Suricata v4.0.3_2 – Release Notes

  • Suricata GUI Package Update v4.0.3_2

    This update for the Suricata GUI package contains 2 bug fixes and 7 new features. The underlying binary is unchanged and remains at version 4.0.3.

    This update includes changes in a key include file used throughout the Suricata GUI package code.  PHP caches code files accessed during a given session in order to improve performance.  Unfortunately, this caching can become an issue if a code file is updated during the session.  PHP will not recognize the change in the file's content.  If you simply use the Update or Reinstall icon on the Package Manager tab in pfSense, then the Suricata package update process will run within the same PHP session and an older cached copy of the file will be used at the end of the reinstallation process when rebuilding the Suricata configuration file instead of the new copy of the file contained in the package update.

    To prevent installation issues from PHP file caching, it is recommended that for this update you completely remove the Suricata package and then install it again.  You won't lose your configuration information.  Just be sure the "Save Settings" checkbox is checked on the GLOBAL SETTINGS tab before performing the update.  Next, go to the SYSTEM > PACKAGE MANAGER menu in pfSense and remove or delete the Suricata package on the Installed Packages tab.  After Suricata is removed, move over to the Available Packages tab and search for and install the Suricata package again.  This will bypass any PHP file caching problems.

    New Features:

    • The configuration files associated with automatic SID management via the SID MGMT tab are deprecated in favor of storing the automatic SID management directives directly in the firewall's configuration file, config.xml. During the installation of the new package, the content of all files found in the /var/db/suricata/sidmods directory will be migrated into a list array stored in the firewall configuration file. The new list names are taken from the filenames read from the directory. Storing the automatic SID management directives content as Base64-encoded data within the firewall configuration ensures that the automatic SID management configuration is backed up and restored along with the rest of the firewall configuration. The ability to upload and download the SID configuration data is retained, but instead of being stored as physical files on the firewall the configuration is written to config.xml.

    • On the CATEGORIES tab, hyperlinks are now provided for opening and viewing the content of all rules categories regardless of whether the category is enabled or not. Formerly, only "checked" (or enabled) categories could have their contents viewed in a separate window.

    • On the INTERFACE SETTINGS tab a new configurable parameter for snaplen has been added. The default value for the new parameter is 1518 bytes. Increasing the value of this parameter can be helpful if Suricata is failing to alert on VLAN traffic. Note that due to a limitation in the Suricata binary, this value is only applicable to Legacy Mode operation. It has no effect when using Inline IPS Mode.

    • More options are now available to the user for rule action overrides on the RULES and ALERTS tabs. Rules can be forced to ALERT, DROP or REJECT depending on the IPS operational mode of the interface. REJECT is only available when using Inline IPS Mode. Actions are hidden when they are not applicable to the current operational mode. There is also a new option of "Default" for the action. Selecting "Default" removes all user overrides and returns the rule action to the vendor's original value. This is generally "Alert".

    • A series of new choices are available in the Categories drop-down selector on the RULES tab. The new selections are filtered according to the specific operational mode of the interface. The new selections allow the user to select special filtered views as follows: "Active Rules", "User-Forced Enabled Rules", "User-Forced Disabled Rules", "User-Forced Alert Rules", "User-Forced Drop Rules" and "User-Forced Reject Rules". Display of "User-Forced Reject Rules" is only possible when using Inline IPS Mode with blocking enabled. Display of "User-Forced Drop Rules" requires the interface be using Inline IPS Mode or Legacy Mode with Block-on-Drops-Only enabled.

    • A third rule state option of "Default" has been added to the RULES tab when displaying user override options. Choosing "Default" for the rule state will remove all user overrides and return the rule's state (enabled or disabled) to the vendor's original value.

    • Add the ability to customize rule actions on the ALERTS tab. See feature 4 above for details. An additional icon is displayed in the GID:SID column for each alert that allows user overrides of the action. When a rule action has been overridden, a special icon is shown to flag the new action. Pop-up tooltips explain the icons.  The specific action choices available when the modal dialog opens are determined by the current operational mode of Suricata for that interface.  If using only IDS mode, then no action override is available.  If using Legacy Mode blocking, then REJECT mode is not available.  If using Legacy Mode, but "drop-on-blocks-only" is not enabled, then the DROP and REJECT choices are unavailable.

    Bug Fixes:

    • The default pass list generated during Inline IPS Mode operation was too broad. Pass Lists really have very limited usefulness with Inline IPS Mode and so the ability to select a pass list when using Inline IPS Mode has been removed. If you require pass list functionality with Inline IPS Mode, create your own custom PASS rules instead on the RULES tab. Note that pass list functionality is unchanged when using Legacy Mode operation.

    • The new dynamic service status icons on the INTERFACES tab would sometimes not correctly indicate the Suricata service status. There was also an error in a control name for the icons associated with Barnyard2 on the INTERFACES tab.

    ![New Category Selections on RULES tab.png](/public/imported_attachments/1/New Category Selections on RULES tab.png)
    ![ALERTS tab Action Override Edit Icon.png](/public/imported_attachments/1/ALERTS tab Action Override Edit Icon.png)
    ![Action Selection Modal.png](/public/imported_attachments/1/Action Selection Modal.png)
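    The SID management migration described in the first new feature above (files in /var/db/suricata/sidmods turned into a Base64-encoded list array named from the filenames) can be sketched as follows. This is an added illustration, not code from the pfSense Suricata package; the array layout, the temporary directory and the sample list contents are assumptions constructed for the example.

    ```php
    <?php
    // Added illustration (not the Suricata GUI package's own code): migrate each
    // per-list SID management file into a Base64-encoded array entry, and decode
    // an entry back to plain text for the retained download/edit capability.
    // The array layout is a hypothetical one; the package's real config.xml keys
    // are not reproduced here.

    function migrate_sidmods_dir(string $dir): array {
        $lists = [];
        foreach (glob(rtrim($dir, '/') . '/*') as $path) {
            if (!is_file($path)) {
                continue;
            }
            $content = file_get_contents($path);
            if ($content === false) {
                throw new RuntimeException("cannot read $path");
            }
            // List name is taken from the filename, as the release notes state.
            $lists[] = [
                'name'    => basename($path),
                'modtime' => filemtime($path),
                'content' => base64_encode($content),
            ];
        }
        return $lists;
    }

    // Reverse direction: recover the plain-text list (strict decode, so corrupted
    // config data yields null instead of silently producing garbage).
    function export_sidmods_list(array $lists, string $name): ?string {
        foreach ($lists as $item) {
            if ($item['name'] === $name) {
                $decoded = base64_decode($item['content'], true);
                return $decoded === false ? null : $decoded;
            }
        }
        return null;
    }

    // Constructed sample standing in for /var/db/suricata/sidmods (placeholder SIDs).
    $tmp = sys_get_temp_dir() . '/sidmods_demo_' . getmypid();
    mkdir($tmp);
    file_put_contents("$tmp/disablesid.conf", "# constructed sample\n1:1000001\n1:1000002\n");
    file_put_contents("$tmp/enablesid.conf", "emerging-scan\n");

    $migrated = migrate_sidmods_dir($tmp);
    foreach ($migrated as $item) {
        $roundtrip = export_sidmods_list($migrated, $item['name']);
        $original  = file_get_contents("$tmp/{$item['name']}");
        printf("%s: %d bytes, round-trip %s\n", $item['name'], strlen($roundtrip ?? ''),
            $roundtrip === $original ? 'ok' : 'MISMATCH');
    }
    array_map('unlink', glob("$tmp/*"));
    rmdir($tmp);
    ```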

  • Thanks Bill. Do the same installation instructions apply to the 4.0.4 update released today? I guess a better question would be, do those instructions only apply to 4.0.3_2 or is it generally advisable to do a complete uninstall/reinstall? I can do so anyway for good measures since it doesn't take much time, but I'm just curious about best practices and understanding why.


  • @Raffi.:

    Thanks Bill. Do the same installation instructions apply to the 4.0.4 update released today? I guess a better question would be, do those instructions only apply to 4.0.3_2 or is it generally advisable to do a complete uninstall/reinstall? I can do so anyway for good measures since it doesn't take much time, but I'm just curious about best practices and understanding why.


    No, the update released today was for the binary only.  The pfSense team went ahead and pulled in the 4.0.4 binary update. I'm working on a small update for the GUI, but it's not ready yet.  Will be adding the capability to use custom URLs for rule archive downloads and the ability to use a rejectsid.conf configuration when using Inline IPS mode.

    That being said, it's not a bad idea to generally follow the "remove and then re-install" process.  By having "save settings" checked, you don't lose any configuration info.  I do make it a point, though, of pointing out in the release notes when "remove and re-install" is necessary.  So if you don't see it specifically called out in the release notes, then you can consider it optional.