Suricata 1.4.6 pkg v1.0.1 Update – Release Notes
-
Suricata 1.4.6 pkg v1.0.1
This update for the Suricata package corrects a bug in editing the interval for clearing blocked hosts. When editing the interval for clearing blocked hosts, Suricata would create a new cron task for the interval instead of updating the existing cron task. This could result in multiple cron tasks for clearing blocked hosts instead of the desired single task.
For this update, there is no requirement to remove and reinstall Suricata. Just click the XML icon to reinstall the GUI components.
UPDATE: updated Suricata binary PBI packages have been posted containing a back-ported fix for the "delayed-detect" bug and Suppress Lists. You can remove and reinstall Suricata to pick up the updated binary. This will let you enable "delayed-detect" if you wish and not have the Suppress List quit working.
Bug Fixes
- When changing the interval for clearing the blocked hosts table, a new cron task is created for the new interval instead of updating the interval for the existing cron task.
- When reinstalling Suricata from a previously saved configuration, the cron task for clearing the blocked hosts table is not enabled even if the setting is configured in the saved configuration file.
New Features
- Added new option to INTERFACES tab for each interface to allow control of the delayed-detect parameter. This parameter now defaults to "off". It is used to allow Suricata to start passing traffic even before the rule signatures have been analyzed and loaded. This is useful in a pure IPS scenario only. The parameter was added to the pfSense package because, when off, it helps work around a bug in Suricata 1.4.6 where the Suppress List is parsed at the wrong time during a restart and subsequently does not work properly.
Bill
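The two cron bugs in these notes (a second task appended when the interval is edited, and no task at all after a reinstall from saved config) both come from treating the job as add-only. The following is an added example, not code from the pfSense Suricata package, of managing such a job idempotently. It assumes a plain crontab text and a trailing marker comment to identify the managed line (the real package goes through pfSense's own cron handling instead); the MARKER tag and the COMMAND path are hypothetical.

```python
"""Idempotent handling of one cron job (added illustration, not the pfSense
Suricata package's code). The job is identified by a trailing marker comment,
an assumption of this example; COMMAND and MARKER are hypothetical."""

from typing import List

MARKER = "# managed:suricata-clear-blocked"        # hypothetical tag
COMMAND = "/usr/local/bin/clear_blocked_hosts.sh"  # hypothetical script


def minutes_to_schedule(minutes: int) -> str:
    """Five cron fields for a clearing interval given in minutes.

    Accepts the intervals an admin would choose (sub-hourly, whole hours,
    daily) and rejects anything else instead of guessing.
    """
    if minutes <= 0:
        raise ValueError("interval must be positive")
    if minutes < 60:
        return f"*/{minutes} * * * *"
    hours, rem = divmod(minutes, 60)
    if rem:
        raise ValueError("intervals over an hour must be whole hours")
    if hours == 1:
        return "0 * * * *"
    if hours < 24:
        return f"0 */{hours} * * *"
    if hours == 24:
        return "0 0 * * *"
    raise ValueError("intervals over a day are not supported")


def managed_entries(crontab: str) -> List[str]:
    """Lines carrying MARKER. After upsert_cron_job() there is at most one."""
    return [l for l in crontab.splitlines() if l.rstrip().endswith(MARKER)]


def upsert_cron_job(crontab: str, minutes: int, enabled: bool = True) -> str:
    """Return the crontab text with the managed job in its desired state.

    - an existing managed line is rewritten in place (instead of appending
      a second one when the interval changes);
    - accidental duplicates left by earlier edits are collapsed to one;
    - enabled=True with no existing line appends one, which is what a
      restore from a saved config needs;
    - enabled=False removes the line entirely.
    Unmanaged lines are passed through untouched.
    """
    new_line = f"{minutes_to_schedule(minutes)} {COMMAND} {MARKER}"
    kept: List[str] = []
    replaced = False
    for line in crontab.splitlines():
        if line.rstrip().endswith(MARKER):
            if enabled and not replaced:
                kept.append(new_line)
                replaced = True
            continue  # drop duplicates, or the job itself when disabled
        kept.append(line)
    if enabled and not replaced:
        kept.append(new_line)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    ct = "0 5 * * * /usr/bin/periodic daily\n"  # constructed crontab
    ct = upsert_cron_job(ct, 15)    # first enable
    ct = upsert_cron_job(ct, 120)   # edit the interval: still one entry
    print(ct, end="")
```

The check worth keeping from this is the invariant in managed_entries(): after any edit, enable, disable or restore there is at most one managed line, and a crontab that already carries duplicates from the buggy version is repaired by the next edit rather than growing further.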
-
Thanks again for all your hard work!
So basically this is an alternative to Snort. When do you think Suricata inline will be ready?
And what are the advantages of the Suricata vs. Snort packages now?
-
Thanks again for all your hard work!
So basically this is an alternative to Snort. When do you think Suricata inline will be ready?
And what are the advantages of the Suricata vs. Snort packages now?
Inline mode is going to be a while. In fact, that mode is totally dependent upon the pfSense team making some edits within the pf and ipfw modules used on pfSense. I've had some e-mail conversations with them about that. To be honest, I don't sense a huge appetite for this feature from the team. The feedback I've gotten is the throughput will be low (topping out at maybe 50-70 megabits/sec). The analogy they suggested was to look at the performance of the current Layer 7 shaper. I've not tested the Layer 7 performance personally, so if someone else has, I would be interested in any throughput limits they may have noticed. Perhaps some input to the Core Team from other users would help sway the tide of opinion on inline mode… ;)
As for the Snort vs. Suricata thing: both appear to be quite good at what they do. Snort has the advantage for a newbie with its pre-defined IPS Policy settings. However, Suricata offers many more features for logging and subsequently viewing exactly what is traversing its sensors. The file capture feature, the HTTP logging, TLS logging, and some others can be very useful when inspecting an alert. There are also some new features in Suricata 2.0 like the eve-json logging stream to directly feed a SIEM. On balance, I believe Snort is easier to set up for a new user, but Suricata offers more features for an experienced user.
One last note on Suricata. I have the latest 2.0 release of the binary running on a pfSense VM. I created a PBI package that compiles and installs on 2.1.x of pfSense. The next step is to get all the new features of the 2.0 binary incorporated into the GUI. That's going to take a little while, but look for Suricata 2.0 on pfSense in the relatively near future.
Bill
-
Sounds good Bill, just upgraded from Snort to Suricata. Working great :)
-
Thanks again Bill! This is exactly what I wanted to know. I'll move from Snort to Suricata when you release 2.0.
Hope the pfSense team will make inline mode possible. I don't know how fast Suricata can be in inline mode with multi-core processors, but I'm sure some people have already tested that.
-
So the pfSense core team doesn't want true inline IPS….
That's a scary thought!!!
-
I don't think that the core team is against implementing a true in-line IPS. I think the issue is that it will slow the system down significantly.
If anyone has any suggestions on how to implement a true in-line IPS in FreeBSD without sacrificing too much throughput we all would benefit from it.
-
So the pfSense core team doesn't want true inline IPS….
That's a scary thought!!!
So you cannot f**cking live without a drama, and that is a scary thought as well!
If you cannot understand things, do not make statements when you do not even know what they mean.
-
How is it with blocking?
-
So enlighten me, Ermal ;)
Security is paramount! Performance is second…
I know you would kill the lesser-equipped systems like Soekris and the Atom-based boxes, but running Enterprise networks, it's more or less irrelevant.
@ermal:
So you cannot f**cking live without a drama, and that is a scary thought as well!
If you cannot understand things, do not make statements when you do not even know what they mean.
-
So the pfSense core team doesn't want true inline IPS….
That's a scary thought!!!
No, that's not what I meant to say at all. There is a concern for the impact that inline mode could have on network throughput, and I completely understand that concern. It does not mean it will never happen, it just means it's not a feature to just throw into the mix without some careful thought and planning. And of late I think all the effort has been put into getting pfSense onto the FreeBSD 10 code base and trying to stay more or less "current" going forward. What I was trying to say is that Suricata (or Snort) inline IPS mode is just lower on the radar for now. Another sticky point to figure out is just how do you detect and then handle a Suricata process "barfing" while in inline mode? At that point, ALL traffic through that interface just quits.
I have to depend on Ermal and the other Core Team guys to implement this mode because kernel-level programming is not my strong suit. I trust their judgment because they have much more experience in this area than I do.
Bill
-
So enlighten me, Ermal ;)
Security is paramount! Performance is second…
Then people like you say, "but this is not stable and it's breaking my environment, you people cannot make something usable, just patch over patch."
Don't be picky. It is simple to bash things, but give it a second thought before posting.
I know you would kill the lesser-equipped systems like Soekris and the Atom-based boxes, but running Enterprise networks, it's more or less irrelevant.
-
It didn't really answer my question, did it??? ;)
And Bill, aside from the better log options in certain situations, if Suricata is not inline, why should we migrate from Snort?
pfSense should have the inline IPS mode as a natural thing. Everything else would be unnatural for a firewall this capable. And if it's just a matter of cores and memory to get the performance needed, then I don't see issues rolling out inline IPS.
-
It didn't really answer my question, did it??? ;)
Sure it did, you just do not realize it.
It is expected to function properly when it's done.
Presently it will not, for whatever combination you would like.
If you do not believe so, please provide your implementation and convince me otherwise.
And Bill, aside from the better log options in certain situations, if Suricata is not inline, why should we migrate from Snort?
Suricata has some nice features, starting from a more modern architecture.
I would love to see Bro as well in the IPS garden, since it has some benefits for certain deployments.
pfSense should have the inline IPS mode as a natural thing. Everything else would be unnatural for a firewall this capable. And if it's just a matter of cores and memory to get the performance needed, then I don't see issues rolling out inline IPS.
Sure, but step by step.
Or, if you want it badly, budget after budget, no? :)
-
I believe there are a lot of us wanting to get IPS inline who would be willing to contribute to a bounty to get it done.
Estimated budget for developing this feature Ermal?
-
Well, it has to be done through pfSense development, not a bounty, because of time commitments and to avoid clashing calendars.
-
Thanks Ermal,
It's great news to see that inline and Bro are on the pfSense radar…
What would be missing is logging software to tie all of these packages together (firewall logs, Snort/Suricata, Bro, Argus, etc.).
Another great addition would be the HIDS program OSSEC, which I believe is almost completed by one of the users, but he has unfortunately stalled in completing the x64 development portion.
I am using an IDS installation called Security Onion, installed behind my pfSense LAN interfaces, which has all of these features and works great. But having these features implemented in pfSense as well would be a fantastic improvement in security.
Thanks for all your efforts thus far; we offer any help we can extend...
-
Thanks Ermal and Bmeeks for the explanations.
I agree that getting pfSense onto the FreeBSD 10 codebase is much more important.
-
We all want essentially the same things for IDS/IPS on pfSense. Once pfSense is in production on the FreeBSD 10 code base, some other options become available that may be the best way forward for IPS. These options are not in the current 8.x code base.
I also like the idea of having a small suite of IDS/IPS applications to choose from for pfSense. This would allow admins to select the one best suited for their particular network environment and needs. I can take a look at Bro in the future and see what it would take to create a package around it. That would bring three IDS/IPS tools to the pfSense world.
However, I would next like to find a tool that can quickly and rather easily grab all the logs and files (pcaps and extracted files) these tools can generate and push them to an external logging system (or a SIEM). I've looked at logstash, but it is Java based. Java apps on a firewall are a security travesty in my opinion :'(. If you have any suggestions, please send them my way. The preference is something that is already ported to FreeBSD.
Bill
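Bill mentions the eve-json stream in Suricata 2.0 as a way to feed a SIEM directly, and above he describes the gap of something light (not Java) to push those logs on. As an added example, not part of this thread or of any pfSense package, here is the minimum such a forwarder has to do with that stream: decode one JSON object per line, keep only the event types worth shipping, flatten the per-type sub-object, and quote every value so that attacker-influenced fields (HTTP URLs, TLS subjects, filenames, rule names) cannot inject extra key=value pairs or line breaks into the SIEM. The sample records are constructed by hand in the EVE layout (event_type, the common 5-tuple fields, a sub-object named after the type); the exact field set is assumed from that layout, and the truncated last line stands in for what tailing a file mid-write looks like.

```python
"""Normalise Suricata EVE JSON into one-line key=value records for a
syslog/SIEM pipeline (added example; not part of any pfSense package).
The sample stream below is constructed by hand in the EVE layout: one JSON
object per line, an event_type, the common 5-tuple fields, and a sub-object
named after the event type."""

import json
from typing import Dict, Iterable, List, Tuple

# Constructed eve.json excerpt: alert, tls, fileinfo, a stats record that is
# not forwarded, and a half-written line as seen while tailing a live file.
SAMPLE_EVE = r'''
{"timestamp":"2014-03-17T10:05:21.000012+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":4444,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2014-03-17T10:05:22.500000+0000","event_type":"tls","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","tls":{"subject":"CN=example.test","issuerdn":"CN=Example CA","version":"TLSv1"}}
{"timestamp":"2014-03-17T10:05:23.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.9","src_port":80,"dest_ip":"192.0.2.11","dest_port":50234,"proto":"TCP","fileinfo":{"filename":"/downloads/update.exe","magic":"PE32 executable","md5":"d41d8cd98f00b204e9800998ecf8427e","size":1024,"stored":true}}
{"timestamp":"2014-03-17T10:05:24.000000+0000","event_type":"stats","stats":{"uptime":3600}}
{"timestamp":"2014-03-17T10:05:25.000000+0000","event_type":"alert","src_ip":"203.0.113.7"
'''

FORWARDED = {"alert", "tls", "fileinfo", "http"}   # event types worth shipping
COMMON = ("timestamp", "event_type", "src_ip", "src_port",
          "dest_ip", "dest_port", "proto")


def _quote(value) -> str:
    """Render a value as a double-quoted, printable-ASCII token.

    Backslash and double quote are escaped and every other byte outside
    0x20..0x7e is hex-escaped, so text that came off the wire (URLs, TLS
    subjects, filenames) cannot close the quote, add a fake field, or
    start a new log line. Ints and booleans are quoted too, for uniformity.
    """
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    s = "".join(ch if 0x20 <= ord(ch) < 0x7f else "\\x%02x" % ord(ch)
                for ch in s)
    return '"%s"' % s


def flatten(rec: Dict) -> Dict[str, object]:
    """Common fields plus the scalar members of the per-type sub-object,
    prefixed with the event type (alert.signature_id, tls.subject, ...)."""
    out: Dict[str, object] = {k: rec[k] for k in COMMON if k in rec}
    etype = rec.get("event_type", "")
    sub = rec.get(etype)
    if isinstance(sub, dict):
        for k, v in sub.items():
            if not isinstance(v, (dict, list)):
                out["%s.%s" % (etype, k)] = v
    return out


def to_syslog_line(rec: Dict, app: str = "suricata") -> str:
    """One record -> 'timestamp app: k1="v1" k2="v2" ...' on a single line."""
    fields = flatten(rec)
    ts = fields.pop("timestamp", "-")
    body = " ".join("%s=%s" % (k, _quote(v)) for k, v in fields.items())
    return "%s %s: %s" % (ts, app, body)


def normalise(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Decode a stream of EVE lines; return (forwardable lines, skipped count).

    Lines that are not complete JSON objects (a partial write while tailing,
    or a corrupt line after rotation) are counted rather than silently lost.
    """
    out: List[str] = []
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        if isinstance(rec, dict) and rec.get("event_type") in FORWARDED:
            out.append(to_syslog_line(rec))
    return out, skipped


def demo() -> Tuple[List[str], int]:
    """Run the normaliser over the constructed sample."""
    return normalise(SAMPLE_EVE.splitlines())


if __name__ == "__main__":
    lines, skipped = demo()
    print("\n".join(lines))
    print("# skipped %d malformed line(s)" % skipped)
```

In use, the returned lines would be handed to a TCP syslog sender or written to a spool for an existing shipper; the skipped counter is the figure to watch when the source file is being rotated under the reader. The quoting rule is the part that matters for a SIEM: without it a single crafted HTTP request path is enough to plant a bogus src_ip or a second fake event in the index.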
-
There is one other point to throw into this IPS discussion: the DAQ module that is at the heart of the network "hook" in Snort can also work in an inline IPS mode with some configurations. For FreeBSD, it would need more or less the same setup as Suricata. So the upshot here is that it is quite possible that both Suricata and Snort could someday offer inline modes as an option.
As to Supermule's question of why anyone might prefer Suricata over Snort, it really comes down to personal preference for now (since both offer the same kind of blocking on pfSense). Suricata offers a few additional capture options for logging data around alerts, but in my view there is no tangible difference in offered protection between the two. The main goal in creating the Suricata package was just to offer a viable alternative to Snort. This gives admins choice.
Bill