Suricata update to the new 2.0.9 binary is coming soon

bmeeks · Nov 10, 2015, 4:30 AM

I have submitted a Pull Request for review by the pfSense team that will update Suricata to the latest 2.0.9 binary version. The new update also fixes an older GUI issue and implements optional X-Forwarded-For logging for Unified2 output to Barnyard. Details can be found in the Pull Request on Github: https://github.com/pfsense/pfsense-packages/pull/1148. Once the request is reviewed and approved, a new Suricata version will show up under System > Packages > Installed Packages.

An update to 2.9.7.6 for Snort is next on my TODO list.

Bill

bmeeks · Nov 10, 2015, 2:48 PM

The update for Suricata has been merged and is now available for users to install. The Suricata binary is now v2.0.9 and the GUI package is v2.1.9.

Bill

nug · Nov 11, 2015, 1:16 AM

This update seems to have broken my barnyard2/Snorby setup from Suricata. Now when I try to start the barnyard2 service for an interface I get:

Nov 11 08:57:53 barnyard2[93466]: Barnyard2 exiting
Nov 11 08:57:53 barnyard2[93466]: FATAL ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mysql' support. If this build of barnyard2 was compiled by you, then re-run the the ./configure script using the '–with-mysql' switch. For non-standard installations of a database, the '--with-mysql=DIR' syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
Nov 11 08:57:53 barnyard2[93466]: ERROR database: 'mysql' support is not compiled into this build of snort

Has anyone else experienced this?

bmeeks · Nov 11, 2015, 1:08 PM

@nug:

This update seems to have broken my barnyard2/Snorby setup from Suricata. Now when I try to start the barnyard2 service for an interface I get:

Nov 11 08:57:53 barnyard2[93466]: Barnyard2 exiting
Nov 11 08:57:53 barnyard2[93466]: FATAL ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mysql' support. If this build of barnyard2 was compiled by you, then re-run the the ./configure script using the '–with-mysql' switch. For non-standard installations of a database, the '--with-mysql=DIR' syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
Nov 11 08:57:53 barnyard2[93466]: ERROR database: 'mysql' support is not compiled into this build of snort

Has anyone else experienced this?

Oops! I think I know what might be the problem, but I need to correspond with the pfSense developers who build the ports. I believe some options knobs are being ignored during the build process. One that that is specifically enabled is MySQL support in Barnyard2, but apparently it didn't actually get enabled. I missed it during testing because I have temporarily shutdown my Snorby system and forgot to test the new PBI for MySQL connections.

Let me have the pfSense team rebuild the PBIs for Suricata and see if that helps.

Bill

nug · Nov 12, 2015, 1:18 AM

Ah, cool. Thanks for following up!

Azgarech · Nov 12, 2015, 7:47 AM

I got the exact same troubles with Barnyard2 and Snorby. I will follow the topic. For now I I will do a tail -f on some terminal to follow it up :D

bmeeks · Nov 13, 2015, 12:01 AM

I posted a Pull Request yesterday with the fix and it was approved and merged. It looks like the rebuild of the PBIs with the new MAKE options has not yet happened. I will get with the pfSense team to see what's up. You can look for new PBIs here: https://files.pfsense.org/packages/10/All/.

You would be looking for a suricata-2.0.9-*.pbi file (matching your architecture) with a build date of November 12, 2015 or later.

Bill

bmeeks · Nov 12, 2015, 4:58 PM

Updated PBI binary packages have been posted for Suricata. If you had problems with Barnyard2 and no MySQL support, try removing the Suricata package completely and then installing again. You won't lose your settings so long as the "Keep Settings" checkbox on the GLOBAL tab is checked.

Bill

nug · Nov 13, 2015, 2:45 AM

Bang! All done. Thanks very much for this mate.

Hey just a quick question.. Does Snorby end up going back and filling in the few days that were missing or is there a way I can force it to do that? Suricata was still running during this time and has all of the alerts in the system.

bmeeks · Nov 13, 2015, 4:20 PM

@nug:

Bang! All done. Thanks very much for this mate.

Hey just a quick question.. Does Snorby end up going back and filling in the few days that were missing or is there a way I can force it to do that? Suricata was still running during this time and has all of the alerts in the system.

Barnyard2 should see the unified2 alert logs and start sending them over if they have not been auto-archived yet. You might have to reset the place keeper by removing/resetting the waldo file. You can probably find some more details on the web with a little searching.

Bill