Snort and Suricata package versions
-
After a bit of a discussion on Reddit (https://www.reddit.com/r/PFSENSE/comments/5mrqwm/what_featurespackages_do_you_use_home/) about whether or not Suricata is maintained on pfSense, I thought it might be good to have a discussion about updates and would appreciate bmeeks' input (and anyone else's).
Personally I feel the version of Suricata currently on pfSense is adequate for most users, but it is not current. Same with Snort.
Cisco is much more stringent about Snort end of life and it does seem as if the pfSense version is always kept up to date enough to be within the Snort EoL matrix so it can continue to get rule updates.
Is there a release timeline for updating the pfSense packages to new versions of Snort and Suricata? I (think) bmeeks is a volunteer, so that may be a lot to ask of him to commit to something like that, but even a general timeline would be helpful for some.
Again, I'd like to make it clear that I'm very thankful for bmeeks and the rest of the pfSense team's work and am not demanding anything more of them, but wanted to try to start a discussion about what the community could expect in terms of updates to these packages.
-
Updates to both packages (on the binary side) tend to happen as soon as possible after the ports tree in FreeBSD is updated. The pfSense team wants to pull packages from the FreeBSD ports tree and does not want to get out of sync with the ports tree version wise. So shortly after the FreeBSD ports maintainer for Snort or Suricata updates the package there, I try to submit a PR to migrate the update to pfSense. There is a custom module others wrote for Snort that I now maintain, and a variation of that module that I wrote and maintain for Suricata. The custom module handles the blocking mode in Snort and Legacy blocking mode in Suricata. I have had to make some slight adjustments from time to time to keep the custom module working through binary upstream updates. So it is not an automatic thing to migrate upstream updates to the pfSense packages. I have to make sure the custom module will still compile without errors (it is a patch to the upstream source).
You are correct that Snort seems to have priority because I do endeavor to keep it current enough so rule updates from the Snort VRT work. I would also keep Suricata more current, but the FreeBSD port maintainer for Suricata frequently falls behind upstream's version and there can be a lengthy lag in updates. I wait on the pfSense side until the FreeBSD port updates before submitting a pull request to the pfSense team.
Bill
-
Thank you for all you do Bill :D
-
Thanks bmeeks, again appreciate all your hard work.
I'm not too familiar with FreeBSD ports, but it looks to me like the FreeBSD Port for Suricata is up to 3.1.2, and pfSense is still on 3.0, am I reading that right? If so any estimate on when the pfSense package will be updated? (Although maybe best to wait a bit longer as 3.2 was released last month, but FreeBSD port isn't updated yet)
Thanks again for helping me understand the update process.
-
Thanks bmeeks, again appreciate all your hard work.
I'm not too familiar with FreeBSD ports, but it looks to me like the FreeBSD Port for Suricata is up to 3.1.2, and pfSense is still on 3.0, am I reading that right? If so any estimate on when the pfSense package will be updated? (Although maybe best to wait a bit longer as 3.2 was released last month, but FreeBSD port isn't updated yet)
Thanks again for helping me understand the update process.
The version number in the pfSense packages repository refers to the GUI package and not the underlying binary at the moment. There is also a difference in binary versions between the 2.4-BETA snapshot of pfSense and the 2.3.2 production version. The snapshots are running 3.1.2 of the Suricata binary.
You can verify the Suricata binary version using this command line –
suricata -V
Bill
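The post above draws a distinction between the version of the pfSense GUI package and the version of the Suricata binary it wraps. The following is an added example script (not from the thread or from the pfSense project) that pulls the binary version out of the `suricata -V` banner, pulls the version out of a package name, and reports whether the two agree. The banner text and package names used as sample input are constructed; the `pkg query '%v'` call in the live section is an assumed FreeBSD pkg invocation and is only run when both `suricata` and `pkg` are on the PATH.

```shell
#!/bin/sh
# Added example: compare the pfSense GUI package version with the
# version the installed Suricata binary reports. Not part of the thread.

# Extract "X.Y.Z" from the banner printed by `suricata -V`, for example
# "This is Suricata version 3.1.2 RELEASE". The banner is passed in as $1.
suricata_binary_version() {
    printf '%s\n' "$1" | sed -n 's/.*Suricata version \([0-9][0-9.]*\).*/\1/p'
}

# Extract the version from a "name-version" package string such as
# "pfSense-pkg-suricata-3.1.2_3" (constructed sample; the "_N" suffix is
# the FreeBSD port revision and is kept here).
pkg_version_of() {
    printf '%s\n' "$1" | sed -n 's/^.*-\([0-9][0-9._]*\)$/\1/p'
}

# Return 0 when the upstream part of two versions agrees (port revision
# suffix "_N" ignored), 1 otherwise. $1 = GUI package version, $2 = binary.
versions_match() {
    gui=$(printf '%s\n' "$1" | sed 's/_.*//')
    bin=$(printf '%s\n' "$2" | sed 's/_.*//')
    [ "$gui" = "$bin" ]
}

# Live check on a pfSense box. Both commands are assumed to exist there;
# nothing runs when they are absent (e.g. on a workstation).
report_live() {
    if command -v suricata >/dev/null 2>&1 && command -v pkg >/dev/null 2>&1; then
        bin=$(suricata_binary_version "$(suricata -V 2>&1)")
        # Assumed: `pkg query '%v' name` prints the installed version.
        gui=$(pkg query '%v' pfSense-pkg-suricata 2>/dev/null)
        if versions_match "$gui" "$bin"; then
            echo "GUI package $gui and binary $bin agree"
        else
            echo "GUI package $gui wraps binary $bin (versions differ)"
        fi
    fi
}

report_live
```

The point of separating the two numbers is exactly the confusion in the thread: the number shown in the pfSense package manager describes the PHP/GUI wrapper, so only the banner from the binary itself tells you which Suricata engine is actually inspecting traffic.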
-
suricata 3.1.2 is now available on pfSense 2.3.2