Netgate Discussion Forum

    Suricata Package Updated to 3.1.2 – Release Notes

    IDS/IPS
    • ?
      A Former User
      last edited by

      "Worth others checking to see if this is a bug or just restricted to my system."
      Same here. Cleared up after uninstall then install. Had in General system log, kernel netmap bad pkg messages. It may have not loaded the binary properly. Good catch.  ;)

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @gsiemon:

        Bill,

        I've just uninstalled and reinstalled the package and it's now showing

        ```
        This is Suricata version 3.1.2 RELEASE
        ```

        I didn't look closely at the first package upgrade log, but it appears that may not have pulled down the updated binary.

        Worth others checking to see if this is a bug or just restricted to my system.

        I'm not sure exactly what time today the 2.3.x pfSense package repository updated with the new Suricata binary.  It could be you caught it in between the update of the GUI package and the compilation and post of the updated binary.

        Bill

        1 Reply Last reply Reply Quote 0
        • G
          gsiemon
          last edited by

          @bmeeks:

          I'm not sure exactly what time today the 2.3.x pfSense package repository updated with the new Suricata binary.  It could be you caught it in between the update of the GUI package and the compilation and post of the updated binary.

          Bill

          Thanks Bill.  It's possible.  I upgraded the package only a few minutes before I posted, so a good 8 hours after your post.

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned
            last edited by

            ```
            $ suricata -V
            This is Suricata version 3.1.2 RELEASE
            ```

            Looks just fine on 2.3.3 snapshots.

            1 Reply Last reply Reply Quote 0
            • D
              dhboyd26
              last edited by

              I also had to uninstall, then reinstall to get the binary to update.  Not sure why, but it appears to not want to update the binary if it is already there.  All other bits and pieces of the GUI appeared fine, just no Suricata binary upgrade.

              Working now, thanks bmeeks!

              1 Reply Last reply Reply Quote 0
              • N
                n3by
                last edited by

                Thank you for pointing out this update problem.

                I updated Suricata today without any problem; I did not check until now, when it revealed v 3.0.
                Uninstalled and reinstalled, and now it is on v 3.1.2.

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  I'll relay this issue to Renato on the pfSense team.  He handles the binary packages stuff.  Thanks for the reports.

                  Edit: added a new caution to the Release Notes post at the start of this thread.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • D
                    doktornotor Banned
                    last edited by

                    Hmmm, odd since I did not uninstall before upgrade for sure.

                    1 Reply Last reply Reply Quote 0
                    • M
                      mind12
                      last edited by

                      Hello,

                      please help me understand the new Inline mode passlist feature.

                      My questions are:

                      • How can I find the generated PASS rules in the GUI? I found them through the CLI by searching for the passlist.rules file.

                      • By default Suricata uses the default passlist on the running interfaces and it includes the local networks. Does this mean that all the traffic inbound and outbound from those networks will be ignored and passed by Suricata? If yes (I assume because Suricata ALERTS stopped after I upgraded to the new version and appeared after modifying the passlist), I would definitely instruct users to modify the default passlist or Suricata will be non-effective.

                      Thank you in advance.

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @mind12:

                        Hello,

                        please help me understand the new Inline mode passlist feature.

                        My questions are:

                        • How can I find the generated PASS rules in the GUI? I found them through the CLI by searching for the passlist.rules file.

                        • By default Suricata uses the default passlist on the running interfaces and it includes the local networks. Does this mean that all the traffic inbound and outbound from those networks will be ignored and passed by Suricata? If yes (I assume because Suricata ALERTS stopped after I upgraded to the new version and appeared after modifying the passlist), I would definitely instruct users to modify the default passlist or Suricata will be non-effective.

                        Thank you in advance.

                        Currently the PASS rules cannot be viewed directly in the GUI.  I can see about adding that as a new feature in an upcoming update.

                        You are correct that Pass List hosts will not generate blocks or alerts currently with the default rule action order being PASS, DROP, REJECT then ALERT.  The Pass List can be customized quite easily by creating a list and checking/unchecking the options on the pass list creation page.  You can create an alias to hold an essentially unlimited number of other custom addresses.  Remember aliases can be nested, so you can create a single alias to reference in the Pass List and then put all other aliases you want included within that single alias.

                        You can see the addresses and networks that will be in the new auto-PASS rules with inline IPS mode by going to the INTERFACE SETTINGS tab for the interface and scrolling down to the Pass List section.  There is a button there for viewing the contents of the pass list (the IP addresses and networks).  While it won't show the exact PASS rules, any IP address shown there will get translated into a PASS rule.

                        You can remove Local Networks and other defaults from the Pass List when you create your own.  Just be aware that those hosts can then become blocked, and that may not be what you really want in all cases.  Generally speaking it is external traffic you are trying to block.  There is likely some room for improvement in how the new auto-Pass List feature is implemented.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • N
                          ntct
                          last edited by

                          Hi Bill,

                          How to donate this package??  :)

                          1 Reply Last reply Reply Quote 0
                          • M
                            mind12
                            last edited by

                            @bmeeks:

                            @mind12:

                            Hello,

                            please help me understand the new Inline mode passlist feature.

                            My questions are:

                            • How can I find the generated PASS rules in the GUI? I found them through the CLI by searching for the passlist.rules file.

                            • By default Suricata uses the default passlist on the running interfaces and it includes the local networks. Does this mean that all the traffic inbound and outbound from those networks will be ignored and passed by Suricata? If yes (I assume because Suricata ALERTS stopped after I upgraded to the new version and appeared after modifying the passlist), I would definitely instruct users to modify the default passlist or Suricata will be non-effective.

                            Thank you in advance.

                            Currently the PASS rules cannot be viewed directly in the GUI.  I can see about adding that as a new feature in an upcoming update.

                            You are correct that Pass List hosts will not generate blocks or alerts currently with the default rule action order being PASS, DROP, REJECT then ALERT.  The Pass List can be customized quite easily by creating a list and checking/unchecking the options on the pass list creation page.  You can create an alias to hold an essentially unlimited number of other custom addresses.  Remember aliases can be nested, so you can create a single alias to reference in the Pass List and then put all other aliases you want included within that single alias.

                            You can see the addresses and networks that will be in the new auto-PASS rules with inline IPS mode by going to the INTERFACE SETTINGS tab for the interface and scrolling down to the Pass List section.  There is a button there for viewing the contents of the pass list (the IP addresses and networks).  While it won't show the exact PASS rules, any IP address shown there will get translated into a PASS rule.

                            You can remove Local Networks and other defaults from the Pass List when you create your own.  Just be aware that those hosts can then become blocked, and that may not be what you really want in all cases.  Generally speaking it is external traffic you are trying to block.  There is likely some room for improvement in how the new auto-Pass List feature is implemented.

                            Bill

                            Thank you for the information.
                            One side note:
                            Yes, we are usually trying to block external traffic, but if you leave the local networks in the default passlist you won't block any external traffic at all. The passlist will allow all the traffic FROM and TO the local networks. We can't change this behavior because in the generated rules the sources and the destinations are any any.
                            i.e.:
                            ```
                            pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000001;)
                            ```

                            1 Reply Last reply Reply Quote 0
                            • R
                              Redyr Banned
                              last edited by

                              @bmeeks:

                              @mind12:

                              Hello,

                              please help me understand the new Inline mode passlist feature.

                              My questions are:

                              • How can I find the generated PASS rules in the GUI? I found them through the CLI by searching for the passlist.rules file.

                              • By default Suricata uses the default passlist on the running interfaces and it includes the local networks. Does this mean that all the traffic inbound and outbound from those networks will be ignored and passed by Suricata? If yes (I assume because Suricata ALERTS stopped after I upgraded to the new version and appeared after modifying the passlist), I would definitely instruct users to modify the default passlist or Suricata will be non-effective.

                              Thank you in advance.

                              Currently the PASS rules cannot be viewed directly in the GUI.  I can see about adding that as a new feature in an upcoming update.

                              You are correct that Pass List hosts will not generate blocks or alerts currently with the default rule action order being PASS, DROP, REJECT then ALERT.  The Pass List can be customized quite easily by creating a list and checking/unchecking the options on the pass list creation page.  You can create an alias to hold an essentially unlimited number of other custom addresses.  Remember aliases can be nested, so you can create a single alias to reference in the Pass List and then put all other aliases you want included within that single alias.

                              You can see the addresses and networks that will be in the new auto-PASS rules with inline IPS mode by going to the INTERFACE SETTINGS tab for the interface and scrolling down to the Pass List section.  There is a button there for viewing the contents of the pass list (the IP addresses and networks).  While it won't show the exact PASS rules, any IP address shown there will get translated into a PASS rule.

                              You can remove Local Networks and other defaults from the Pass List when you create your own.  Just be aware that those hosts can then become blocked, and that may not be what you really want in all cases.  Generally speaking it is external traffic you are trying to block.  There is likely some room for improvement in how the new auto-Pass List feature is implemented.

                              Bill

                              Hello Bill,

                              Thank you for making Suricata 3.1.2 possible. Some of us, including me, wanted this to happen, and as usual with new stuff things can go wrong, I understand. I will give you feedback in regards to the new version, because right now I keep it disabled, due to issues that @mind12 reported.

                              1. First the pass list includes all the network ranges plus 2 external IPs marked in red, which are not mine, not my ISP's, just external hosts... Why would Suricata include those by default? - Please see the attached picture.

                              2. The pass list for WAN and for LAN contains the same list of IPs, is it ok?

                              3. If I try to manually edit the pass list file, the same IPs will be present next time I restart the service.

                              4. If I try to manually create a custom pass list, the GUI will say the alias is not eligible. Please see the attached Screenshot. What kind of alias should I define? I tried all the types.

                              5. If Suricata is enabled, no traffic will be analyzed, and I cannot change that default pass list, even if I delete it, it will be re-written.

                              6. I tried to uninstall Suricata, and I unchecked the "Settings will not be removed during package deinstallation." option. Why, after reinstalling, is the same configuration still present? I notice this with other packages, e.g. Squid.

                              7. Also which IPs should I include in the pass list for WAN or for LAN in order to be safe, and not get blocked?

                              8. The suppressed user rules from the 3.0 version are now present in the Wansurpress and Lansurpress lists, but the Suricata log states that "no such rules are present".

                              Please take your time, and come back with some hints.

                              ![Services_ Suricata_ Edit Interface Settings - WAN passlist.png](/public/imported_attachments/1/Services_ Suricata_ Edit Interface Settings - WAN passlist.png)
                              ![Suricata_ Select alias.png](/public/imported_attachments/1/Suricata_ Select alias.png)

                              1 Reply Last reply Reply Quote 0
                              • M
                                mind12
                                last edited by

                                Hi Redyr,

                                Regarding creating a custom Passlist:

                                • first create an alias at Firewall/Aliases/IP menu containing the networks that you would like to always pass (ie. I used - firewall interfaces, dnsbl address), don't add the protected local networks to it
                                • go to services/suricata/pass lists, create a new list and add the alias to it
                                • go to the suricata interface settings and pick the created list
                                • save and restart suricata

                                These steps worked for me.

                                1 Reply Last reply Reply Quote 0
                                • R
                                  Redyr Banned
                                  last edited by

                                  10x @mind12, I'll try what you suggested

                                  1 Reply Last reply Reply Quote 0
                                  • bmeeksB
                                    bmeeks
                                    last edited by

                                    @ntct:

                                    Hi Bill,

                                    How to denote this package??  :)

                                    I don't understand your question.  Can you clarify what you mean by "denote"?

                                    Thanks,
                                    Bill

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      @mind12:

                                      Thank you for the information.
                                      One side note:
                                      Yes, we are usually trying to block external traffic, but if you leave the local networks in the default passlist you won't block any external traffic at all. The passlist will allow all the traffic FROM and TO the local networks. We can't change this behavior because in the generated rules the sources and the destinations are any any.
                                      i.e.:
                                      ```
                                      pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000001;)
                                      ```

                                      You are correct.  This is my mistake.  Should have used the options of SRC, DST or BOTH as part of the logic when generating the PASS rules.  Using "any" and "any" for the SRC and DST is not good.  Let me think this over in my head and fix it, but I need to think about it carefully.  Any suggestions from users are welcomed!

                                      Bill

                                      1 Reply Last reply Reply Quote 0
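As an added example (not the pfSense Suricata package's own code), the following Python model generates PASS rules in exactly the form quoted above and then evaluates constructed sample flows against a pass list, showing why a list that contains the protected local networks leaves nothing for Suricata to inspect. The networks, hosts and flows are constructed for the illustration.

```python
"""Constructed model of the auto-generated PASS rules discussed in this thread.
Not the package's own code: it reproduces the 'pass ip <net> any <> any any'
form and checks which flows such rules would exempt from inspection."""
import ipaddress


def generate_pass_rules(passlist, base_sid=1000001):
    """Emit one bidirectional PASS rule per pass-list entry, in the form quoted
    in the thread. The remote side and all ports are 'any', so any packet that
    touches a listed address in either direction matches."""
    rules = []
    for i, net in enumerate(passlist):
        n = ipaddress.ip_network(net, strict=False)
        rules.append(
            f'pass ip {n.with_prefixlen} any <> any any '
            f'(msg:"Pass List Entry - allow all traffic from/to {n.with_prefixlen}"; '
            f'sid:{base_sid + i};)'
        )
    return rules


def is_passed(passlist, src, dst):
    """True when one of the generated rules would match the flow, i.e. either
    endpoint lies inside a pass-list network. With the default action order
    PASS, DROP, REJECT, ALERT, a matching pass rule wins over every other rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in passlist:
        n = ipaddress.ip_network(net, strict=False)
        if s in n or d in n:
            return True
    return False


def inspected_flows(passlist, flows):
    """Return the (src, dst) flows that are NOT exempted, i.e. still inspected."""
    return [f for f in flows if not is_passed(passlist, *f)]


# Constructed sample flows: two inbound from external hosts to a LAN server,
# one outbound from a LAN client, one from a LAN client to the firewall itself.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.168.1.10"),   # external -> LAN web server
    ("198.51.100.9", "192.168.1.10"),  # external -> LAN web server
    ("192.168.1.20", "203.0.113.7"),   # LAN client -> external host
    ("192.168.1.20", "192.168.1.1"),   # LAN client -> firewall DNS listener
]

# Default-style list as described in the thread: the local network is included.
DEFAULT_PASSLIST = ["127.0.0.1/32", "192.168.1.0/24"]
# Custom list along the lines suggested in the thread: firewall interfaces only.
CUSTOM_PASSLIST = ["127.0.0.1/32", "192.168.1.1/32"]

if __name__ == "__main__":
    for rule in generate_pass_rules(DEFAULT_PASSLIST):
        print(rule)
    print("inspected with default list:",
          inspected_flows(DEFAULT_PASSLIST, SAMPLE_FLOWS))
    print("inspected with custom list:",
          inspected_flows(CUSTOM_PASSLIST, SAMPLE_FLOWS))
```

With the local network listed, every sample flow is exempted; with only the firewall's own addresses listed, the three flows between the LAN and external hosts remain inspected.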
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @Redyr:

                                        Hello Bill,

                                        Thank you for making Suricata 3.1.2 possible. Some of us, including me, wanted this to happen, and as usual with new stuff things can go wrong, I understand. I will give you feedback in regards to the new version, because right now I keep it disabled, due to issues that @mind12 reported.

                                        1. First the pass list includes all the network ranges plus 2 external IPs marked in red, which are not mine, not my ISP's, just external hosts... Why would Suricata include those by default? - Please see the attached picture.

                                        2. The pass list for WAN and for LAN contains the same list of IPs, is it ok?

                                        3. If I try to manually edit the pass list file, the same IPs will be present next time I restart the service.

                                        4. If I try to manually create a custom pass list, the GUI will say the alias is not eligible. Please see the attached Screenshot. What kind of alias should I define? I tried all the types.

                                        5. If Suricata is enabled, no traffic will be analyzed, and I cannot change that default pass list, even if I delete it, it will be re-written.

                                        6. I tried to uninstall Suricata, and I unchecked the "Settings will not be removed during package deinstallation." option. Why, after reinstalling, is the same configuration still present? I notice this with other packages, e.g. Squid.

                                        7. Also which IPs should I include in the pass list for WAN or for LAN in order to be safe, and not get blocked?

                                        8. The suppressed user rules from the 3.0 version are now present in the Wansurpress and Lansurpress lists, but the Suricata log states that "no such rules are present".

                                        Please take your time, and come back with some hints.

                                        When using inline IPS mode, those pass list files you see are generated but not used.  All of the Pass List IP address stuff is stored in the config.xml file of the firewall in the section for the Suricata package.  In fact pretty much all of the configuration information is stored there.  Each time you save a change in the GUI or start/restart Suricata from the INTERFACES tab in the GUI, the configuration information is read from the config.xml file of the firewall and written to the various Suricata configuration files.  So any manual edit you make to suricata.yaml or any pass list or any threshold list will be overwritten the next time you save a change in the GUI or start/restart Suricata from the GUI.

                                        As for the new Pass List functionality for IPS mode –

                                        It uses PASS rules generated automatically  and written to a new file called passlist.rules in the /rules sub-directory of each interface.  This is explained in the long notes I posted as part of the Release Notes at the top of this thread.  So inline IPS mode totally ignores the pass list file you see in each interface sub-directory.  That file is only used by Legacy mode.  It is still created with IPS mode, but then it is just ignored.

                                        I will see about fixing the issues with the new PASS rules.  I was hurrying the update and I did not clearly think through the ramifications of my "fix" for Pass Lists in IPS mode.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks
                                          last edited by

                                          @mind12:

                                          Hi Redyr,

                                          Regarding creating a custom Passlist:

                                          • first create an alias at Firewall/Aliases/IP menu containing the networks that you would like to always pass (ie. I used - firewall interfaces, dnsbl address), don't add the protected local networks to it
                                          • go to services/suricata/pass lists, create a new list and add the alias to it
                                          • go to the suricata interface settings and pick the created list
                                          • save and restart suricata

                                          These steps worked for me.

                                          +1.  @mind12 is correct.  This is the way to handle customizing the Pass List.  I will work on correcting the "any" <> "any" problem I created in the PASS rules.  I will also add an option in the GUI to completely disable the "default" pass list so it will not get in the way of any customized list.

                                          Bill

                                          1 Reply Last reply Reply Quote 0
                                          • R
                                            Redyr Banned
                                            last edited by

                                            @bmeeks:

                                            @mind12:

                                            Hi Redyr,

                                            Regarding creating a custom Passlist:

                                            • first create an alias at Firewall/Aliases/IP menu containing the networks that you would like to always pass (ie. I used - firewall interfaces, dnsbl address), don't add the protected local networks to it
                                            • go to services/suricata/pass lists, create a new list and add the alias to it
                                            • go to the suricata interface settings and pick the created list
                                            • save and restart suricata

                                            These steps worked for me.

                                            +1.  @mind12 is correct.  This is the way to handle customizing the Pass List.  I will work on correcting the "any" <> "any" problem I created in the PASS rules.  I will also add an option in the GUI to completely disable the "default" pass list so it will not get in the way of any customized list.

                                            Bill

                                            Thanks again

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.