Current Bugs in Suricata 1.4.6 package – help me make sure I have them listed
-
Thank you, that worked! I did this earlier; my mistake is I CHANGED the URL… :)
The directory for the second file is wrong in your post. It's:
/usr/local/www/suricata/suricata_check_for_rule_updates.php
Thanks again for your hard work.
-
When choosing to log to system log and ultimately sending out to remote syslog, the process ends up as garbage sometimes.
See example in pFsense log files:
M-^AM-^AVë^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80
-
When choosing to log to system log and ultimately sending out to remote syslog, the process ends up as garbage sometimes.
See example in pFsense log files:
M-^AM-^AVë^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80
That could be a bug (hopefully a fixed one in the current stable release) in the Suricata binary itself. Nothing in the GUI package alters the syslog output content. That comes straight from the binary. The current pfSense package uses version 1.4.6 of Suricata. I am almost ready to release an update based on the current 2.0.2-RELEASE version.
Some research on the Suricata site for all the bug fixes incorporated during the progression from 1.4.6 to 1.4.7 to 2.0 to 2.0.1 and finally 2.0.2 will be needed to see if this bug got identified and fixed. I will do a quick review as part of the update I'm working on.
Bill
-
The directory for the second file is wrong in your post. It's:
/usr/local/www/suricata/suricata_check_for_rule_updates.php
Thanks again for your hard work.
Yep. My bad. I gave what will be the "new path" in the upcoming update. I'm moving some of the configuration update files that don't have a GUI login interface to a non-public directory in the web folder structure.
Thank you, that worked! I did this earlier; my mistake is I CHANGED the URL… :)
Yeah, a day or two after the snort.org web site update, they put back a workaround that lets the old URLs continue to work for a year. If you change the URL, you also have to change the code to generate and use a HTML query string to pass the oinkcode instead of including it as part of the URL path.
Thanks for posting the correction…all of this is fixed properly in the upcoming Suricata update.
Bill
-
Zombie "ET POLICY PE EXE or DLL Windows file download" (2000419) is back.
Rule is disabled on the ET policy tab. BUT rule is enabled on the auto-flow bit tab, which makes me think something is depending on it and it gets enabled automatically. Thankfully the rule didn't fire on akamai causing the dreaded "THE INTERNET IS DOWN!" calls (and my " It's because the holocaust is here!" response). Nope, because nobody would be stupid enough to create a rule that fires up when updating the same OS it's designed to protect. Right?
Makes me think the ET rules are no longer maintained sometimes. That or greed got to them since most of their updates are for the PRO rules. They have to remove 40 rules from the free rules, and I've been screaming my head off at them for the past couple of years to do it. Seems they are one of the "WTF? ARE YOU TELLING ME HOW TO DO MY JOB?!?!?" type.
Enough of my off topic ;D
I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.
-
@jflsakfja:
I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.
I took a look at my Snort Setup and I have that Rule Disabled and there are no Suppressions listed in my WAN Suppress List.
It doesn't look like there have been any changes to that rule since 08/19/2013
http://doc.emergingthreats.net/bin/view/Main/2000419
Maybe something else is causing this issue?
-
All I know is that the rule was manually disabled (pale red) and haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p
-
@jflsakfja:
All I know is that the rule was manually disabled (pale red) and haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p
The auto-flowbit logic runs through all the enabled rules looking for flowbit "isset" keywords. It then creates an array of required flowbits. Next, it looks at that list of required flowbits and finds all the rules that "set" those flowbits and enables them. Well, it actually just puts them in the separate auto-flowbits rules file. That file is loaded along with the main rules file when Suricata (or Snort) starts. So it in effect gets 'enabled' by getting included in the separate auto-flowbits rules file.
Could be that an update somewhere tinkered with a flowbit dependency in one of the rules.
Bill
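The auto-flowbit resolution Bill describes, written out as an added Python example (this is not the pfSense package's own PHP code). It scans the enabled rules for `flowbits:isset` / `flowbits:isnotset`, collects the required flowbit names, then pulls in any GUI-disabled rule that `set`s (or `toggle`s) one of those bits, which is exactly how a rule disabled on its category tab reappears on the auto-flowbits tab. It goes one step further than the description by repeating the scan until nothing new is pulled in, so a setter that itself depends on another flowbit drags its own setter along. The rules, sids and flowbit names below are constructed placeholders, not real ET rules.

```python
import re

# Constructed sample ruleset: (rule text, enabled in the GUI). Sids are placeholders.
SAMPLE_RULES = [
    # Enabled consumer: it checks a flowbit, so the bit becomes "required".
    ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE post-download check-in"; '
     'flow:established,to_server; flowbits:isset,example.exe_download; sid:9000003; rev:1;)', True),
    # Disabled on its category tab, but it sets the required bit: the "zombie" rule.
    ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PE EXE or DLL download"; '
     'flow:established,to_client; flowbits:isset,example.http_request; '
     'flowbits:set,example.exe_download; flowbits:noalert; sid:9000002; rev:1;)', False),
    # Disabled and only needed because the zombie rule above depends on it (second pass).
    ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE outbound HTTP request"; '
     'flow:established,to_server; flowbits:set,example.http_request; flowbits:noalert; sid:9000001; rev:1;)', False),
    # Disabled and nothing depends on it: stays out of the auto-flowbits file.
    ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE unrelated"; '
     'flowbits:set,example.unrelated; flowbits:noalert; sid:9000004; rev:1;)', False),
]

# flowbits:<action>[,<name>]; -- the name is absent for "noalert".
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_flowbits(rule):
    """Return (checked_bits, set_bits) for one rule text.

    Compound names such as "a|b" or "a&b" (Snort-style) are split into
    their individual bits so each one is tracked as a dependency.
    """
    checked, setters = set(), set()
    for action, names in FLOWBITS_RE.findall(rule):
        for name in re.split(r'[|&]', names.strip()):
            if not name:
                continue  # noalert / unset have no dependency meaning here
            if action in ('isset', 'isnotset'):
                checked.add(name)
            elif action in ('set', 'toggle'):
                setters.add(name)
    return checked, setters


def sid_of(rule):
    """Extract the sid as an int (None if the rule has no sid option)."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def resolve_auto_flowbits(rules):
    """rules: list of (rule_text, enabled).

    Returns (required_bits, auto_rules): the set of flowbit names the
    enabled rules depend on and, in discovery order, the disabled rules
    that must be written to the separate auto-flowbits rules file.
    """
    parsed = [(text, enabled, *parse_flowbits(text)) for text, enabled in rules]
    active = {i for i, (_, enabled, _, _) in enumerate(parsed) if enabled}
    auto_rules = []
    while True:
        required = set()
        for i in active:
            required |= parsed[i][2]          # bits checked by active rules
        newly = [i for i, (_, _, _, sets) in enumerate(parsed)
                 if i not in active and sets & required]
        if not newly:
            return required, auto_rules
        for i in newly:                       # pull setters in and rescan, since
            active.add(i)                     # a setter may itself check a bit
            auto_rules.append(parsed[i][0])


def auto_flowbit_sids(rules):
    """Convenience wrapper: sids that would land in the auto-flowbits file."""
    return [sid_of(r) for r in resolve_auto_flowbits(rules)[1]]


if __name__ == '__main__':
    required, auto_rules = resolve_auto_flowbits(SAMPLE_RULES)
    print('required flowbits:', sorted(required))
    print('auto-flowbits file would contain sids:', [sid_of(r) for r in auto_rules])
```

Running it shows sid 9000002 (the disabled setter) and then 9000001 (its own dependency) being pulled in, while 9000004 stays out. The practical consequence matches what the thread observed: disabling a rule on its category tab does not stop it from loading if an enabled rule still does `isset` on the bit it provides; either the consuming rule has to be disabled too, or the alert has to be suppressed.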
-
Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
I know, I know, I need a life... ;D
-
Hang in there, it's coming don't worry. Give bmeeks time to get it ready, and you'll not regret it.
Happens to me too. Every day I check for updates to Debian Jessie, even though I know it's coming April-May next year. It's caused by being completely satisfied with a software you use ;D
-
Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
I know, I know, I need a life... ;D
I'm working on it feverishly and am almost done. I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs. The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it. Just give me a little more time to get it done.
Here are new features coming in the package –
1. ALERT tab view filtering so you can view only alerts matching specified criteria
2. Support for CARP Sync of master to slaves
3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
4. Support for Suricata IP Reputation Lists (this is not yet started, though)
5. Support for new EVE JSON logging output option for Suricata 2.0.x
6. Support for new DNS event logging output option for Suricata 2.0.x
7. Support for all the new application layer parsers in Suricata 2.0.x
8. Ability to specify syslog facility for Suricata output to either the local or remote syslog
The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads. Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started. My target is to finish, test and then post the Pull Request towards the end of this upcoming week. If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.
Bill
-
Great! Please take your time! And I agree, if #4 takes too much time it can wait for the next release.
-
Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
I know, I know, I need a life... ;D
I'm working on it feverishly and am almost done. I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs. The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it. Just give me a little more time to get it done.
Here are new features coming in the package –
1. ALERT tab view filtering so you can view only alerts matching specified criteria
2. Support for CARP Sync of master to slaves
3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
4. Support for Suricata IP Reputation Lists (this is not yet started, though)
5. Support for new EVE JSON logging output option for Suricata 2.0.x
6. Support for new DNS event logging output option for Suricata 2.0.x
7. Support for all the new application layer parsers in Suricata 2.0.x
8. Ability to specify syslog facility for Suricata output to either the local or remote syslog
The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads. Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started. My target is to finish, test and then post the Pull Request towards the end of this upcoming week. If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.
Bill
Fantastic! Thank you for everything. I like this much better than the Snort package.
-
Hi bmeeks,
First of all thank you for developing Suricata package.
I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General
suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap</error>
Not sure if this is a known issue. Please let me know if you require more information.
-
Hi bmeeks,
First of all thank you for developing Suricata package.
I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General
suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap</error>
Not sure if this is a known issue. Please let me know if you require more information.
Do you have a PPPoE type interface on your WAN? If so, those are not well supported by Suricata (at least not the older 1.4.6 version). Several folks have reported issues with PPPoE and the Suricata package.
Bill
-
Do you have a PPPoE type interface on your WAN? If so, those are not well supported by Suricata (at least not the older 1.4.6 version). Several folks have reported issues with PPPoE and the Suricata package.
Bill
Hi Bill,
Yes. PPPoE on my WAN interface.
-
Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
I know, I know, I need a life... ;D
Final testing is almost completed. I posted a preview thread showing some screenshots of the new features coming in the updated package. Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0
Bill