if you want to. Be sure you have an easy recovery ready in the event the patch was not successful. I was not able to reproduce the actual duplication, so I had to theorize a potential cause and craft a fix from that angle. So, I cannot say with 100% certainty I fixed it because I could not reproduce the failure and then verify my "fix" prevented the failure.

                    I am working on fixing the PHP error mentioned in a different thread, so I will be submitting another package update soon. It would be nice to know if my interface duplication fix worked, so if you test, post back here. If the fix is not successful, I can revisit my theory.

                    • NRgia @bmeeks

                      @bmeeks
                      Issue with the doubled interfaces is fixed.
                      I performed 2 tests:

                      1. Upgrade in place from 6.0.10_1 to 6.0.10_3
                      2. I've removed 6.0.10_1 and installed 6.0.10_3

                      In both cases I found no issues.
                      Thank you for the fix.

                      • bmeeks @NRgia

                        @nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                        @bmeeks
                        Issue with the doubled interfaces is fixed.
                        I performed 2 tests:

                        1. Upgrade in place from 6.0.10_1 to 6.0.10_3
                        2. I've removed 6.0.10_1 and installed 6.0.10_3

                        In both cases I found no issues.
                        Thank you for the fix.

                        Thank you for testing! Glad to know that serious bug is fixed.

                        • greenflash @bmeeks

                          @bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
                          Thanks a lot for your work!

                          • bmeeks @greenflash

                            @greenflash said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                            @bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
                            Thanks a lot for your work!

                            Glad you are all set. Thank you for the feedback.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.