Suricata v4.0.4_1 Release Notes (GUI package update)



  • Suricata v4.0.4_1 Update

    An update for the Suricata GUI package is available.  This update contains two new features.

    New Features

    • The ability to utilize user-supplied custom URLs for downloading rules updates has been added to the GLOBAL SETTINGS tab.  For each of the four rules package choices, (1) Emerging Threats, (2) Emerging Threats Pro, (3) Snort Subscriber and (4) Snort Community GPLv2, there is now an optional checkbox to enable input of a user-supplied URL for the rules download.  This URL will be used for downloading updates to that rules package instead of the built-in default.

      There are two important considerations when using the custom URL.  First, you must provide the complete URL all the way out to the filename.  Second, the internal code in Suricata will assume that an MD5 checksum file exists with the same filename and in the same path specified in the URL.  For example, if your custom URL is "http://myserver.com/myrules/myfile.tar.gz", then this file and path must also exist:  "http://myserver.com/myrules/myfile.tar.gz.md5".  The MD5 file must contain a valid and current md5 checksum of the rules archive.  Finally, user-supplied rules archive files must have the identical internal format (directory names and subdirectory names) as the vendor's archive files!

      This new feature will be of no practical benefit to users that run Suricata on a home network.  You should continue to let Suricata fetch rules using the default internal URLs which point directly to the rules publishers' sites if you run Suricata on a home network.  The ability to use custom URLs will benefit corporate users and other applications where a number of pfSense firewalls running Suricata are on internal networks and it is desirable for them to fetch rules from a central internal server.  This new option will also allow admins to package their own custom rules and insert them into a vendor's rule archive and then distribute the custom package to all of their internal Suricata installations.  Just remember that if you add custom rules to a vendor archive you must maintain the internal file structure!

    • On the SID MGMT tab there is now the option of using a rejectsid.conf configuration to automatically change matching rules to the REJECT action.  This option is only relevant when using Inline IPS operation in blocking mode.  There is no capability to do an actual "reject" action when using Legacy Mode blocking.  When an interface is not configured for Inline IPS Mode blocking operation, the selector on that interface for choosing a rejectsid.conf selection will be hidden.  For example, in the images attached at the end of this post notice that for the WAN interface both the dropsid and rejectsid selectors are hidden.  This is because that interface is configured for Legacy Mode blocking and the block-on-drops-only option is disabled.  Thus neither REJECT nor DROP actions apply for the interface.  The LAN interface shown in the image is configured for Inline IPS blocking mode, so both the dropsid and rejectsid selectors are displayed.

    This same logic of hiding controls that are not applicable in a given IDS/IPS mode is used elsewhere in the GUI.

    Bill
    ![Custom Rule Download URLs.png](/public/imported_attachments/1/Custom Rule Download URLs.png)
    ![SID MGMT - rejectsid.png](/public/imported_attachments/1/SID MGMT - rejectsid.png)
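    The custom-URL feature in the first post pairs each rules archive with a ".md5" sidecar at the same path.  The following is an added example, not code from the pfSense Suricata package, showing how an admin running an internal mirror can generate that sidecar and verify a downloaded archive against it before serving it.  The exact sidecar layout the package parses is an assumption here; three common layouts are accepted.

```python
"""Added example: build and verify the ".md5" sidecar expected beside a
rules archive.  Not part of the pfSense Suricata package."""
import hashlib
import hmac
import re
from typing import Optional

# Assumption: the sidecar is a bare hash, GNU "hash  filename", or
# FreeBSD md5(1) "MD5 (filename) = hash".  Any 32-hex-digit token is used.
_MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_hex(data: bytes) -> str:
    """MD5 digest of the archive bytes as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def parse_sidecar(text: str) -> Optional[str]:
    """Return the checksum found in sidecar text, or None if none present."""
    m = _MD5_RE.search(text)
    return m.group(1).lower() if m else None


def make_sidecar(archive_name: str, data: bytes) -> str:
    """Sidecar content for a mirrored archive, in FreeBSD md5(1) layout."""
    return f"MD5 ({archive_name}) = {md5_hex(data)}\n"


def verify_archive(data: bytes, sidecar_text: str) -> bool:
    """True only when the sidecar carries a hash that matches the bytes.
    A missing or malformed sidecar fails closed rather than passing.
    Note: MD5 here detects transfer corruption; it does not authenticate
    the publisher, so the mirror itself must be a trusted internal host."""
    expected = parse_sidecar(sidecar_text)
    if expected is None:
        return False
    return hmac.compare_digest(md5_hex(data), expected)


# Constructed sample "archive" bytes; not a real vendor rules tarball.
SAMPLE_ARCHIVE = b"rules/emerging-all.rules\nalert ip any any -> any any (sid:1;)\n"

if __name__ == "__main__":
    sidecar = make_sidecar("myfile.tar.gz", SAMPLE_ARCHIVE)
    print(sidecar.strip())
    print("intact:", verify_archive(SAMPLE_ARCHIVE, sidecar))
    print("tampered:", verify_archive(SAMPLE_ARCHIVE + b"x", sidecar))
```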



  • Wow, lots of updates in recent weeks.  Very cool; gives me something to tinker with over Easter.



  • Uh oh, SpaghettiOs.  After updating, Suricata was listed in the package manager as installed but was nowhere to be found in Services.  I rebooted, then ran a reinstall to fix it.

    PC Engines APU2 C4
    pfSense 2.4.3



  • @bmeeks Thanks for the update, and also for implementing the Reject.sid for LAN side.

    The only thing that I noticed is that no rejectionsid.conf sample will be added by default in SID Management Configuration Lists after updating or reinstalling.

    It's not a problem because a manual add did the trick.



  • @NRgia:

    @bmeeks Thanks for the update, and also for implementing the Reject.sid for LAN side.

    The only thing that I noticed is that no rejectionsid.conf sample will be added by default in SID Management Configuration Lists after updating or reinstalling.

    It's not a problem because a manual add did the trick.

    Oops!  I did forget to add a sample file for rejectsid, but it's exactly like dropsid.  But those files really are just meant to be examples.  I never intended for users to actually edit and use those files keeping the same name.  The sample files get overwritten with each update anyway.  I will include a sample file for rejectsid.conf in a later update.  My next project for a bit is to port the applicable recent changes in Suricata over to Snort.

    Bill



  • No worries, thanks