Suricata 4.1.2_3 update broke ruleset?
-
Hi;
Updated to 4.1.2_3 and noticed that many of my ET rulesets are not being applied (reputation and compromised).
They appear to be enabled, this config hasn't really had issues for years.
When I look at the rules, I see the following error box now in red for the interface:
The following input errors were detected:
decoder-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.
Updating the rules doesn't appear to do much nor do any settings appear to have been changed.
Any suggestions?
Thanks
-
@xtal said in Suricata 4.1.2_3 update broke ruleset?:
Hi;
Updated to 4.1.2_3 and noticed that many of my ET rulesets are not being applied (reputation and compromised).
They appear to be enabled, this config hasn't really had issues for years.
When I look at the rules, I see the following error box now in red for the interface:
The following input errors were detected:
decoder-events.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.
Updating the rules doesn't appear to do much nor do any settings appear to have been changed.
Any suggestions?
Thanks
Your update did not fully install. That file is part of the base package and is never updated by rules updates.
Remove Suricata and install it again. DO NOT just click the reinstall icon, delete the package and install it again from the Available Packages tab on the SYSTEM > PACKAGE MANAGER screen.
When you performed the update to Suricata, did you follow the posted instructions in this thread: https://forum.netgate.com/topic/139365/suricata-v4-1-2_1-package-update-release-notes. Did you completely remove the package and then install it again, or did you simply click "reinstall" to do the update? Your issue would usually be caused by failing to remove the package first. That will cause you to get bitten by the "caching bug" mentioned in the release notes.
-
Thank you!
No, I didn’t follow the recommendation, mainly because I wasn’t aware of it.
I’ll uninstall and reinstall.. although, it would be good to build this into the package manager so people can’t hang themselves on future updates. Will check going forward.
Will this remove the existing rules configuration, if so can this be backed up?
-
@xtal said in Suricata 4.1.2_3 update broke ruleset?:
Thank you!
No, I didn’t follow the recommendation, mainly because I wasn’t aware of it.
I’ll uninstall and reinstall.. although, it would be good to build this into the package manager so people can’t hang themselves on future updates. Will check going forward.
Will this remove the existing rules configuration, if so can this be backed up?
Unfortunately Package Manager within pfSense does not currently have the capability for displaying custom messages about package updates.
There is a checkbox on the GLOBAL SETTINGS tab that is checked by default. That setting, when checked, preserves all of your Suricata settings in the firewall's configuration even when the Suricata package itself is removed. So you will not lose your configuration by removing and then reinstalling Suricata. Should you ever wish to completely remove the package including any previous configuration, then you would uncheck that box, save the change and then remove the package.
-
Great. Back up and running now. Thanks!