Netgate Discussion Forum

    Suricata 5.0 buzzing on Twitter

    IDS/IPS
    14 Posts 3 Posters 1.5k Views
    • NollipfSenseN
      NollipfSense
      last edited by

      So, Suricata 5.0 is out today touting lots of new features...wondering when it will make it to pfSense!

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • bmeeksB
        bmeeks @NollipfSense
        last edited by bmeeks

        @NollipfSense said in Suricata 5.0 buzzing on Twitter:

        So, Suricata 5.0 is out today touting lots of new features...wondering when it will make it to pfSense!

        Generally not until the FreeBSD Ports maintainer updates it over there. pfSense likes to follow the general FreeBSD Ports versions for packages. You can keep tabs on the current version here: https://svnweb.freebsd.org/ports/head/security/suricata/.

        There is one potential issue with Suricata 5.0.0 and Netgate ARM-based appliances. The version 5.x branch of Suricata now has Rust support as mandatory. In the past, the Rust language failed to build in the package builder environment used to produce packages for the ARM-based appliances such as the SG-3100. Not sure if that is fixed yet or not. I will check. Right now the Suricata package detects when it is installed on ARM hardware and disables features requiring the Rust language. That will not be possible in version 5.0.0 of Suricata.

        • N
          NRgia @NollipfSense
          last edited by

          @NollipfSense said in Suricata 5.0 buzzing on Twitter:

          So, Suricata 5.0 is out today touting lots of new features...wondering when it will make it to pfSense!

          Also from the FreshPorts site: https://www.freshports.org/security/suricata5/ we can see that the maintainer only published a Release Candidate. We can check from time to time to see when the stable version will be available.

          • bmeeksB
            bmeeks
            last edited by bmeeks

            Still discussing the various options with the pfSense team, but it appears now the likely future course for Suricata on pfSense looks like this:

            1. For Netgate ARM 32-bit appliances (SG-1000 and SG-3100) Suricata will likely be frozen at the current 4.1.5 binary version with no future updates forthcoming.

            2. For 64-bit Intel and ARM appliances (SG-1100) and other user hardware installations, Suricata will migrate soon to the new 5.0.x stable release.

            The Suricata upstream team decided to rewrite major portions of Suricata in Rust a while back. For the 4.1.x branch they left Rust inclusion optional and only used Rust when implementing a handful of new features. So if you did not have a Rust environment you could simply disable within the suricata.yaml configuration those new features that needed Rust. That's what we did on pfSense for the 32-bit ARM hardware.

            Starting with the new version 5.0 branch of Suricata they made Rust mandatory; so if you don't have, and can't create, a Rust environment in your package builder, you can no longer successfully compile the latest Suricata 5.x branch. The 32-bit ARM packages are created using a cross-compilation environment that does not support Rust. Thus it is not possible to build Suricata 5.x packages for 32-bit ARM pfSense hardware.

            Personally I am really disappointed with the Suricata team's choice to pursue Rust. I'm just not a fan of that language or any other similar concept. In my personal opinion it's just another fad like a lot of other "greatest thing since sliced bread" languages that have made a brief splash and then disappeared. Think Java, Ruby, and everything else in a similar vein. Yeah, I get these languages all have some claim of highly useful or innovative features, but they suffer from the same "bloat disease" in that it takes a ton of extra code to compile the new language and usually a bunch of dependencies get pulled in as well. So you wind up with what is frequently a disjointed mess where changing the version of one little supporting code library breaks the whole project.

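The posts above describe two facts an admin may want to verify on their own box: a Suricata 5.x binary must have been built with Rust, while a 4.1.x binary built without Rust (as on the 32-bit ARM appliances) can still run if the Rust-only app-layer parsers are switched off in suricata.yaml. The following script is an added example, not code from pfSense, Netgate or the Suricata project. It parses the text of `suricata --build-info` and a fragment of suricata.yaml; the sample outputs embedded in it are constructed, and the list of Rust-only parsers is an assumption taken from the comments in the 4.1.x default configuration (the stock config path /usr/local/etc/suricata/suricata.yaml is also assumed).

```shell
#!/bin/sh
# Added example (not pfSense, Netgate or Suricata project code).
# 1) check_build: is a Suricata binary usable, given that 5.x needs Rust?
# 2) enabled_rust_only_parsers: for a 4.1.x build without Rust, which
#    Rust-only app-layer parsers are still enabled in suricata.yaml?
# Real inputs come from `suricata --build-info` and the suricata.yaml
# shipped on the box; the samples below are constructed for illustration.

# Parsers the 4.1.x default suricata.yaml annotates with "requires rust".
# Assumption: list reproduced from memory of the 4.1 config; adjust to your yaml.
RUST_ONLY_PARSERS="nfs ntp tftp ikev2 krb5 dhcp"

# "X.Y.Z" from the first line of --build-info ("This is Suricata version X.Y.Z ...")
suricata_version() {
    printf '%s\n' "$1" | sed -n 's/^This is Suricata version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if --build-info reports Rust support compiled in, 1 otherwise
has_rust_support() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Rust support:[[:space:]]*yes'
}

# Verdict for a build-info text: "ok", "ok-without-rust" (4.x only) or "unsupported"
check_build() {
    ver=$(suricata_version "$1")
    [ -n "$ver" ] || { echo "unparseable"; return 1; }
    major=${ver%%.*}
    if has_rust_support "$1"; then
        echo "ok $ver"
    elif [ "$major" -ge 5 ]; then
        echo "unsupported $ver"      # 5.x cannot be built or run without Rust
        return 1
    else
        echo "ok-without-rust $ver"  # 4.1.x: Rust-only parsers must be disabled in yaml
    fi
}

# Names under app-layer: protocols: whose "enabled:" is yes.
# Assumption: the two-space indentation of the stock suricata.yaml.
enabled_parsers() {
    printf '%s\n' "$1" | awk '
        /^app-layer:/                       { in_al = 1; next }
        in_al && /^[a-zA-Z]/                { in_al = 0 }
        in_al && /^    [a-z0-9-]+:/         { proto = $1; sub(":$", "", proto); next }
        in_al && /^      enabled:[ \t]*yes/ { print proto }'
}

# Rust-only parsers that are still enabled (empty output means none)
enabled_rust_only_parsers() {
    for p in $(enabled_parsers "$1"); do
        for r in $RUST_ONLY_PARSERS; do
            [ "$p" = "$r" ] && echo "$p"
        done
    done
}

# Constructed, abbreviated --build-info output for a 5.0.0 build with Rust
BUILD_INFO_5="This is Suricata version 5.0.0 RELEASE
Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT PCRE_JIT TLS MAGIC RUST
  Rust support:                            yes
  Rust compiler version:                   rustc 1.37.0"

# Constructed output for a 5.0.0 binary that somehow lacks Rust (should be rejected)
BUILD_INFO_5_NORUST="This is Suricata version 5.0.0 RELEASE
Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT PCRE_JIT TLS MAGIC
  Rust support:                            no"

# Constructed output for a 4.1.5 build without Rust (the 32-bit ARM case)
BUILD_INFO_415="This is Suricata version 4.1.5 RELEASE
Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT PCRE_JIT TLS MAGIC
  Rust support:                            no"

# Constructed suricata.yaml fragment with one Rust-only parser (nfs) left on
YAML_SAMPLE="app-layer:
  protocols:
    http:
      enabled: yes
    nfs:
      enabled: yes
    ntp:
      enabled: no
    krb5:
      enabled: no"

check_build "$BUILD_INFO_5"
check_build "$BUILD_INFO_5_NORUST" || :
check_build "$BUILD_INFO_415"
echo "Rust-only parsers still enabled:"
enabled_rust_only_parsers "$YAML_SAMPLE"
```

On a real box, replace the samples with `BI=$(suricata --build-info)` and `Y=$(cat /usr/local/etc/suricata/suricata.yaml)`; a non-empty result from `enabled_rust_only_parsers` on a no-Rust 4.1.x build is a parser Suricata will refuse to enable at startup.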
            • NollipfSenseN
              NollipfSense
              last edited by

              Will we have to wait until 2.5 to see Suricata 5.0?

              • bmeeksB
                bmeeks @NollipfSense
                last edited by

                @NollipfSense said in Suricata 5.0 buzzing on Twitter:

                Will we have to wait until 2.5 to see Suricata 5.0?

                Don't know yet. Depends on the versions of dependent libraries required. I have not yet tried compiling Suricata 5 in my test system.

                • N
                  NRgia
                  last edited by NRgia

                  As an update to @bmeeks and @NollipfSense . As I can see here: https://www.freshports.org/security/suricata/ - version 5.0.0 is available now.

                  Thanks

                  • bmeeksB
                    bmeeks
                    last edited by

                    Look for Suricata 5.0.0 on pfSense in the near future. Working now on the package. Good news is the new binary compiles just fine for AMD64 hardware with the custom blocking plugin used on pfSense.

                    The small snag I'm working through is how to separate out and support two Suricata binary versions (4.1.5 for the 32-bit ARM hardware and 5.0.0 for AMD64 hardware). Working with the pfSense team to get that sorted out.

                    • N
                      NRgia
                      last edited by

                      @bmeeks Thank you, for the great news and your dedication.

                      • bmeeksB
                        bmeeks
                        last edited by bmeeks

                        Here is an update for this thread on Suricata 5.0 --

                        I've been keeping an eye on the Suricata Redmine bug site, and there are a few fairly significant apparent bugs in Suricata 5.0.0 that are being worked. Some are already fixed, and it looks like a Suricata 5.0.1 release is coming out soon. Therefore I decided to slow down on deploying Suricata 5.0 to pfSense. I will wait until at least Suricata 5.0.1 has been out a little while to be sure the more onerous bugs are fixed.

                        • N
                          NRgia @bmeeks
                          last edited by

                          @bmeeks
                          Given the fact that there are some big changes in version 5.0, it's better to be safe than sorry.

                          Going through the release notes, I read that Netmap support has been rewritten...but they don't say what benefits this new code will bring.

                          Also, do you think it's best to wait for FreeBSD 12 (pfSense 2.5.0)? Maybe the new release will also bring more compatibility with the new Netmap code?

                          What do you think?
                          Thank you

                          • bmeeksB
                            bmeeks @NRgia
                            last edited by

                            @NRgia said in Suricata 5.0 buzzing on Twitter:

                            @bmeeks
                            Given the fact that there are some big changes in version 5.0, it's better to be safe than sorry.

                            Going through the release notes, I read that Netmap support has been rewritten...but they don't say what benefits this new code will bring.

                            Also, do you think it's best to wait for FreeBSD 12 (pfSense 2.5.0)? Maybe the new release will also bring more compatibility with the new Netmap code?

                            What do you think?
                            Thank you

                            The Netmap interface of Suricata was rewritten by Victor Julien (the Suricata lead developer) to use the newer Netmap API library calls. I don't know what impact that will have on Suricata operation with Netmap overall as compared to the current code. Might help some, but most of the heavy lifting for Netmap is the FreeBSD kernel module. I have not tracked FreeBSD 12 work in that area. Have any netmap-related changes been made in the FreeBSD kernel?

                            • N
                              NRgia @bmeeks
                              last edited by

                              @bmeeks said in Suricata 5.0 buzzing on Twitter:

                              The Netmap interface of Suricata was rewritten by Victor Julien (the Suricata lead developer) to use the newer Netmap API library calls. I don't know what impact that will have on Suricata operation with Netmap overall as compared to the current code. Might help some, but most of the heavy lifting for Netmap is the FreeBSD kernel module. I have not tracked FreeBSD 12 work in that area. Have any netmap-related changes been made in the FreeBSD kernel?

                              I didn't see anything in the release notes regarding Netmap. It was more like a question.

                              • NollipfSenseN
                                NollipfSense
                                last edited by

                                [Screenshot attached: Screen Shot 2019-12-13 at 2.20.10 PM.png]

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.