Suricata v4.1.4_2 Package -- Release Notes



  • Suricata v4.1.4_2 Release Notes

    This update to the GUI package incorporates the use of the PHP syslog() function for logging both informational and error messages so that a SEVERITY_LEVEL flag can be associated with each message. This lets users sending the logs for automated analysis on remote systems parse log messages by Severity (LOG_ERR, LOG_ALERT, LOG_WARN or LOG_NOTICE). Formerly all Suricata log messages were logged with Severity LOG_ERR, even those that were merely informational in nature.

    This update also includes three bug fixes and two new features.

    Changes Log:

    1. Update the example Snort 2.9.x rules snapshot filename on the GLOBAL SETTINGS tab in the Snort Subscriber Rules section to the most recent Snort 2.9.x version.

    2. Add a warning under the Snort rules snapshot filename text box advising the user to not use Snort3 rules as they are incompatible with Suricata and will break the Suricata installation if installed.

    New Features:

    1. Suricata log messages to the system log now contain SEVERITY LEVEL to facilitate parsing of the messages using remote log analysis tools. Redmine Issue #8501.

    2. The blocking mode (Legacy, Inline or Disabled) is now shown for each interface on the INTERFACES tab. Formerly only ENABLED or DISABLED were shown.

    Bug Fixes:

    1. Fix display of Suricata and Barnyard2 status icons on the INTERFACES tab so that icons update properly when the underlying interface is a VLAN.

    2. On a package re-install, check for missing classification.config, reference.config or threshold.config files in each interface sub-directory and restore any missing files by copying in the *.config.sample equivalent. This prevents subsequent start-up errors for missing files. See Redmine Issues #9195 and #9202.

    3. Suricata fails to start on interfaces using a /31 subnet mask (point-to-point networks) when blocking mode is enabled. Redmine Issue #9031.
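    As an added illustration of bug fix 2 (this is not the package's own code, which is PHP), the missing-config check written as a POSIX sh function; the base-directory argument and the assumption that each interface sub-directory already holds its *.config.sample templates are mine:

```shell
#!/bin/sh
# Added example, not the pfSense Suricata package's code. Walks every
# suricata_<id>_<iface> sub-directory under the given base directory and
# restores classification.config, reference.config and threshold.config
# from their *.config.sample equivalents when they are missing.
# Assumption: the sample files are already present in each sub-directory.
# Prints the number of files restored on stdout; warnings go to stderr.
restore_missing_configs() {
    base="$1"      # e.g. /usr/local/etc/suricata (passed in by the caller)
    restored=0
    for iface_dir in "$base"/suricata_*; do
        # Skip the literal glob when no interface directories exist.
        [ -d "$iface_dir" ] || continue
        for name in classification.config reference.config threshold.config; do
            target="$iface_dir/$name"
            sample="$target.sample"
            # Existing files are never overwritten: only absent ones are restored.
            if [ ! -f "$target" ]; then
                if [ -f "$sample" ]; then
                    cp "$sample" "$target"
                    restored=$((restored + 1))
                else
                    # No template to copy from: say so, because a silent skip is
                    # exactly what produces the "No such file" start-up errors.
                    echo "WARNING: $target is missing and $sample not found" >&2
                fi
            fi
        done
    done
    echo "$restored"
}
```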



  • Thank you for the continuous support.

    1 feedback and 1 question

    Feedback:

    Under IPS Mode I still see only two options IPS and Legacy, I don't see the disable option

    Package was removed and then installed again.

    "Keep Suricata Settings After Deinstall" was checked.

    1. When removing and installing Suricata the following message will be displayed:

    Message from mysql56-client-5.6.41:


    Please be aware the database client is vulnerable
    to CVE-2015-3152 - SSL Downgrade aka "BACKRONYM".
    You may find more information at the following URL:

    http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html

    Although this database client is not listed as
    "affected", it is vulnerable and will not be
    receiving a patch. Please take note of this when
    deploying this software.

    Should we have any worries about the above?

    Thank you



  • @NRgia said in Suricata v4.1.4_2 Package -- Release Notes:

    Thank you for the continuous support.

    1 feedback and 1 question

    Feedback:

    Under IPS Mode I still see only two options IPS and Legacy, I don't see the disable option

    Package was removed and then installed again.

    Keep Suricata Settings After Deinstall was checked.

    1. When removing and installing Suricata the following message will be displayed:

    Message from mysql56-client-5.6.41:


    Please be aware the database client is vulnerable
    to CVE-2015-3152 - SSL Downgrade aka "BACKRONYM".
    You may find more information at the following URL:

    http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html

    Although this database client is not listed as
    "affected", it is vulnerable and will not be
    receiving a patch. Please take note of this when
    deploying this software.

    Should we have any worries about the above?

    Thank you

    To disable blocking, you uncheck the Block Offenders checkbox. The "DISABLED" I was talking about is shown under the Suricata Status column on the INTERFACES tab where you start and stop Suricata instances. That column formerly only said ENABLED or DISABLED for blocking. Now, when enabled, it shows you which mode.

    The MySQL client is only used if you enable Barnyard2. This is one of the issues with Barnyard2. It is super old and not maintained anymore, so its dependencies are old. I would really like to just remove Barnyard2 from the package someday. To answer your question, I would not worry about the warning, especially if you don't use Barnyard2, since then MySQL won't be loaded at all.



  • @bmeeks said in Suricata v4.1.4_2 Package -- Release Notes:

    To disable blocking, you uncheck the Block Offenders checkbox. The "DISABLED" I was talking about is shown under the Suricata Status column on the INTERFACES tab where you start and stop Suricata instances. That column formerly only said ENABLED or DISABLED for blocking. Now, when enabled, it shows you which mode.
    The MySQL client is only used if you enable Barnyard2. This is one of the issues with Barnyard2. It is super old and not maintained anymore, so its dependencies are old. I would really like to just remove Barnyard2 from the package someday. To answer your question, I would not worry about the warning, especially if you don't use Barnyard2, since then MySQL won't be loaded at all.

    Sorry, it seems I misunderstood the release notes. Working as implemented.

    Thank you



  • I have a problem after the re-installation of Suricata 4.1.4_2

    Starting rules update...  Time: 2019-06-06 20:20:06
    	Downloading Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules md5 download failed.
    	Server returned error code 404.
    	Server error message was: 404 Not Found
    	Emerging Threats Open rules will not be updated.
    	Downloading Snort VRT rules md5 file...
    	Checking Snort VRT rules md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort GPLv2 Community Rules md5 file...
    	Checking Snort GPLv2 Community Rules md5 file...
    	Snort GPLv2 Community Rules are up to date.
    The Rules update has finished.  Time: 2019-06-06 20:20:08
    

    Maybe it is a temporary problem. I'm on pfSense 2.5.0.



  • Very likely a temporary issue, especially since it only affected the Emerging Threats rules. Snort rules updates were fine. 99.5% of the time, these 404 errors when updating rules are due to issues on the hosting web site or service. There is some hidden complexity on the rules websites with all the code that has to sense a posted update to a file and then generate the new MD5 checksums for the new file. Lots of little ways that can get out of sync and then lead to errors when users attempt to download. Also remember these sites are hosted on CDNs, so two different clients doing DNS lookups a few minutes apart might be given totally different IP addresses for the same domain. The files may be fine on one server but messed up on another server, so depending on what particular IP your firewall received, it may have gotten pointed to a bad setup.

    So when this happens, don't panic. Just let the process try again at the next update, or you can wait an hour or two and then click the Update button on the UPDATES tab to manually check for an update. If every single update for multiple attempts results in the same error, then yeah it might be an actual package bug. But the exact same PHP code is used for downloading all the possible rules (Snort Subscriber, Emerging Threats, OpenAppID and Snort Community). It is a sub-routine that is called repeatedly using a different URL each time. So if any of the rules update, the firewall code is working just fine.

    My own firewall updated just fine at 1:30 PM US Eastern today. Here is the log snippet:

    Starting rules update...  Time: 2019-06-06 13:30:00
    	Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
    	Checking Snort Subscriber rules md5 file...
    	There is a new set of Snort Subscriber rules posted.
    	Downloading file 'snortrules-snapshot-29120.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort Subscriber Ruleset...
    	Using Snort Subscriber precompiled SO rules for FreeBSD-11 ...
    	Installation of Snort Subscriber rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Updating rules configuration for: DMZ ...
    	Updating rules configuration for: LAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2019-06-06 13:30:44
    


  • @bmeeks I am having some trouble with the update. I saw there was a new version so I ran the update but didn't watch closely. After it said it was successful, I went to go to the settings, and "Suricata" was missing from the Services drop down. I went to Status -> Services and it wasn't listed there either, and if I ran "ps ax" from the CLI I didn't see suricata listed there either.

    I rebooted the firewall but suricata still didn't start. I went into package manager again and it still showed that it was installed, so I clicked on the "reinstall" button. That is still in process - it has been sitting at "There is a new set of Snort rules posted. Downloading..." for more than 30 minutes now.

    Looking at the system log now I do see the following errors repeated for each of my interfaces. I had created a custom Disable SID list that was applied to each interface which contains: "pcre:protocol-command-decode".

    Jun 7 22:35:24	barnyard2	17966	ERROR: Unable to open SID file '/usr/local/etc/suricata/suricata_31723_ovpnc7/sid-msg.map' (No such file or directory)
    Jun 7 22:35:24	barnyard2	17966	FATAL ERROR: [Barnyard2Init()], failed while processing [/usr/local/etc/suricata/suricata_31723_ovpnc7/sid-msg.map]
    Jun 7 22:35:24	barnyard2	17966	Barnyard2 exiting
    

    Any ideas how to fix?

    EDIT for additional info: None of the subdirectories referenced in the error messages exist. /usr/local/etc/suricata is there but none of the suricata_xxxx_yyyyyy subdirectories exist. I'm currently trying to figure out how to manually modify the config to disable barnyard on each interface to see if it would start then.

    Thanks,
    -Matt



  • Uninstall first, then reinstall.



  • @mcarson75 said in Suricata v4.1.4_2 Package -- Release Notes:

    @bmeeks I am having some trouble with the update. I saw there was a new version so I ran the update but didn't watch closely. After it said it was successful, I went to go to the settings, and "Suricata" was missing from the Services drop down. I went to Status -> Services and it wasn't listed there either, and if I ran "ps ax" from the CLI I didn't see suricata listed there either.

    I rebooted the firewall but suricata still didn't start. I went into package manager again and it still showed that it was installed, so I clicked on the "reinstall" button. That is still in process - it has been sitting at "There is a new set of Snort rules posted. Downloading..." for more than 30 minutes now.

    Looking at the system log now I do see the following errors repeated for each of my interfaces. I had created a custom Disable SID list that was applied to each interface which contains: "pcre:protocol-command-decode".

    Jun 7 22:35:24	barnyard2	17966	ERROR: Unable to open SID file '/usr/local/etc/suricata/suricata_31723_ovpnc7/sid-msg.map' (No such file or directory)
    Jun 7 22:35:24	barnyard2	17966	FATAL ERROR: [Barnyard2Init()], failed while processing [/usr/local/etc/suricata/suricata_31723_ovpnc7/sid-msg.map]
    Jun 7 22:35:24	barnyard2	17966	Barnyard2 exiting
    

    Any ideas how to fix?

    EDIT for additional info: None of the subdirectories referenced in the error messages exist. /usr/local/etc/suricata is there but none of the suricata_xxxx_yyyyyy subdirectories exist. I'm currently trying to figure out how to manually modify the config to disable barnyard on each interface to see if it would start then.

    Thanks,
    -Matt

    Your install failed in some manner and now you sort of have a mess, it seems. I always recommend that instead of clicking the Update icon, users delete the package and then install it fresh. Your settings will be preserved.

    Reboot your firewall again to wipe out that reinstall process. When the firewall comes back up, go to PACKAGE MANAGER and the Installed Packages tab and delete the Suricata package. Do NOT reinstall. When the deletion completes (don't worry if it complains about missing files, that's expected in your case), then open the Available Packages tab, find Suricata and install it fresh. Make sure you do not leave the screen until the install fully completes. It will have a green bar when finished.



  • Thanks, that did get it working. Not sure what the install issue was but glad it's good now!

