Suricata v4.1.2_1 -- Package Update Release Notes
-
Suricata v4.1.2_1
This update to the Suricata GUI package provides support for the new Suricata v4.1.2 binary. Three bug fixes, four new features and three functionality changes are included in this release. This update is initially only available in the latest DEV branch of pfSense. It will be migrated to the RELEASE branch of pfSense in the near future.
Important Update Notice: read this before upgrading!
-
When installing this update, you should first remove the Suricata package and then install it again. This is to work around some PHP file caching issues. If you simply do a "re-install" by clicking the GUI's Re-install icon, Suricata will likely fail to automatically start after the upgrade.
-
Be sure you read the information below regarding the changes with the inclusion of Rust language support in the Suricata 4.1.x family.
-
Rust is not currently supported on ARMv6 architectures such as the Netgate SG-3100 appliance or on appliances based on AARCH64 architectures. For now Rust support is not enabled in the package for ARMv6-based or AARCH64-based appliances. This means any new features mentioned below that depend on Rust support are NOT available on ARMv6-based or AARCH64-based hardware. The package installer will automatically detect the target platform's architecture (armv6, aarch64 or amd64) and install the appropriate PHP source files.
-
Features not supported by the underlying hardware architecture will be automatically removed from the package and will not appear in the GUI.
New Features
-
Added configuration option for Runmode on INTERFACE SETTINGS tab. Default value is "AutoFP".
-
Added support for new protocols krb5, IKEv2, nfs, tftp, ntp and dhcp on APP PARSERS tab. (not currently available on ARMv6-based or AARCH64-based hardware)
-
Added new configurable options for SMTP, TLS and DNS parser on APP PARSERS tab. (not all are available on ARMv6-based or AARCH64-based hardware)
-
Added/updated EVE JSON logging options on INTERFACE SETTINGS tab to reflect new protocols available with Rust support in Suricata 4.1.x. (not all are available on ARMV6-based or AARCH64-based hardware)
Changes in v4.1.2_1
-
The legacy DNS log has been deprecated in Suricata 4.1.x with the introduction of Rust support. As a result, the selection of a separate DNS log has been removed and the DNS log size limit parameters on the LOGS MGMT tab have been removed. (not applicable to ARMv6-based or AARCH64-based hardware)
-
Suricata 4.1.x stores downloaded rule signature files in a new location. The RULES inventory directory is now /usr/local/share/suricata/rules. It was formerly /usr/local/etc/suricata/rules.
-
MaxMind, the creator and maintainer for the GeoIP database used by the "geoip" rule option in Suricata has discontinued their legacy GeoIP database. This version of Suricata is now modified to use the new GeoLite2 database format from MaxMind. A new database version will automatically be downloaded and installed with the Suricata package in /usr/local/share/suricata/GeoLite2/. A cron task is created that checks for an updated database at 6:00 AM each day. A new file is downloaded only when the local database copy is either missing or is older than the posted version on the MaxMind download site.
Bug Fixes
-
Redmine bug #9188. Log rotation code not sending SIGHUP to Suricata process after rotating/truncating log files. This is allowing some log files to grow to extreme size.
-
Auto-Flowbits rules not correctly displayed on the RULES tab when selected.
-
Emerging Threats Pro IQRisk IP reputation files frequently fail to download when enabled with an IQRisk license code.
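The log-rotation bug listed above (Redmine #9188) is a useful one to see in code: a rotation routine that renames or truncates Suricata's log files but never signals the daemon leaves Suricata writing through its still-open file descriptor, so the file keeps growing. The following is an added example, not code from the pfSense Suricata package; it shows the corrected sequence (rotate, then SIGHUP the pid recorded in the pid file). The log names, the pid-file path and the size threshold are assumptions; the `demo()` helper builds constructed sample files in a temporary directory and uses a recording stand-in for `os.kill` so it runs anywhere.

```python
"""Rotate Suricata log files and then tell the daemon to reopen them.

Added example modelling the fix for the log-rotation bug above.  After a
log is renamed or truncated, Suricata must receive SIGHUP so it closes
the old descriptor and reopens the log by name; without the signal it
keeps writing to the renamed inode and the file grows without bound.
"""
import os
import signal
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# Assumed log names; a real deployment reads these from suricata.yaml.
ROTATABLE_LOGS = ("alerts.log", "eve.json", "http.log", "stats.log")


def rotate_logs(log_dir: str, max_bytes: int, now: Optional[int] = None) -> List[str]:
    """Rename every known log larger than max_bytes to <name>.<epoch> and
    recreate an empty file in its place.  Returns the rotated log names."""
    stamp = int(time.time()) if now is None else now
    rotated: List[str] = []
    for name in ROTATABLE_LOGS:
        path = Path(log_dir) / name
        if not path.exists() or path.stat().st_size <= max_bytes:
            continue
        path.rename(path.with_name(f"{name}.{stamp}"))
        path.touch()  # Suricata still has the OLD inode open until it gets SIGHUP
        rotated.append(name)
    return rotated


def signal_suricata(pid_file: str, send: Callable[[int, int], None] = os.kill) -> bool:
    """Send SIGHUP to the pid recorded in pid_file.  Returns False when the
    pid file is missing/garbled or the process is gone, so the caller can
    log the failure instead of silently assuming the reopen happened."""
    try:
        pid = int(Path(pid_file).read_text().strip())
        send(pid, signal.SIGHUP)
        return True
    except (FileNotFoundError, ValueError, ProcessLookupError):
        return False


def rotate_and_reopen(log_dir: str, pid_file: str, max_bytes: int,
                      send: Callable[[int, int], None] = os.kill) -> Tuple[List[str], bool]:
    """The corrected sequence: rotate first, then signal whenever anything
    moved.  The bug described in the release notes was doing only step one."""
    rotated = rotate_logs(log_dir, max_bytes)
    signalled = signal_suricata(pid_file, send) if rotated else False
    return rotated, signalled


def demo() -> dict:
    """Constructed scenario: eve.json is over the limit, alerts.log is not,
    and the pid file names a fake pid.  os.kill is replaced by a recorder."""
    work = tempfile.mkdtemp(prefix="suri-rotate-")
    (Path(work) / "eve.json").write_bytes(b"x" * 100)   # constructed, oversized
    (Path(work) / "alerts.log").write_bytes(b"y" * 10)  # constructed, under limit
    pid_file = str(Path(work) / "suricata.pid")
    Path(pid_file).write_text("12345\n")                # constructed pid

    calls: List[Tuple[int, int]] = []
    rotated, signalled = rotate_and_reopen(
        work, pid_file, max_bytes=50, send=lambda pid, sig: calls.append((pid, sig)))
    return {
        "rotated": rotated,
        "signalled": signalled,
        "hup_sent_to_12345": calls == [(12345, signal.SIGHUP)],
        "new_eve_empty": (Path(work) / "eve.json").stat().st_size == 0,
        "archived": sorted(p.name for p in Path(work).glob("eve.json.*")),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the signal is unconditional once any file has been rotated, and that a missing pid file is surfaced as a `False` return rather than swallowed, which is what turns a silent "logs grow to extreme size" failure into something a cron job can report.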
-
So, ARMv6 architectures such as the Netgate SG-3100 appliance, if I understood correctly, users with this architecture lost some features with this update, right?
-
@mcury said in Suricata v4.1.2_1 -- Package Update Release Notes:
So, ARMv6 architectures such as the Netgate SG-3100 appliance, if I understood correctly, users with this architecture lost some features with this update, right?
Sort of. SG-3100 users do not "lose" any features from what is currently in the 4.0.6 release, but they do lose the "new" features such as five new app-layer protocol analyzers that are part of 4.1.2. This is because all new feature development in the Suricata binary is being done in the Rust programming language, and there is not currently a Rust variant available for ARM and aarch64 hardware. I believe the FreeBSD developers are working on fixing that in the near future.
-
@bmeeks Thank you for the release notes and for the Suricata package support.
-
Just got a new SG-3100 on the newest pfSense release. Suricata is flooding the logs with "SURICATA PPP unsupported protocol" and "SURICATA PPP wrong type". Support said to disable rules causing this, but how do I know what rules to disable? Also, doesn't disabling rules reduce the effectiveness of Suricata? Or is it better to just load an older version of pfSense on it until ARM is properly supported?
-
@sparklan said in Suricata v4.1.2_1 -- Package Update Release Notes:
Just got a new SG-3100 on the newest pfSense release. Suricata is flooding the logs with "SURICATA PPP unsupported protocol" and "SURICATA PPP wrong type". Support said to disable rules causing this, but how do I know what rules to disable? Also, doesn't disabling rules reduce the effectiveness of Suricata? Or is it better to just load an older version of pfSense on it until ARM is properly supported?
Suricata has always been a bit picky about PPPoE in FreeBSD (which I assume is what maybe your WAN connection is using). For a long time it did not work at all, then the Suricata folks made a few changes that helped. However, a recent FreeBSD change seems to have disrupted PPPoE in some way. With the release of pfSense 2.4.4, there were several posts from users of PPPoE connections that started giving problems. I suspect that is your underlying issue with Suricata and the latest pfSense (which is a newer FreeBSD variant).
I doubt rules are causing this. It is likely a protocol decoder problem. You can, nevertheless, try to identify and disable the offending rule by SID. Look in the alert log and find the SID, then go to the RULES tab and load the "decoder-events.rules" file and find the corresponding SID and force it to disabled. Save the change and restart Suricata.
You can also try rolling back to Suricata 4.0.13_11. To do that, you will need to remove the current Suricata package and install the older one manually from the command line using the pkg utility.
Another solution might be to abandon Suricata and try Snort instead.
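The triage step in the reply above (look in the alert log, find the SID of the flooding decoder event, then disable that SID in decoder-events.rules) can be scripted. The following is an added example, not part of the forum post or of the pfSense package: it parses Suricata fast.log-style alert lines, keeps only engine/decoder events (gid 1, message starting with "SURICATA "), and ranks them by hit count so the operator knows exactly which SIDs to force-disable on the RULES tab. The sample log lines are constructed and their SIDs (99000xx) are placeholders, not the real rule numbers. As the reply notes, silencing these rules removes the noise but does not fix the underlying decoder problem.

```python
"""Rank Suricata decoder-event alerts by SID to see what is flooding the log.

Added example; fast.log alert format:
  <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src -> dst
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample log.  SIDs are placeholders, not real decoder-events.rules numbers.
SAMPLE_FAST_LOG = """\
01/28/2019-10:15:22.123456  [**] [1:9900001:1] SURICATA PPP unsupported protocol [**] [Classification: (null)] [Priority: 3] {PPP} 0.0.0.0:0 -> 0.0.0.0:0
01/28/2019-10:15:22.223456  [**] [1:9900002:1] SURICATA PPP wrong type [**] [Classification: (null)] [Priority: 3] {PPP} 0.0.0.0:0 -> 0.0.0.0:0
01/28/2019-10:15:23.000001  [**] [1:9900001:1] SURICATA PPP unsupported protocol [**] [Classification: (null)] [Priority: 3] {PPP} 0.0.0.0:0 -> 0.0.0.0:0
01/28/2019-10:15:25.500000  [**] [1:9900100:1] CONSTRUCTED TEST ordinary signature alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.10:51234
this line is not an alert and must be skipped
"""


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return gid/sid/rev/msg for one fast.log line, or None if it is not an alert."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"]}


def noisy_decoder_events(lines: Iterable[str], min_hits: int = 1,
                         prefix: str = "SURICATA ") -> List[Tuple[int, int, str]]:
    """Count alerts from engine/decoder rules (gid 1, message prefixed "SURICATA ")
    and return (sid, hits, msg) tuples, busiest first, dropping those under min_hits."""
    counts: Counter = Counter()
    messages: Dict[int, str] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["gid"] != 1 or not str(alert["msg"]).startswith(prefix):
            continue
        sid = int(alert["sid"])
        counts[sid] += 1
        messages[sid] = str(alert["msg"])
    return [(sid, hits, messages[sid]) for sid, hits in counts.most_common() if hits >= min_hits]


def report(lines: Iterable[str], min_hits: int = 1) -> List[str]:
    """Human-readable lines for the operator: which SIDs to look up in decoder-events.rules."""
    return [f"sid {sid}: {hits} hits  ({msg})" for sid, hits, msg in noisy_decoder_events(lines, min_hits)]


if __name__ == "__main__":
    # Against a live box this would be the lines of the alert log for the interface.
    for line in report(SAMPLE_FAST_LOG.splitlines()):
        print(line)
```

Run against the real alert log (`/var/log/suricata/<interface>/alerts.log` on the pfSense package, path assumed here) and the top entries are the SIDs to locate in decoder-events.rules on the RULES tab. Ordinary signature alerts, like the constructed 9900100 line, are deliberately excluded so that only decoder/engine events are considered for disabling.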
-
Thanks. I have an old customer connection that still uses PPPoE which will hopefully be gone soon. I disabled the rules, and it is no longer flooding my syslog server. Everything else seems to be working as it should.