Netgate Discussion Forum

Suricata 4.1.2_2 Bug Fix Update -- Release Notes

• bmeeks

  Suricata 4.1.2_2 Package Update

  This update for the pfSense package of Suricata corrects one bug. There are no new features or feature changes in this release.

  Important: refer to the instructions for the Suricata 4.1.2_1 package update here for details on how to install this upgrade!

  New Features:

  None

  Bug Fixes:

  • SID MGMT changes not being applied to rules due to an incorrect legacy RULES_DIR path being used.
• digdug3 @bmeeks

  @bmeeks: Found another (small) bug:
  Interfaces -> Edit interface -> Categories:
  Ruleset: Snort GPLv2 Community Rules is displayed as:
  {$msg_community}
• bmeeks @digdug3

  @digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      @bmeeks: Found another (small) bug:
      Interfaces -> Edit interface -> Categories:
      Ruleset: Snort GPLv2 Community Rules is displayed as:
      {$msg_community}

  I'm not seeing this in my test virtual machine. Here is a screenshot of that part of the CATEGORIES tab showing the Snort GPLv2 Community Rules --

  [screenshot: SnortCommunityRules.png]
• digdug3

  Ok, let me just wait until the release has been approved.
• bmeeks @digdug3

  @digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      Ok, let me just wait until the release has been approved.

  There are no changes in that section of the code in the 4.1.2_2 release as compared to the 4.1.2_1 release. So the issue, if present for you, should also be in the 4.1.2_1 package version.
• newUser2pfSense

  I'm also receiving an error message in the WAN Rules of Suricata 4.1.2_1:

      The following input errors were detected:
      app-layer-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.

  I've forced an update and still get the message. Not sure why.
• bmeeks @newUser2pfSense

  @newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      I'm also receiving an error message in the WAN Rules of Suricata 4.1.2_1:

      The following input errors were detected:
      app-layer-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.

      I've forced an update and still get the message. Not sure why.

  Check the directory /usr/local/share/suricata/rules for that file. It should be there, especially on AMD64 builds. Do you by chance have an SG-3100 appliance or some other non-Intel based CPU box?
• newUser2pfSense

  Hi Bill... I checked the directory you listed and it's not there. I have a custom home-built Intel based computer I'm using for pfSense.
• bmeeks @newUser2pfSense

  @newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      Hi Bill... I checked the directory you listed and it's not there. I have a custom home-built Intel based computer I'm using for pfSense.

  Let's try a totally clean install of Suricata.

  1. Be sure "save settings" is checked on the GLOBAL SETTINGS tab.

  2. Next, go to SYSTEM > PACKAGE MANAGER > Installed Packages and delete the package from the firewall.

  3. When the removal process completes, open a firewall CLI session (shell prompt) and search for any of the following directories:
     /usr/local/pkg/suricata
     /usr/local/etc/suricata
     /usr/local/www/suricata
     /usr/local/share/suricata

  4. Remove any directories and their content you see from the list above with this command:

     rm -rf /usr/local/xxx/suricata

     (where xxx is replaced by the directory name from the list above)

  5. Return to the SYSTEM > PACKAGE MANAGER page and install Suricata again from the Available Packages tab. Wait for the process to fully complete before leaving the page!

  Report back the results and/or any error messages if it does not work then.
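The directory search in step 3 and the removal in step 4 of the post above, written out as an added shell example. This is not code from the post or from the pfSense Suricata package; the four /usr/local/<name>/suricata paths are the ones the post lists, while the function names, the optional root prefix (so the script can be tried on a scratch tree before touching a firewall) and the constructed demo tree are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post or the pfSense package): verify that the
# four Suricata package directories named in the post are gone after the package
# is removed, and delete any that remain. Paths are evaluated below $root so the
# script can be tried on a scratch tree first; on the firewall, root is empty.

# The /usr/local/<name>/suricata directories listed in the post.
SURICATA_DIR_NAMES="pkg etc www share"

# Print each leftover directory found under "$1/usr/local/<name>/suricata".
find_suricata_leftovers() {
    root="${1:-}"
    for name in $SURICATA_DIR_NAMES; do
        dir="$root/usr/local/$name/suricata"
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Number of leftover directories under the given root (0 means a clean slate).
count_suricata_leftovers() {
    find_suricata_leftovers "$1" | wc -l | tr -d ' '
}

# Remove every leftover directory under the given root, reporting each one.
# This is the only function that deletes anything (step 4 of the post).
remove_suricata_leftovers() {
    find_suricata_leftovers "$1" | while IFS= read -r dir; do
        rm -rf "$dir"
        printf 'removed %s\n' "$dir"
    done
}

# Stand-alone demo on a constructed scratch tree (not the real firewall filesystem):
# two leftover directories plus an unrelated directory that must survive.
demo_clean_scratch_tree() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/usr/local/pkg/suricata" \
             "$scratch/usr/local/share/suricata" \
             "$scratch/usr/local/etc/unrelated"
    echo "before: $(count_suricata_leftovers "$scratch") leftover dir(s)"
    remove_suricata_leftovers "$scratch"
    echo "after:  $(count_suricata_leftovers "$scratch") leftover dir(s)"
    if [ -d "$scratch/usr/local/etc/unrelated" ]; then
        echo "unrelated directory untouched"
    fi
    rm -rf "$scratch"
}

demo_clean_scratch_tree
```

On the firewall itself, once the package removal from step 2 has finished, `find_suricata_leftovers` with no argument lists whatever is still under the real /usr/local, and `remove_suricata_leftovers` with no argument performs step 4's rm -rf for each directory it found. Listing first and deleting only on an explicit call keeps the check separate from the destructive step.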
• newUser2pfSense

  Bill... I followed your instructions. It looks like I'm back in business. Thanks for your support!
• bmeeks @newUser2pfSense

  @newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      Bill... I followed your instructions. It looks like I'm back in business. Thanks for your support!

  How did you install the package upgrade originally? Did you follow the instructions to completely remove Suricata and then install it again, or did you just click the package re-install icon?
• newUser2pfSense

  I actually just clicked the package re-install icon. I guess from now on I'll use your instructions before upgrading to the newest version.
• bmeeks @newUser2pfSense

  @newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      I actually just clicked the package re-install icon. I guess from now on I'll use your instructions before upgrading to the newest version.

  For this update, following the instructions was crucial because some PHP files had to be updated that pfSense will "cache". Thus clicking the "reinstall" icon will cause pfSense to use the "old" cached versions of these critical files. This causes some of the new settings that are required to be updated to get missed. Removing the package dumps the PHP cache, so during installation the new, properly updated files get executed and those files will update your saved configuration.

  In your case, by not dumping the package first, those cached files were reused during some of the installation and critical parts of your saved configuration did not get updated.
• digdug3 @bmeeks

  @bmeeks Just got the update, installed it:
  [screenshot: Clipboard01.png]
  This is on Firefox 64.0.2 (64-bit).
• bmeeks @digdug3

  @digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      @bmeeks Just got the update, installed it:
      [screenshot: Clipboard01.png]
      This is on Firefox 64.0.2 (64-bit).

  Hmm... might be an artifact (syntax problem, really) that results from the rule category being managed by SID MGMT. I will test that and post a fix. There are some tests in the logic for various conditions and an appropriate message is loaded into that variable based on the tests. The code is supposed to display the contents of the variable instead of its name, so I will need to see where I screwed up the syntax. Probably missed a quotation mark someplace... ☹
• digdug3 @bmeeks

  @bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.
• bmeeks @digdug3

  @digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      @bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.

  Yes, it is just cosmetic; but I will get it fixed nonetheless. I may wait a day or two to see if any other issues surface, and then put together a package update.
• newUser2pfSense

  Hey Bill... after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?
• bmeeks @newUser2pfSense

  @newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

      Hey Bill... after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?

  How many files and of what size are located in the interface's log directory? You will find all the logs in sub-directories (one per interface) under /var/log/suricata. I tested downloading a tarball gzip file of alerts during the last code update, but I don't recall if there were multiple alert files in the sub-directory at the time.
• newUser2pfSense

  I have Suricata pointed to only one interface at present. In the /var/log/suricata directory, there is a suricata_rules_update.log file that's 3.7 KB in size and one directory named suricatat_igb715464. In the suricatat_igb715464 directory, there is only one alerts.log file, which is the name of the file in the downloaded tar.gz file that has a size of 242.8 KB. Interestingly, there is only one http.log file, multiple stats.log files, one suricata.log file, and two tls.log files.
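The inventory bmeeks asks for two posts up (how many alert files of what size sit in each per-interface sub-directory under /var/log/suricata) as an added shell example, not code from the thread or from the pfSense Suricata package. Only the /var/log/suricata root, the suricata_<interface> sub-directory naming and the suricata_rules_update.log file at the root come from the thread; the assumption that rotated copies are named alerts.log.*, the function names and the constructed demo tree are mine.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pfSense package): inventory the
# per-interface log directories under a Suricata log root, reporting how many
# alerts.log files (current plus rotated copies, assumed to be named alerts.log.*)
# each one holds and their combined size in bytes. The root defaults to
# /var/log/suricata as named in the thread; a different root can be given so the
# script can be tried on a constructed tree.

# Size in bytes of a single file, via wc so it behaves the same on FreeBSD and Linux.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Number of alerts.log* files in one interface directory.
count_alert_files() {
    n=0
    for f in "$1"/alerts.log*; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Combined size in bytes of the alerts.log* files in one interface directory.
alert_files_bytes() {
    total=0
    for f in "$1"/alerts.log*; do
        if [ -f "$f" ]; then
            total=$((total + $(file_size_bytes "$f")))
        fi
    done
    echo "$total"
}

# One line per interface sub-directory: directory name, alert file count, total bytes.
# Files directly under the root (such as suricata_rules_update.log) are not counted.
alert_log_inventory() {
    root="${1:-/var/log/suricata}"
    for dir in "$root"/suricata_*; do
        [ -d "$dir" ] || continue
        printf '%s %s %s\n' "$(basename "$dir")" \
            "$(count_alert_files "$dir")" "$(alert_files_bytes "$dir")"
    done
}

# Stand-alone demo on a constructed tree: one interface with a current alerts.log
# plus two rotated copies, one with a single file, and the rules update log at the
# root, which must be ignored. Interface directory names here are made up.
demo_alert_log_inventory() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/suricata_igb0aaaa" "$scratch/suricata_igb1bbbb"
    printf 'alert one\n' > "$scratch/suricata_igb0aaaa/alerts.log"
    printf 'older alerts\n' > "$scratch/suricata_igb0aaaa/alerts.log.1"
    printf 'oldest alerts\n' > "$scratch/suricata_igb0aaaa/alerts.log.2"
    printf 'only file\n' > "$scratch/suricata_igb1bbbb/alerts.log"
    printf 'rules updated\n' > "$scratch/suricata_rules_update.log"
    alert_log_inventory "$scratch"
    rm -rf "$scratch"
}

demo_alert_log_inventory
```

Run without arguments on the firewall it reads the real /var/log/suricata; a single line with a count of 1 matches the situation described in the post above (one alerts.log only), whereas working log rotation shows a count above 1 for an interface that has been up long enough.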
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.