Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Package v7.0.3 - Available. Here are the Release Notes

    Scheduled Pinned Locked Moved
    IDS/IPS
    3
    4
    557
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks
      last edited by bmeeks

      Suricata-7.0.3

      An updated Suricata package is now available. This update adds two new features and fixes a number of bugs. The underlying Suricata binary is also updated to the latest 7.0.3 from upstream. Release Notes for the binary can be found here: https://forum.suricata.io/t/suricata-7-0-3-and-6-0-16-released/4468.

      Special Notice: MaxMind recently changed their API for authentication when downloading updates for the GeoIP2 database. If you use the GeoIP2 option in Suricata, then you must execute a few specific actions to restore the GeoIP2 database download and update process.

      If you have the GeoIP database download/update option enabled in Suricata, you will need to navigate to the GLOBAL SETTINGS tab after updating the package and perform these steps:

      1. Enter your MaxMind Account ID in the new field provided above the previous License Key field. Your Account ID is likely a numeric code. You can find your Account ID by logging into the MaxMind portal and choosing the Manage License Keys page. Your Account ID number will be shown at the top of the list of license keys.
      2. Leave your License Key as is unless you know for sure you have a new one. The new authentication API requires BOTH your Account ID and License Key be provided.
      3. Click Save to store your Account ID value.
      4. Return to the GLOBAL SETTINGS tab and toggle the GeoIP database option off, save it, then toggle it back on and save it again. This will force a new attempt to download the database in the background (it will have failed to download and update during the package update because of the recent MaxMind API change).
      5. Finally, if you have GeoIP rules in place, you will need to restart Suricata on the interface so that it sees the newly updated database.

      New Features:

      1. Exposed the formerly hidden passlist debugging option in the GUI on the INTERFACE SETTINGS tab. This option is only for troubleshooting suspected issues with a Pass List. When enabled, it will generate quite a lot of traffic to a dedicated passlist debug log in the Suricata logging directory for the interface. It will also have a performance impact when enabled. The new setting defaults to "not checked" which means not enabled. You would click to "check" the option if you wanted to enable it for a specific debugging task, then uncheck the option when debugging is complete.
      2. Because the use of certain NIC hardware-based features such as Checksum Offloading, Large Receive Offload (LRO), and TCP Segmentation Offload (TSO) has been shown to cause issues with Suricata, the user is now warned when any of those options are enabled for a physical interface where Suricata is running. The warning occurs when saving changes on the INTERFACE SETTINGS tab. A link is provided to the pfSense page where those options can be disabled in the dialog box at the top of the page.

      Bug Fixes:

      1. GeoIP2 database download/update procedure broken due to recent MaxMind API change. See Redmine Issue #15240.
      2. Add check to detect and ignore blank lines in alerts.log when populating the Suricata Dashboard Widget. Invalid lines in the log file would cause a PHP error. See Redmine Issue #15241.
      3. Examine all calls to write_config() to see when it is appropriate to set the "$backup" parameter to "false" to prevent unneccessary config.xml backups. See Redmine Issue #15242.
      4. Changed the logic on the BLOCKS tab so that only alerts from the currently active block.log file are correlated with active blocks. Formerly the code would also try to read all of the previously rotated block.log files resulting in PHP out-of-memory errors in some situations.
      R 1 Reply Last reply Reply Quote 5
      • S SteveITS referenced this topic on
      • R
        RobertK 1 @bmeeks
        last edited by

        Hardware Checksum Offloading is a default option on Netgate appliances. I believe it is also default on pfSense CE at least on hardware with Intel NICs. What were the problems that led to this warning message? Is it safe to ignore the warning if you have not experienced any problems before Suricata 7.0.3 on your hardware regarding checksum offloading?

        R S 2 Replies Last reply Reply Quote 0
        • R
          RobertK 1 @RobertK 1
          last edited by

          I'm strictly referring to "Hardware Checksum Offloading", not the other two.

          1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @RobertK 1
            last edited by

            @RobertK-1 it’s not a new recommendation just a new warning.

            See:
            https://docs.suricata.io/en/suricata-7.0.2/performance/packet-capture.html

            β€œ11.2.3. Offloading

            Network cards, drivers and the kernel itself have various techniques to speed up packet handling. Generally these will all have to be disabled.

            LRO/GRO lead to merging various smaller packets into big 'super packets'. These will need to be disabled as they break the dsize keyword as well as TCP state tracking.

            Checksum offloading can be left enabled on AF_PACKET and PF_RING, but needs to be disabled on PCAP, NETMAP and others.”

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote πŸ‘ helpful posts!

            1 Reply Last reply Reply Quote 1
            • johnpozJ johnpoz referenced this topic on
            • First post
              Last post