Suricata on Pfsense

bmeeks

@SteveITS said in Suricata on Pfsense:

It's unclear from above who is maintaining the Suricata package now.

The package no longer has any active maintainer. The Netgate team did decide to address a couple of recent PHP GUI package CVEs themselves (that's the recent update to 7.0.8_3, I believe). I would not expect Netgate to takeover continuous maintenance of the package as it is not a core package of pfSense.

Best case is for another community member to step up and take over package maintenance.

P.S. -- I did send a detailed email a couple of weeks ago to the pfSense developer team letting them know of my retirement from package maintainer duties. They acknowledged receipt of the notice, so they are aware of the current package status (ditto for the Snort package, too).

NRgia

@SteveITS I understand, but let's speak from the user/client point of view. Why a client must raise tickets in a bugtracker like Redmine or Jira or whatever? A client expectation is that, if a package is available, to be updated or maintained.

If the package is not maintained it will become a security and performance issue with time.

I mean I understand, maybe, Netgate doesn't have resources, but then, they can remove it, instead of waiting for something to happen...

Just my 2 cents.

@bmeeks Your suggestion is preferred, but from I understood from you, nobody is interested or have the knowledge.
Again thank you, for updating this package over the years.

bmeeks

@NRgia said in Suricata on Pfsense:

Your suggestion is preferred, but from I understood from you, nobody is interested or have the knowledge.
Again thank you, for updating this package over the years.

I'm sure there is someone here on the forum using the package that has the knowledge to maintain it.

Another option if IDS/IPS is critical is to use the Linux package on a separate virtual machine or hardware appliance. Inline IPS performance would actually be very good using a Linux box (or even a FreeBSD box) with two separate NICs and configure true netmap hardware-to-hardware mode. That is many times more performant than the hardware-to-host mode that is required when using netmap within pfSense.

Of course using a separate box would mean no GUI, but that's how the vast majority of the world uses Suricata already (without a GUI).

tinfoilmatt

@btspce

Why isn't the pfsense supplied version following Suricata releases more closely?

The fading worthwhile use case of IDS/IPS aside, because it's not anyone-with-the-requisite-chops-to-keep-it-updated's priority, nor is it an official project package.

@bmeeks

I did send a detailed email a couple of weeks ago to the pfSense developer team letting them know of my retirement from package maintainer duties. They acknowledged receipt of the notice, so they are aware of the current package status (ditto for the Snort package, too).

End of an era. Thanks for all your contributions, Bill. You've done well more than the average bear.

fireodo

@bmeeks said in Suricata on Pfsense:

P.S. -- I did send a detailed email a couple of weeks ago to the pfSense developer team letting them know of my retirement from package maintainer duties. They acknowledged receipt of the notice, so they are aware of the current package status (ditto for the Snort package, too).

Hi Bill,

sad to see you "go", all the best for you, and a big THANKS for all you've done for Snort & Suricata!

Kind regards,
fireodo

bmeeks

Thanks guys! I'm not leaving pfSense nor the forum. I'm just retiring from active package maintenance.

I retired from my real job 11 years ago and I've been away from the cybersecurity industry long enough to be "out of date" with some of my knowledge . Time to turn over the reins to the younger generation.

fireodo

@bmeeks said in Suricata on Pfsense:

Time to turn over the reins to the younger generation.

I hope there will be a worthy successor

JonathanLee

@bmeeks your work outclasses so many individuals and developers. Your stuff is amazing. Cheers

SteveITS

FWIW there were two commits last week and 7.0.8_3 is available.

NRgia

@btspce your redmine ticket was closed. It seems..."this is the way".

Suricata binary 7.0.11 is now available. Thank you

bmeeks

Just FYI -- upstream released 7.0.12 yesterday.

btspce

@NRgia Saw that pfblockerng, suricata (7.0.11) and other packages had updates availible yesterday but when I went to do the updates a few hours later there was none to be found? Netgate seems to have pulled the updates for one reason or another.

NRgia

@btspce I noticed those updates also, and they were pulled after some time. Maybe the code from Develop was pulled by mistake, and quickly removed.

For Suricata, if you reinstall the package, 7.0.11 binary will be installed, instead of 7.0.8.

Also I think we will need yet another ticket, for Suricata 7.0.12 as @bmeeks pointed out.