Suricata 4.1.2_2 Bug Fix Update -- Release Notes

bmeeks

Suricata 4.1.2_2 Package Update

This update for the pfSense package of Suricata corrects one bug. There are no new features nor feature changes in this release.

Important: refer to the instructions for the Suricata 4.1.2_1 package update here for details on how to install this upgrade!

New Features:

None

Bug Fixes:

• SID MGMT changes not being applied to rules due to incorrect legacy RULES_DIR path being used.

digdug3

@bmeeks : Found another (small) bug:
Interfaces -> Edit interface -> Categories:
Ruleset: Snort GPLv2 Community Rules is displayed as:
{$msg_community}

bmeeks

@digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

@bmeeks : Found another (small) bug:
Interfaces -> Edit interface -> Categories:
Ruleset: Snort GPLv2 Community Rules is displayed as:
{$msg_community}

I'm not seeing this in my test virtual machine. Here is a screenshot of that part of the CATEGORIES tab showing the Snort GPLv2 Community Rules --

digdug3

Ok, let me just wait until the release has been approved.

bmeeks

@digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Ok, let me just wait until the release has been approved.

There are no changes in that section of the code in the 4.1.2_2 release as compared to the 4.1.2_1 release. So the issue, if present for you, should also be in the 4.1.2_1 package version.

newUser2pfSense

I'm also receiving an error message in the WAN Rules of Suricata 4.1.2_1:

The following input errors were detected:
app-layer-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.

I've forced an update and still get the message. Not sure why.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

I'm also receiving an error message in the WAN Rules of Suricata 4.1.2_1:

The following input errors were detected:
app-layer-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.

I've forced an update and still get the message. Not sure why.

Check the directory /usr/local/share/suricata/rules for that file. It should be there, especially on AMD64 builds. Do you by chance have an SG-3100 appliance or some other non-Intel based CPU box?

newUser2pfSense

Hi Bill...I checked the directory you listed and it's not there. I have a custom home built Intel based computer I'm using for pfSense.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Hi Bill...I checked the directory you listed and it's not there. I have a custom home built Intel based computer I'm using for pfSense.

Let's try a totally clean install of Suricata.

1. Be sure "save settings" is checked on the GLOBAL SETTINGS tab.

2. Next, go to SYSTEM > PACKAGE MANAGER Installed Packages and delete the package from the firewall.

3. When the removal process completes, open a firewall CLI session (shell prompt) and search for any of the following directories:
   /usr/local/pkg/suricata
   /usr/local/etc/suricata
   /usr/local/www/suricata
   /usr/local/share/suricata

4. Remove any directories and their content you see from the list above with this command:

rm -rf /usr/local/xxx/suricata

(where xxx is replaced by the directory name from the list above)

5. Return to the SYSTEM > PACKAGE MANAGER page and install Suricata again from the Available Packages tab. Wait for the process to fully complete before leaving the page!

Report back the results and/or any error messages if it does not work then.

newUser2pfSense

Bill...I followed your instructions. It looks like I'm back in business. Thanks for your support!

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Bill...I followed your instructions. It looks like I'm back in business. Thanks for your support!

How did you install the package upgrade originally? Did you follow the instructions to completely remove Suricata and then install it again, or did you just click the package re-install icon?

newUser2pfSense

I actually just clicked the package re-install icon. I guess from now on I'll use your instructions before upgrading to the newest version.

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

I actually just clicked the package re-install icon. I guess from now on I'll use your instructions before upgrading to the newest version.

For this update, following the instructions was crucial because some PHP files had to be updated that pfSense will "cache". Thus clicking the "reinstall" icon will cause pfSense to use the "old" cached versions of these critical files. This causes some of the new settings that are required to be updated to get missed. Removing the package dumps the PHP cache, so during installation the new properly updated files get executed and those files will update your saved configuration.

In your case, by not dumping the package first, those cached files were reused during some of the installation and critical parts of your saved configuration did not get updated.

digdug3

@bmeeks Just got the update, installed it:
(
This is on FireFox 64.0.2 (64bit).

bmeeks

@digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

@bmeeks Just got the update, installed it:
(
This is on FireFox 64.0.2 (64bit).

Hmm...might be an artifact (syntax problem, really) that results from the rule category being managed by SID MGMT. I will test that and post a fix. There are some tests in the logic for various conditions and an appropriate message is loaded into that variable based on the tests. The code is supposed to display the contents of the variable instead of its name, so I will need to see where I screwed up the syntax. Probably missed a quotation mark someplace ... .

digdug3

@bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.

bmeeks

@digdug3 said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

@bmeeks Not really a problem, you can click it and it also goes to the correct ruleset. Just cosmetic.

Yes, it is just cosmetic; but I will get it fixed nonetheless. May wait a day or two to see if any other issues surface, and then put together a package update.

newUser2pfSense

Hey Bill...after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?

bmeeks

@newuser2pfsense said in Suricata 4.1.2_2 Bug Fix Update -- Release Notes:

Hey Bill...after re-installing Suricata per your instructions yesterday, I just downloaded the alerts to find the tar.gz file is 1.1 MB in size with only one 240.5 kB file inside. There should have been multiple files around 500 kB in size in the tar.gz file. It looks like Suricata is not using the Auto Log Management that I have set to default. Have you seen this by chance?

How many files and of what size are located in the interface's log directory? You will find all the logs in sub-directories (one per interface) under /var/log/suricata. I tested downloading a tarball gzip file of alerts during the last code update, but I don't recall if there were multiple alert files in the sub-directory at the time.

newUser2pfSense

I have Suricata pointed to only one interface at present. In the /var/log/suricata directory, there is a suricata_rules_update.log file that's 3.7 KB in size and one directory named suricatat_igb715464. In the suricatat_igb715464 directory, there is only one alerts.log file which is the name of the file in the downloaded tar.gz file that has a size of 242.8 KB. Interestingly, there is only one http.log file, multiple stats.log files, one suricata.log file, and two tls.log files.