Netgate Discussion Forum
    Current Bugs in Suricata 1.4.6 package – help me make sure I have them listed

    pfSense Packages
    24 Posts 9 Posters 5.0k Views
    • bmeeks

      @GoldServe:

      When choosing to log to system log and ultimately sending out to remote syslog, the process ends up as garbage sometimes.

      See example in pfSense log files:

      M-^AM-^AVë^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80
      

      That could be a bug (hopefully a fixed one in the current stable release) in the Suricata binary itself.  Nothing in the GUI package alters the syslog output content.  That comes straight from the binary.  The current pfSense package uses version 1.4.6 of Suricata.  I am almost ready to release an update based on the current 2.0.2-RELEASE version.

      Some research on the Suricata site for all the bug fixes incorporated during the progression from 1.4.6 to 1.4.7 to 2.0 to 2.0.1 and finally 2.0.2 will be needed to see if this bug got identified and fixed.  I will do a quick review as part of the update I'm working on.

      Bill

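The garbled line quoted above is still a well-formed alert once the broken syslog prefix is skipped, so a log consumer can keep the alert and only flag the prefix. The following parser is an added example, not code from the pfSense package or from Suricata: it splits a fast-log style syslog alert into fields and reports whether the text in front of the `[gid:sid:rev]` block looks like a sane `tag[pid]:` prefix (printable ASCII only). The garbled sample is the one from the post; the clean line, its timestamp and host name `pfsense`, and the non-alert notice line are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Alert body as Suricata/Snort emit it through syslog (fast-log style):
#   <prefix>[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<prefix>.*?)\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)\s*$"
)

# A healthy syslog prefix ends in "<tag>[<pid>]: ", optionally preceded by a timestamp and host.
PREFIX_RE = re.compile(r"^(?:.*\s)?[A-Za-z0-9_.-]+\[\d+\]:\s*$")

# Sample input: the line quoted in the post (as the forum rendered its control bytes),
# a constructed clean version of the same alert, and a constructed non-alert notice line.
GARBLED_LINE = ("M-^AM-^AV\u00eb^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) "
                "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
                "192.168.10.157:55057 -> 216.115.208.199:80")
CLEAN_LINE = ("Aug 23 12:49:09 pfsense suricata[73902]: [1:2008974:9] ET MALWARE User-Agent "
              "(Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] "
              "[Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80")
OTHER_LINE = "suricata[16957]: 23/8/2014 -- 12:49:09 - <Notice> - engine started."
SAMPLE_LINES = [GARBLED_LINE, CLEAN_LINE, OTHER_LINE]


def prefix_is_clean(prefix: str) -> bool:
    """True when everything before the alert body is printable ASCII shaped like 'tag[pid]: '."""
    return prefix.isascii() and prefix.isprintable() and PREFIX_RE.match(prefix) is not None


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog alert line into fields; None when no alert body can be recognised."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    f = m.groupdict()
    return {
        "prefix_ok": prefix_is_clean(f["prefix"]),
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"], "classification": f["classification"],
        "priority": int(f["priority"]), "proto": f["proto"],
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
    }


def triage(lines: List[str]) -> Dict[str, int]:
    """Count alerts with a clean prefix, alerts with a corrupted prefix, and lines that are not alerts."""
    counts = {"clean": 0, "corrupt_prefix": 0, "unparsed": 0}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            counts["unparsed"] += 1
        elif parsed["prefix_ok"]:
            counts["clean"] += 1
        else:
            counts["corrupt_prefix"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_alert(line)
        if parsed is None:
            print("not an alert:", line[:40])
        else:
            print("sid %d %s -> %s prefix_ok=%s" % (parsed["sid"], parsed["src"], parsed["dst"], parsed["prefix_ok"]))
    print(triage(SAMPLE_LINES))
```

Counting `corrupt_prefix` lines on the collector is a cheap way to see whether the problem goes away after the binary upgrade the thread is waiting for, without throwing away the alert data in the meantime.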
      • bmeeks

        @wcrowder:

        The directory for the second file is wrong in your post. It's:

        /usr/local/www/suricata/suricata_check_for_rule_updates.php

        Thanks again for your hard work.

        Yep.  My bad.  I gave what will be the "new path" in the upcoming update.  I'm moving some of the configuration update files that don't have a GUI login interface to a non-public directory in the web folder structure.

        @wcrowder:

        Thank you, that worked! I did this earlier; my mistake is I CHANGED the URL… :)

        Yeah, a day or two after the snort.org web site update, they put back a workaround that lets the old URLs continue to work for a year.  If you change the URL, you also have to change the code to generate and use an HTML query string to pass the oinkcode instead of including it as part of the URL path.

        Thanks for posting the correction…all of this is fixed properly in the upcoming Suricata update.

        Bill

        • A Former User

          Zombie "ET POLICY PE EXE or DLL Windows file download" (2000419) is back.

          Rule is disabled on the ET policy tab. BUT rule is enabled on the auto-flow bit tab, which makes me think something is depending on it and it gets enabled automatically. Thankfully the rule didn't fire on akamai causing the dreaded "THE INTERNET IS DOWN!" calls (and my " It's because the holocaust is here!" response). Nope, because nobody would be stupid enough to create a rule that fires up when updating the same OS it's designed to protect. Right?

          Makes me think the ET rules are no longer maintained sometimes. That or greed got to them since most of their updates are for the PRO rules. They have to remove 40 rules from the free rules, and I've been screaming my head off at them for the past couple of years to do it. Seems they are one of the "WTF? ARE YOU TELLING ME HOW TO DO MY JOB?!?!?" type.

          Enough of my off topic  ;D

          I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.

          • BBcan177 Moderator

            @jflsakfja:

            I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.

            I took a look at my Snort Setup and I have that Rule Disabled and there are no Suppressions listed in my WAN Suppress List.

            It doesn't look like there have been any changes to that rule since 08/19/2013
            http://doc.emergingthreats.net/bin/view/Main/2000419

            Maybe something else is causing this issue?

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            • A Former User

              All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p

              • bmeeks

                @jflsakfja:

                All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p

                The auto-flowbit logic runs through all the enabled rules looking for flowbit "isset" keywords.  It then creates an array of required flowbits.  Next, it looks at that list of required flowbits and finds all the rules that "set" those flowbits and enables them.  Well, it actually just puts them in the separate auto-flowbits rules file.  That file is loaded along with the main rules file when Suricata (or Snort) starts.  So it in effect gets 'enabled' by getting included in the separate auto-flowbits rules file.

                Could be that an update somewhere tinkered with a flowbit dependency in one of the rules.

                Bill

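The auto-flowbit pass Bill describes above is short enough to show in full, and showing it also explains why a rule the user disabled can come back. The block below is an added example written for this thread in Python, not the pfSense package's own PHP code: it collects the flowbits that the enabled rules test with `isset`, then pulls every disabled rule that `set`s one of them into a separate auto-flowbits file. The four rules, their sids (9000001 to 9000004) and flowbit names are constructed; `disabled_sids` stands in for what the GUI (or a disablesid.conf entry) has turned off. Two details go beyond the post and are my assumptions: setters that are already enabled are not duplicated into the extra file, and the pass repeats until nothing changes, so a re-included setter that itself needs another flowbit pulls that setter in as well.

```python
import re
from typing import Dict, List, Set

# Constructed sample rules in Snort/Suricata syntax (hypothetical sids, not real ET rules).
# 9000002 tests a bit that 9000001 sets; 9000001 in turn tests a bit that 9000004 sets.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE setter, stage 2"; '
    'flowbits:isset,example.stage1; flowbits:set,example.exe_download; flowbits:noalert; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE consumer"; '
    'flowbits:isset,example.exe_download; sid:9000002; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE unrelated setter"; '
    'flowbits:set,example.other; flowbits:noalert; sid:9000003; rev:1;)',
    'alert http any any -> any any (msg:"EXAMPLE setter, stage 1"; '
    'flowbits:set,example.stage1; flowbits:noalert; sid:9000004; rev:1;)',
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([a-z]+)(?:\s*,\s*([^;]+?))?\s*;")
NAME_SPLIT_RE = re.compile(r"[&|]")  # "a&b" / "a|b" name lists inside one flowbits option


def parse_rule(rule: str) -> Dict[str, object]:
    """Extract the sid, the flowbits a rule sets, and the flowbits it requires via 'isset'."""
    m = SID_RE.search(rule)
    if m is None:
        raise ValueError("rule without sid: %r" % rule)
    sets: Set[str] = set()
    requires: Set[str] = set()
    for action, names in FLOWBITS_RE.findall(rule):
        if not names:  # e.g. "flowbits:noalert;" carries no bit name
            continue
        bits = {n.strip() for n in NAME_SPLIT_RE.split(names) if n.strip()}
        if action in ("set", "toggle"):
            sets |= bits
        elif action == "isset":
            requires |= bits
    return {"sid": int(m.group(1)), "sets": sets, "requires": requires}


def auto_flowbit_dependencies(rules: List[str], disabled_sids: Set[int]) -> Dict[int, List[int]]:
    """Return {disabled setter sid: [sids of enabled rules that require its flowbit]}.

    Step 1: gather the flowbits that currently enabled rules test with 'isset'.
    Step 2: every not-yet-enabled rule that sets one of them is added to the auto-flowbits set.
    The loop repeats until stable so that chained setters are resolved (assumption, see lead-in).
    """
    parsed = [parse_rule(r) for r in rules]
    enabled: Dict[int, dict] = {p["sid"]: p for p in parsed if p["sid"] not in disabled_sids}
    pulled_in: Dict[int, Set[int]] = {}
    changed = True
    while changed:
        changed = False
        required: Dict[str, Set[int]] = {}  # flowbit name -> sids of enabled rules testing it
        for p in enabled.values():
            for bit in p["requires"]:
                required.setdefault(bit, set()).add(p["sid"])
        for p in parsed:
            if p["sid"] in enabled:
                continue
            consumers: Set[int] = set()
            for bit in p["sets"] & set(required):
                consumers |= required[bit]
            if consumers:
                enabled[p["sid"]] = p
                pulled_in[p["sid"]] = consumers
                changed = True
    return {sid: sorted(c) for sid, c in pulled_in.items()}


def auto_flowbits_file(rules: List[str], disabled_sids: Set[int]) -> str:
    """Text of the separate auto-flowbits rules file: the disabled setters that get loaded anyway."""
    deps = auto_flowbit_dependencies(rules, disabled_sids)
    by_sid = {parse_rule(r)["sid"]: r for r in rules}
    return "".join(by_sid[sid] + "\n" for sid in sorted(deps))


if __name__ == "__main__":
    # The situation from the thread: the user disabled the setter (and its stage-1 parent) only.
    for sid, consumers in auto_flowbit_dependencies(SAMPLE_RULES, {9000001, 9000004}).items():
        print("sid %d is disabled in the GUI but re-enabled by auto-flowbits because %s need(s) its flowbit"
              % (sid, ", ".join(map(str, consumers))))
```

The `auto_flowbit_dependencies` output is the part worth keeping around when a "zombie" rule shows up: it names the enabled consumer rule that drags the disabled setter back in, which is the rule you have to disable (or the alert you have to suppress) if you really want the setter gone.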
                • wcrowder

                  Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

                  I know, I know, I need a life...  ;D

                  • A Former User

                    Hang in there, it's coming, don't worry. Give bmeeks time to get it ready, and you'll not regret it.

                    Happens to me too. Every day I check for updates to debian jessie, even though I know it's coming april-may next year. It's caused by being completely satisfied with software you use ;D

                    • bmeeks

                      @wcrowder:

                      Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

                      I know, I know, I need a life...  ;D

                      I'm working on it feverishly and am almost done.  I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs.  The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it.  Just give me a little more time to get it done.

                      Here are new features coming in the package –

                      1. ALERT tab view filtering so you can view only alerts matching specified criteria
                      2. Support for CARP Sync of master to slaves
                      3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
                      4. Support for Suricata IP Reputation Lists (this is not yet started, though)
                      5. Support for new EVE JSON logging output option for Suricata 2.0.x
                      6. Support for new DNS event logging output option for Suricata 2.0.x
                      7. Support for all the new application layer parsers in Suricata 2.0.x
                      8. Ability to specify syslog facility for Suricata output to either the local or remote syslog

                      The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads.  Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started.  My target is to finish, test and then post the Pull Request towards the end of this upcoming week.  If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.

                      Bill

                      • digdug3

                        Great! Please take your time! And I agree, if #4 takes too much time it can wait for the next release.

                        • zerodamage

                          @bmeeks:

                          @wcrowder:

                          Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

                          I know, I know, I need a life...  ;D

                          I'm working on it feverishly and am almost done.  I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs.  The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it.  Just give me a little more time to get it done.

                          Here are new features coming in the package –

                          1. ALERT tab view filtering so you can view only alerts matching specified criteria
                          2. Support for CARP Sync of master to slaves
                          3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
                          4. Support for Suricata IP Reputation Lists (this is not yet started, though)
                          5. Support for new EVE JSON logging output option for Suricata 2.0.x
                          6. Support for new DNS event logging output option for Suricata 2.0.x
                          7. Support for all the new application layer parsers in Suricata 2.0.x
                          8. Ability to specify syslog facility for Suricata output to either the local or remote syslog

                          The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads.  Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started.  My target is to finish, test and then post the Pull Request towards the end of this upcoming week.  If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.

                          Bill

                          Fantastic!  Thank you for everything. I like this much better than the Snort package.

                          • RedAntz

                            Hi bmeeks,

                            First of all thank you for developing Suricata package.

                            I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General

                            suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

                            Not sure if this is a known issue. Please let me know if you require more information.

                            • bmeeks

                              @RedAntz:

                              Hi bmeeks,

                              First of all thank you for developing Suricata package.

                              I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General

                              suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

                              Not sure if this is a known issue. Please let me know if you require more information.

                              Do you have a PPPoE type interface on your WAN?  If so, those are not well supported by Suricata (at least not the older 1.4.6 version).  Several folks have reported issues with PPPoE and the Suricata package.

                              Bill

                              • RedAntz

                                @bmeeks:

                                Do you have a PPPoE type interface on your WAN?  If so, those are not well supported by Suricata (at least not the older 1.4.6 version).  Several folks have reported issues with PPPoE and the Suricata package.

                                Bill

                                Hi Bill,

                                Yes. PPPoE on my WAN interface.

                                • bmeeks

                                  @wcrowder:

                                  Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

                                  I know, I know, I need a life...  ;D

                                  Final testing is almost completed.  I posted a preview thread showing some screenshots of the new features coming in the updated package.  Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0

                                  Bill

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.