Current Bugs in Suricata 1.4.6 package – help me make sure I have them listed
-
@jflsakfja:
> I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.
I took a look at my Snort setup and I have that rule disabled, and there are no suppressions listed in my WAN suppress list.
It doesn't look like there have been any changes to that rule since 08/19/2013:
http://doc.emergingthreats.net/bin/view/Main/2000419
Maybe something else is causing this issue?
-
All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a Windows VM and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto-enabled it, and it wasn't me :p
-
@jflsakfja:
> All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a Windows VM and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto-enabled it, and it wasn't me :p
The auto-flowbit logic runs through all the enabled rules looking for flowbit "isset" keywords. It then creates an array of required flowbits. Next, it looks at that list of required flowbits and finds all the rules that "set" those flowbits and enables them. Well, it actually just puts them in the separate auto-flowbits rules file. That file is loaded along with the main rules file when Suricata (or Snort) starts. So it in effect gets 'enabled' by getting included in the separate auto-flowbits rules file.
Could be that an update somewhere tinkered with a flowbit dependency in one of the rules.
Bill
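The auto-flowbit resolution Bill describes above, written out as an added Python example (not the pfSense package's own PHP code): it scans the enabled rules for flowbits:isset, collects the required bit names, and picks out the rules that set those bits, which is what lands in the separate auto-flowbits rules file. The rule text and SIDs are constructed samples, and splitting multi-bit specs on | or & is an assumption.

```python
import re

# Constructed sample rules (not from the thread). ENABLED_RULES are the ones
# left active in the GUI; DISABLED_RULES were switched off by the user.
ENABLED_RULES = [
    'alert tcp any any -> any 80 (msg:"stage 2"; flowbits:isset,ET.stage1; sid:2000002; rev:1;)',
    'alert tcp any any -> any any (msg:"no deps"; sid:2000003; rev:1;)',
]
DISABLED_RULES = [
    'alert tcp any any -> any 80 (msg:"stage 1"; flowbits:set,ET.stage1; flowbits:noalert; sid:2000001; rev:1;)',
    'alert tcp any any -> any 25 (msg:"unrelated setter"; flowbits:set,ET.other; sid:2000004; rev:1;)',
]

# Only the 'isset' and 'set' actions matter here; 'noalert', 'unset' and
# 'toggle' do not start with either word right after the colon, so they skip.
FLOWBIT_RE = re.compile(r'flowbits\s*:\s*(isset|set)\s*,\s*([^;\s]+)')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def flowbits(rule, action):
    """Flowbit names a rule uses with the given action ('isset' or 'set').
    Assumption: a spec like 'a|b' or 'a&b' is split into its member bits."""
    names = set()
    for act, spec in FLOWBIT_RE.findall(rule):
        if act == action:
            names.update(n for n in re.split(r'[|&]', spec) if n)
    return names


def required_flowbits(enabled_rules):
    """Step 1: every flowbit that some enabled rule checks with isset."""
    required = set()
    for rule in enabled_rules:
        required |= flowbits(rule, 'isset')
    return required


def auto_flowbit_rules(enabled_rules, candidate_rules):
    """Step 2: rules that set a required flowbit. These are the ones the
    package writes to the auto-flowbits file, even if the user disabled them."""
    required = required_flowbits(enabled_rules)
    return [r for r in candidate_rules if flowbits(r, 'set') & required]


def auto_enabled_sids(enabled_rules, candidate_rules):
    """SIDs that end up effectively enabled through a flowbit dependency."""
    return sorted(int(SID_RE.search(r).group(1))
                  for r in auto_flowbit_rules(enabled_rules, candidate_rules))


if __name__ == "__main__":
    for sid in auto_enabled_sids(ENABLED_RULES, DISABLED_RULES):
        print("auto-enabled via flowbit dependency: sid", sid)
```

Running it shows sid 2000001 coming back even though it sits in the disabled list, which is exactly the "I didn't enable it" symptom described above; sid 2000004 stays off because nothing enabled checks ET.other.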
-
Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
I know, I know, I need a life... ;D
-
Hang in there, it's coming, don't worry. Give bmeeks time to get it ready, and you'll not regret it.
Happens to me too. Every day I check for updates to Debian Jessie, even though I know it's coming April-May next year. It's caused by being completely satisfied with software you use ;D
-
> Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
> I know, I know, I need a life... ;D
I'm working on it feverishly and am almost done. I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs. The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it. Just give me a little more time to get it done.
Here are new features coming in the package –
1. ALERT tab view filtering so you can view only alerts matching specified criteria
2. Support for CARP Sync of master to slaves
3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
4. Support for Suricata IP Reputation Lists (this is not yet started, though)
5. Support for new EVE JSON logging output option for Suricata 2.0.x
6. Support for new DNS event logging output option for Suricata 2.0.x
7. Support for all the new application layer parsers in Suricata 2.0.x
8. Ability to specify syslog facility for Suricata output to either the local or remote syslog
The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads. Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started. My target is to finish, test and then post the Pull Request towards the end of this upcoming week. If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.
Bill
-
Great! Please take your time! And I agree, if #4 takes too much time it can wait for the next release.
-
Fantastic! Thank you for everything. I like this much better than the Snort package.
-
Hi bmeeks,
First of all thank you for developing Suricata package.
I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General:
suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Not sure if this is a known issue. Please let me know if you require more information.
-
> Hi bmeeks,
> First of all thank you for developing Suricata package.
> I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General:
> suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
> Not sure if this is a known issue. Please let me know if you require more information.
Do you have a PPPoE type interface on your WAN? If so, those are not well supported by Suricata (at least not the older 1.4.6 version). Several folks have reported issues with PPPoE and the Suricata package.
Bill
-
> Do you have a PPPoE type interface on your WAN? If so, those are not well supported by Suricata (at least not the older 1.4.6 version). Several folks have reported issues with PPPoE and the Suricata package.
> Bill
Hi Bill,
Yes. PPPoE on my WAN interface.
-
> Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here... :'(
> I know, I know, I need a life... ;D
Final testing is almost completed. I posted a preview thread showing some screenshots of the new features coming in the updated package. Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0
Bill