Suricata v4.1.4_7 Package Update Release Notes (pfSense-2.4.4_3)



  • pfSense-pkg-suricata-4.1.4_7

    !! IMPORTANT NOTICE !!
    Do NOT install this update. It contains a nasty bug that will overwrite your most recently created Suricata interface with the settings from your first configured interface. The overwritten interface will be lost. A fix has been posted for the pfSense team to review and merge, but that probably won't happen until Monday, August 26, at the earliest! Look for a new package with version 4.1.4_8 and install that one, but avoid installing 4.1.4_7.

    If you have already installed package version 4.1.4_7 and notice a duplicate interface and your last interface is missing, then you can restore from a previous config.xml backup to bring back the original configuration. You can also simply delete the duplicate interface and create the missing one from scratch.

    This update fixes an issue with displaying the last rules update job status and corrects the spelling of a syslog() PRIORITY constant in the GeoIP2 database update cron task script.

    Formerly the rules update status info was stored in the config.xml file, but that resulted in unnecessary backups of config.xml with each rules update job run. A previous package update removed the call to write_config() that was generating the unnecessary backup, but that prevented the recording of rules update time and status. The rules update execution time and status are now recorded locally in a small file on the firewall.

    New Features:
    None

    Bug Fixes:

    1. A PHP warning message is generated in the crash log due to use of an unknown constant in a call to the syslog() function in the GeoIP2 database update cron task.

    2. Rules update task info (execution time and status) is displaying as either "unknown" or the last package installation date and time.



  • Hello @bmeeks,

    Thank you for the release.

    I have a little problem after the update. I tried to uninstall/reinstall also.

    Before the update I had Suricata running on WAN and LAN.

In Suricata interfaces the WAN interface is doubled now, although you can change it from the drop-down box. But if I just select the interface that way, I will lose the selection of the rules for LAN; I had different rules for WAN and LAN.

[attached screenshot: suricata interfaces.png]

Also the installation log shows that the rules are updated only for the WAN interface, as we can see:

    Installing Emerging Threats Open rules... done.
    Installing Snort rules... done.
    Updating rules configuration for: WAN ... done.
    Updating rules configuration for: WAN ... done.
    Cleaning up after rules extraction... done.
    The Rules update has finished.
    Generating suricata.yaml configuration file from saved settings.
    Generating YAML configuration file for WAN... done.
    Generating YAML configuration file for WAN... done.
    Finished rebuilding Suricata configuration from saved settings.
    Setting package version in configuration file.
    done.
    Executing custom_php_resync_config_command()...done.
    Menu items... done.
    Services... done.
    Writing configuration... done.

    Please let me know if I can revert to a previous package, or do a workaround, until next release. Thanks



  • @NRgia said in Suricata v4.1.4_7 Package Update Release Notes (pfSense-2.4.4_3):

    Hello @bmeeks,

    Thank you for the release.

    I have a little problem after the update. I tried to uninstall/reinstall also.

    Before the update I had Suricata running on WAN and LAN.

In Suricata interfaces the WAN interface is doubled now, although you can change it from the drop-down box. But if I just select the interface that way, I will lose the selection of the rules for LAN; I had different rules for WAN and LAN.

[attached screenshot: suricata interfaces.png]

Also the installation log shows that the rules are updated only for the WAN interface, as we can see:

    Installing Emerging Threats Open rules... done.
    Installing Snort rules... done.
    Updating rules configuration for: WAN ... done.
    Updating rules configuration for: WAN ... done.
    Cleaning up after rules extraction... done.
    The Rules update has finished.
    Generating suricata.yaml configuration file from saved settings.
    Generating YAML configuration file for WAN... done.
    Generating YAML configuration file for WAN... done.
    Finished rebuilding Suricata configuration from saved settings.
    Setting package version in configuration file.
    done.
    Executing custom_php_resync_config_command()...done.
    Menu items... done.
    Services... done.
    Writing configuration... done.

    Please let me know if I can revert to a previous package, or do a workaround, until next release. Thanks

    I know what the problem is. Unfortunately you are going to have to recreate your LAN from scratch or else restore a config.xml backup from before the Suricata update. I fixed this in Snort but did not see it in the Suricata code. There is now a difference apparently in the way PHP treats by-reference array iterators. The bug in the GUI code is part of the post-install script that runs after the package is installed. It essentially overwrites the last entry in the array of configured Suricata interfaces with the first one. For a user with the normal two interfaces (WAN and LAN), this means LAN gets overwritten with WAN's setup.

I will get a fix posted, but since it is the weekend I doubt the pfSense team can merge it until Monday. So in the meantime, you have three options:

    1. Delete that extra WAN interface and recreate LAN from scratch.

    2. Restore a config.xml backup from before you updated Suricata. That should restore the missing interface but leave the Suricata package at the current new version.

    3. Copy and paste the LAN section from an older config.xml into the current file (risky, but doable if you are comfortable reading XML).



  • The bug present in this version of the Suricata package has been corrected in the latest 4.1.4_8 version of Suricata for pfSense-2.4.4_3. Please install only the 4.1.4_8 or later version of the Suricata package.



FYI: We have been running Suricata 4.1.4_5, and when I logged in to the firewall this morning both interfaces had suddenly changed to WAN. I do not recall them both being WAN after the update to 4.1.4_5.

    Maybe there is another bug similar to this, or even older versions of Suricata are affected?



  • @btspce said in Suricata v4.1.4_7 Package Update Release Notes (pfSense-2.4.4_3):

FYI: We have been running Suricata 4.1.4_5, and when I logged in to the firewall this morning both interfaces had suddenly changed to WAN. I do not recall them both being WAN after the update to 4.1.4_5.

    Maybe there is another bug similar to this, or even older versions of Suricata are affected?

    The potential for the bug exists in the GUI code going back for many versions, but the buggy code exists only in a single PHP file that is only executed during a package upgrade or install. The specific PHP module is called to migrate existing configuration settings to the new version being installed. That code would not be called just "out of the blue" during normal operation.

I believe the bug was triggered by some recent changes in the way the PHP engine itself handles something called iterators in foreach() loops. The same Suricata PHP code has existed for several years, but something recently made it start "expressing itself". I think that something was a change in how the PHP engine handles array iterators at the end of a loop.
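The failure mode described in the two replies above (a by-reference foreach() over the interface array, followed by a second loop that reuses the same variable name, so the last interface ends up as a copy of an earlier one) is the classic PHP "dangling reference" pitfall. The following is an added example that reproduces it and shows the fix; it is not the Suricata package's own post-install or migration code. The array shape (a list of per-interface config arrays with 'interface', 'descr' and 'rulesets' keys), the function names migrate_buggy/migrate_fixed, and the assumption that this is the exact mechanism behind the package bug are all mine.

```php
<?php
// Added example: demonstrates the PHP foreach-by-reference pitfall discussed in the
// thread. Illustrative code only, not the pfSense Suricata package's migration script.
// The array layout below is assumed for the sake of the demonstration.

// Constructed sample: two configured Suricata interfaces, a typical WAN + LAN setup.
function sample_rules() {
    return array(
        array('interface' => 'wan', 'descr' => 'WAN', 'rulesets' => 'emerging-scan.rules'),
        array('interface' => 'lan', 'descr' => 'LAN', 'rulesets' => 'emerging-dos.rules'),
    );
}

// Buggy migration pattern. After the first loop, $r is still a reference bound
// to the LAST element of $rules. The second loop assigns each element by value
// into $r, which writes through that reference into the last slot, so the last
// interface becomes a copy of the one before it. With exactly two interfaces
// that means LAN is overwritten with WAN's settings.
function migrate_buggy(array $rules) {
    foreach ($rules as &$r) {
        if (!isset($r['rulesets'])) {
            $r['rulesets'] = '';   // hypothetical "add missing key" migration step
        }
    }
    // No unset($r) here: the reference to $rules[1] survives the loop.
    foreach ($rules as $r) {
        // Each iteration silently clobbers $rules[1] via the stale reference.
    }
    return $rules;
}

// Fixed pattern: break the reference before the variable name is reused.
function migrate_fixed(array $rules) {
    foreach ($rules as &$r) {
        if (!isset($r['rulesets'])) {
            $r['rulesets'] = '';
        }
    }
    unset($r);   // drops the reference to the last element
    foreach ($rules as $r) {
        // $r is now an ordinary copy; $rules is not modified.
    }
    return $rules;
}

// Helper to summarise which interfaces (and rulesets) survived the migration.
function describe(array $rules) {
    $parts = array();
    foreach ($rules as $iface) {
        $parts[] = $iface['descr'] . '(' . $iface['rulesets'] . ')';
    }
    return implode(', ', $parts);
}

echo "buggy: " . describe(migrate_buggy(sample_rules())) . "\n";
echo "fixed: " . describe(migrate_fixed(sample_rules())) . "\n";
```

Run it with the php CLI. The buggy path reports the WAN entry twice, with WAN's rulesets in both slots, which is exactly the "doubled WAN, missing LAN" symptom reported in the thread; the fixed path keeps WAN and LAN with their own rulesets. With three or more interfaces the buggy loop overwrites the last entry with the second-to-last rather than the first, so the safe habit is to always unset() a by-reference loop variable right after the loop, regardless of PHP version.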

