Netgate Discussion Forum
    Suricata 6.0.0 - After updating from 5.0.3 to 6.0.0, the interfaces will not pass any traffic

    Category: IDS/IPS
    15 Posts, 4 Posters, 1.4k Views
    Cool_Corona @NRgia

      @NRgia

      Can you downgrade to 2.4.5p1 and test again? Then we will have a clue whether it's FreeBSD or Suricata related.

      NRgia @Cool_Corona

        @Cool_Corona It worked on FreeBSD 12.2 also, because I have been on 2.5.0 snapshots for a long time. All I did was update the snapshot last night, and the Suricata package from 5.0.3 to 6.0.0.
        Suricata 6.0.0 is not available for 2.4.5p1; it's available only for the development 2.5.0 version.

        What I need is to be able to have 2 versions of Suricata in the pfSense repo, just like in FreeBSD, for testing purposes, and be able to revert, not reinstall the whole system.

        I saw in FreeBSD with the Unifi packages: you can install unifi-controller5 or unifi-controller6.

        bmeeks

          The Suricata GUI package, unlike Snort, is not necessarily tied to specific binary versions. There is a vast difference in Suricata as used on Netgate ARM hardware versus AMD64/Intel hardware, so you can't mix versions there, as Suricata versions newer than 4.x will not work at all on ARM hardware.

          I warned in the Release Notes that there may be issues with Suricata-6.0.0. I tested on my VMware virtual machines using the e1000 virtual NIC which uses the em driver. It worked for me there.

          The whole netmap device thing is turning into a small disaster (IMHO) in FreeBSD due to the recent changes to the NIC driver subsystem via the iflib wrapper. I know that some diehard FreeBSD fans may disagree with me, but there are several reported issues with throughput and even basic stability with regards to the netmap device and different hardware.

          I will say it again to be sure everyone understands. This is not necessarily problems within Suricata or Snort. All these programs do is open the kernel netmap device via API calls and then attempt to use it via the published interface. The issue is there are multiple API versions that differ in different FreeBSD versions. And the different API versions of the netmap interface are not all backwards compatible. Netmap initially sounded like a great thing, but it has disappointed me greatly both in terms of reliability and performance.

          NRgia @bmeeks

            @bmeeks I didn't say you did not post a warning. I'm happy to test when it comes to Suricata, but when something happens, I must be able to work around that situation in order to be able to test again later on.

            My hint was to have 2 versions, in order to be able to revert back. Thank you for providing the solution.

            Regarding Netmap, FreeBSD and Suricata we've discussed the situation in other topics like the following:
            https://forum.netgate.com/topic/144979/porting-bge-driver-to-iflib/21?_=1604173006203

            https://forum.netgate.com/topic/154014/netmap-not-supported-for-intel-x553-driver-in-pfsense-2-5-0/16?_=1604173006206

            We've tested something together also, so I understand the situation.

            I also prefer Linux, and I think slowly some of the die-hard supporters of FreeBSD like iXsystems (please see TrueNAS SCALE) and Netgate (TNSR) will ditch FreeBSD.

            But until then I will try to report my findings; maybe I can prevent others from hitting the same issues as I did.

            Before reverting, can I test something else to get to the root cause?

            Thank you

            bmeeks @NRgia

              @NRgia said in Suricata 6.0.0 - After updating from 5.0.3 to 6.0.0, the interfaces will not pass any traffic:

              @bmeeks I didn't say you did not post a warning. I'm happy to test when it comes to Suricata, but when something happens, I must be able to work around that situation in order to be able to test again later on.

              My hint was to have 2 versions, in order to be able to revert back. Thank you for providing the solution.

              Regarding Netmap, FreeBSD and Suricata we've discussed the situation in other topics like the following:
              https://forum.netgate.com/topic/144979/porting-bge-driver-to-iflib/21?_=1604173006203

              https://forum.netgate.com/topic/154014/netmap-not-supported-for-intel-x553-driver-in-pfsense-2-5-0/16?_=1604173006206

              We've tested something together also, so I understand the situation.

              I also prefer Linux, and I think slowly some of the die-hard supporters of FreeBSD like iXsystems (please see TrueNAS SCALE) and Netgate (TNSR) will ditch FreeBSD.

              But until then I will try to report my findings; maybe I can prevent others from hitting the same issues as I did.

              Before reverting, can I test something else to get to the root cause?

              Thank you

              I was not targeting you with my reply about the "warning" -- just repeating for others that may read this thread.

              The way pkg works on FreeBSD makes it impossible to have two packages with the same name but different versions. It would be possible to have a Suricata package with a different name (say Suricata6 instead of Suricata, for instance). But that also has a downside because you have to include extra complexity to let pkg know what other versions can't coexist.

              Honestly I have not yet identified what may be different in Suricata 6.0.0 versus 5.0.3 in terms of the netmap module. A quick look earlier today turned up no differences. If one version works but the other does not, then obviously something changed in the binary. As I keep saying, I do absolutely nothing to the upstream Suricata binary code when it comes to netmap. No changes or patches at all. Been that way from the beginning, too (for netmap and Inline IPS Mode).

              I don't know what else you can test.

              NRgia @bmeeks

                @bmeeks OK, then I will roll back to 5.0.3.
                Thanks again.

                bmeeks @NRgia

                  @NRgia said in Suricata 6.0.0 - After updating from 5.0.3 to 6.0.0, the interfaces will not pass any traffic:

                  @bmeeks Ok, then I will roll back to 5.0.3
                  Thanks again

                  You can use the 5.0.3 binary with the 6.0.0 GUI code with no issues at all. Snort does not work that way, but Suricata can.

                  bmeeks

                    Another user has reported a different, fairly severe issue with Suricata-6.0.0. The problems are within the binary and not the PHP GUI code. The binary will stop generating alerts after a period of time. The only way to get alerts after that is to restart Suricata.

                    There is also an issue with shutdowns. It can take forever for a Suricata binary process to shutdown.

                    I am most likely going to ask the pfSense team to pull the 6.0.0 binary package down and revert the binary to 5.0.3. There are bug reports on Suricata Redmine about the "no alerts" issue plus some others. IMHO it appears some recent changes upstream have not gone well.

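The "stops generating alerts after a period of time" failure described in the post above is the nasty kind: the process is still running, so a plain process or service check stays green. A freshness watchdog on eve.json catches it by comparing the age of the last alert with the age of the last periodic stats record. The script below is an added example and is not part of the original thread, nor of the Suricata or pfSense packages. It assumes EVE JSON logging is enabled and that Suricata's periodic `stats` records are written to the same eve.json (on pfSense the per-interface log directory lives under /var/log/suricata/); the log lines and the thresholds are constructed for the example.

```python
"""Freshness watchdog for a Suricata eve.json log (added example, not project code).

Classifies the engine from timestamps in the log:
  "dead"   no recent stats record: the engine is not logging at all
  "stuck"  stats are fresh but the last alert is older than alert_max_age_s:
           the process is alive and seeing packets, yet no alerts are produced
  "ok"     both stats and alerts are recent
"""
import json
import sys
from datetime import datetime, timezone

# EVE timestamps look like 2020-10-31T14:00:00.000000+0000
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample, not a real capture: stats keep arriving every ~8 s while
# the only alert is half an hour old. That is the silent-failure signature.
SAMPLE_EVE = """\
{"timestamp":"2020-10-31T14:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}
{"timestamp":"2020-10-31T14:00:08.000000+0000","event_type":"stats","stats":{"uptime":3608}}
{"timestamp":"2020-10-31T14:30:00.000000+0000","event_type":"stats","stats":{"uptime":5408}}
{"timestamp":"2020-10-31T14:30:08.000000+0000","event_type":"stats","stats":{"uptime":5416}}
this line is not JSON and must be skipped, not crash the watchdog
"""


def parse_ts(value):
    """Parse an EVE timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, TS_FORMAT)


def latest_by_type(lines):
    """Return {event_type: newest timestamp} over an iterable of eve.json lines.

    Malformed lines (partial writes during rotation, non-JSON noise) are skipped
    rather than aborting the check.
    """
    latest = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = parse_ts(rec["timestamp"])
            etype = rec["event_type"]
        except (ValueError, KeyError, TypeError):
            continue
        if etype not in latest or ts > latest[etype]:
            latest[etype] = ts
    return latest


def assess(lines, now, alert_max_age_s=900, stats_max_age_s=120):
    """Classify engine state. `now` is a tz-aware datetime or an EVE timestamp string.

    stats_max_age_s should be several times the configured stats interval
    (8 s by default), alert_max_age_s longer than the longest quiet gap this
    sensor normally sees.
    """
    if isinstance(now, str):
        now = parse_ts(now)
    latest = latest_by_type(lines)
    stats_ts = latest.get("stats")
    if stats_ts is None or (now - stats_ts).total_seconds() > stats_max_age_s:
        return "dead"
    alert_ts = latest.get("alert")
    if alert_ts is None or (now - alert_ts).total_seconds() > alert_max_age_s:
        return "stuck"
    return "ok"


def main(argv):
    # With a path argument, check a real eve.json against the current time;
    # with no argument, run against the constructed sample at a fixed "now".
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        now = datetime.now(timezone.utc)
    else:
        lines = SAMPLE_EVE.splitlines()
        now = "2020-10-31T14:31:00.000000+0000"
    state = assess(lines, now)
    print(state)
    return 0 if state == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron or a monitoring agent with the interface's eve.json as the argument; a non-zero exit is the signal to restart Suricata on that interface, which is the only remedy the post names. The one ambiguity is that "stuck" also matches a genuinely quiet network. To make it unambiguous, pair the check with a canary: trigger a known, harmless signature from a trusted host on a fixed schedule and set alert_max_age_s a little longer than that schedule, so the absence of alerts can only mean the engine has stopped alerting.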
                    NRgia @bmeeks

                      @bmeeks Just as a follow-up:
                      I've compiled Suricata 5.0.4 myself, using your hints.
                      I can confirm that all the interfaces are passing traffic, and I see Drops in the Alerts tab.
                      I have tested both in Inline and Legacy mode. Until now all is good.

                      Thanks again Bill for your time

                      bmeeks

                        An updated Suricata package has now been posted that officially reverts the Suricata binary to the 5.0.4 version from 6.0.0. The new GUI package is Suricata-6.0.0_1.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.