Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes

lawrencesystems

Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

bmeeks

@darcey said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

@bmeeks Will 6.0.10 be made available for pfSenseCE 2.6?
I believe the changes that might help with this were introduced in suricata 6.0.8.

Yes, later versions of Suricata have addressed the high idle CPU usage by reverting an earlier change in the flow manager code.

As for getting a newer version of Suricata in pfSense 2.6.0, I will have to investigate to see what's feasible. Depends to some degree on what, if any, shared dependency library minimum version numbers might have changed in Suricata.

I would love to get Suricata updated in the 2.6 CE branch, but backporting the GUI code is a large task as the change in PHP from 7.4 in pfSense 2.6 to 8.1 in pfSense 2.7 CE and 23.01 Plus resulted in wholesale rewriting of large chunks of code. And those rewrites are not directly compatible with PHP 7.4.

If 2.7 CE rapidly advances through testing from the current BETA phase to RELEASE, then updating Suricata will be a non-issue as the package is current in the 2.7 snapshots. But if 2.7 CE development gets significantly delayed on the way from BETA to RELEASE, then updating of some packages in 2.6 CE may need revisiting. There is a possible solution to the PHP problem by creating a specialized compatibility module of functions to accomplish in 7.4 what is happening in 8.1.

bmeeks

@lawrencesystems said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

Yes, there are certainly instances where running Suricata or Snort on the WAN may make sense for a particular network configuration. But this is more likely to be the case for pfSense used in a business network as opposed to a home network.

I would venture it to be very rare to need a Suricata or Snort instance running on the WAN in the typical home network. I won't say "never", but I would say "very rare" .

darcey

@bmeeks Thanks. That would seem not worth it then. Looking forward to CE 2.7...

j.koopmann

Hi @bmeeks ,

I am afraid the Pass List improvements broke things here. I am using legacy mode. I have long had the trouble that /24 networks did not work in the pass list so on top of the /24 I put specific /32 IPs in the pass list for important machines.

While conducting tests I can reproducibly block my laptop even though it is part of the /24 network and the pass list has this specific IP in it as well. At least the latter worked up until this upgrade.

The correct pass list is enabled in the settings. And via "View" I can confirm that both the home network /24 and my laptops /32 is in it.

Running 23.01.

bmeeks

@j-koopmann:
Will you please share that Pass List? I would like to reproduce the conditions in my test virtual environment as best I can.

I have never been able, for some reason, to reproduce this issue of Pass List entries not working. They always work in my testing .

NRgia

@bmeeks Can we retest the issue for doubled interfaces with 6.0.10_3 version, or you're stil working on another fix?

bmeeks

@nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

@bmeeks Can we retest the issue for doubled interfaces with 6.0.10_3 version, or you're stil working on another fix?

Yes, you can retest if you want to. Be sure you have an easy recovery ready in the event the patch was not successful. I was not able to reproduce the actual duplication, so I had to theorize a potential cause and craft a fix from that angle. So, I cannot say with 100% certainty I fixed it because I could not reproduce the failure and then verify my "fix" prevented the failure.

I am working on fixing the PHP error mentioned in a different thread, so I will be submitting another package update soon. It would be nice to know if my interface duplication fix worked, so if you test, post back here. If the fix is not successful, I can revisit my theory.

NRgia

@bmeeks
Issue with the doubled interfaces is fixed.
I performed 2 tests:

1. Upgrade in place from 6.0.10_1 to 6.0.10_3
2. I've removed 6.0.10_1 and installed 6.0.10_3

In both cases I found no issues.
Thank you for the fix.

bmeeks

@nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

@bmeeks
Issue with the doubled interfaces is fixed.
I performed 2 tests:

1. Upgrade in place from 6.0.10_1 to 6.0.10_3
2. I've removed 6.0.10_1 and installed 6.0.10_3

In both cases I found no issues.
Thank you for the fix.

Thank you for testing! Glad to know that serious bug is fixed.

greenflash

@bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
Thanks a lot for your work!

bmeeks

@greenflash said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

@bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
Thanks a lot for your work!

Glad you are all set. Thank you for the feedback.