Suricata 4.1.2_2 Bug Fix Update -- Release Notes

digdug3

@bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.

bmeeks

@digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

@bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.

Yes, it is just cosmetic; but I will get it fixed nonetheless. May wait a day or two to see if any other issues surface, and then put together a package update.

newUser2pfSense

Hey Bill...after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Hey Bill...after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?

How many files and of what size are located in the interface's log directory? You will find all the logs in sub-directories (one per interface) under /var/log/suricata. I tested downloading a tarball gzip file of alerts during the last code update, but I don't recall if there were multiple alert files in the sub-directory at the time.

newUser2pfSense

I have Suricata pointed to only one interface at present. In the /var/log/suricata directory, there is a suricata_rules_update.log file that's 3.7 KB in size and one directory named suricatat_igb715464. In the suricatat_igb715464 directory, there is only one alerts.log file which is the name of the file in the downloaded tar.gz file that has a size of 242.8 KB. Interestingly, there is only one http.log file, multiple stats.log files, one suricata.log file, and two tls.log files.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

I have Suricata pointed to only one interface at present. In the /var/log/suricata directory, there is a suricata_rules_update.log file that's 3.7 KB in size and one directory named suricatat_igb715464. In the suricatat_igb715464 directory, there is only one alerts.log file which is the name of the file in the downloaded tar.gz file that has a size of 242.8 KB. Interestingly, there is only one http.log file, multiple stats.log files, one suricata.log file, and two tls.log files.

That all sounds fine. Your alerts log is 243 KB in size. What value is set on the LOGS MGMT tab for alerts? If it is less than 500 KB (which I think is the default, but I can't recall for sure), then everything is fine.

igb7 refers to your physical NIC and the number 15464 is a psuedo-random GUID generated by the Suricata GUI code to uniquely identify the interface.

newUser2pfSense

I get a boat load of alerts on the interface. The alerts are set to default as seen below. With only one file in the downloaded tar.gz file, I don't think it's fine at the moment. Before the update I would get a Suricata log about every 10 to 15 minutes at around 500 KB in size. There were hundreds and into the 14 day period, there were thousands.

bmeeks

@newuser2pfsense
What kind of traffic are you inspecting to generate that much in log data? Are you running this on as a ISP or some very large corporate network?

Are you missing alerts on the ALERTS tab itself? The alerts displayed on that tab come directly from reading the alerts.log file in the interface sub-directory. If you have a single file, and that file is below the 500 KB limit, then no log rotation is going to be triggered. If you had rotated logs, they should show up as alerts.log.timestamp where timestamp is the time of day when the log was rotated. Could the aging setting have recently cleared the directory?

newUser2pfSense

In the WAN Categories, I have 17 ET Open Rules checked and I have 23 Snort Text Rules checked. I'm just running a home network but I'm in a high density area where the bandwidth is shared. It's awful. I'm running Suricata in Inline IPS mode. The Alerts lists everything in red as far as I can see which means the rule is forced to drop. You are correct about the log rotation, however, it appears I'm getting the same number of alerts now as I have before upgrading but I'm not receiving the rotated logs at all where before upgrading I would get tons of rotated logs just as you showed with the timestamp. In the Logs Mgmt, I have check marked Remove Suricata Logs On Package Uninstall. When I initially upgraded before following your instructions, I only had one rotated log file which I thought was odd. When I followed your installation instructions, I don't even have one rotated log file. The directory was cleared as far as I can tell. Before I upgraded, I had so many rotated logs over a 14 day period that I had to write a Python program to concatenate and dedupe the rotated logs in order to see which particular rules were hitting my WAN. To give you an idea, I currently have 245 dropped rules.

bmeeks

@newuser2pfsense

Several comments:

1. When you check the box "Remove Suricata Logs on Package Uninstall", that means on each upgrade all of your Suricata log files are deleted (including any previously rotated ones). That box is unchecked by default for this reason. So when you did your upgrade to the latest version, all of your old log files were deleted.

2. With only 40 rules enabled I cannot imagine how you would get so many alerts to fill that many log files in your previous version. You have to be getting a ton of false positives and noise. Otherwise, you would not be able to get to anywhere from your network.

3. If you are a home user, then you should run Suricata on the LAN and not the WAN. By default, pfSense will drop all unsolicited traffic on the WAN already. Suricata does nothing to enhance security much on the WAN in a home network setup. It also means Suricata will see a bunch of garbage and log it all that your firewall is going to drop anyway.

4. Put Suricata on your LAN instead of your WAN for home networks.

newUser2pfSense

Thanks Bill. I've unchecked "Remove Suricata Logs on Package Uninstall". I'll point Suricata to my LAN and WLAN then. Thanks for the pointers.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Thanks Bill. I've unchecked "Remove Suricata Logs on Package Uninstall". I'll point Suricata to my LAN and WLAN then. Thanks for the pointers.

Another benefit of putting it there is that all the logged IP addresses for your internal hosts will be their actual addresses and not just the firewall's public WAN IP address. So when you need to track down a problem, the IP addresses in the logs will point to the actual internal host that generated the alert.

newUser2pfSense

That helps. I'll do some monitoring on my LAN and WLAN and see how it works out. It looks like there is another Suricata update newer than 4.1.2_1 but I'll wait until you say it's ok to update.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

That helps. I'll do some monitoring on my LAN and WLAN and see how it works out. It looks like there is another Suricata update newer than 4.1.2_1 but I'll wait until you say it's ok to update.

The 4.1.2_2 update has an important fix for SID MGMT. If you don't use SID MGMT, then nothing new in 4.1.2_2 for you. If you do use SID MGMT, then you want that update to fix some issues with automatic SID management.

Now that you have that "Remove Logs" box unchecked, your log files will be left untouched when you update the package.

newUser2pfSense

Thanks for the info Bill. I appreciate your help and guidance.