Suricata v4.1.6_1 - Package update Release Notes
-
Suricata-4.1.6_1
This GUI package update provides support for the latest version of the Suricata binary (v4.1.6). It also corrects five bugs and adds four new features.
Note: support for the Suricata 5.0.1 binary is forthcoming, but that version will ONLY run on Intel/AMD64 hardware as of now due to the decision from upstream to make Rust a requirement for compiling the 5.x binary. Currently there is no method for compiling Rust to support installing the Suricata 5.x binary on ARM-based hardware such as the SG-1000, SG-1100 and SG-3100 Netgate appliances. I am working with the pfSense developer team to come up with a method to maintain a 4.x version of Suricata for ARM hardware while the 5.x version is made available for Intel/AMD64 hardware.
New Features:
- Added column sorting to the RULES tab so it behaves the same as the ALERTS tab.
- Make filters on the ALERTS tab sticky across other actions such as suppressing alerts or disabling a SID. Currently any applied filter resets. See Redmine Issue #9902.
- Highlight rules with the "noalert;" option on the RULES tab by coloring the text using the Bootstrap class "text-success" and using a different ACTION icon. Note that you cannot change the action for these rules. The noalert; option overrides the action verb in such rules, so there is no point in changing the action. If you want such rules to actually alert, then you would need to alter the rule content to remove the noalert; option.
- Added option to set a unique logging directory for the file-store configuration section in suricata.yaml.
Bug Fixes:
- When creating HOME_NET and EXTERNAL_NET (and other ipvars), make sure there is a comma followed by a space for each IP entry. Failure to do so with intermixed IPv4 and IPv6 addresses results in failure to start with no ERRCODE given. See Suricata Redmine Issue #3222.
- Use of the explode() function in suricata_interfaces_edit.php generates a warning because the second parameter of the function call is not interpreted as an empty string due to being uninitialized on green-field installs.
- When SID MGMT changes rules to DROP or REJECT, it is not skipping rules containing a "flowbits:noalert;" tag. This can result in dropped traffic without any logged alert about the drop or reject action.
- The IP Reputation List enable option on the IPREP tab actually defaults to "ON" when it should default to "OFF". See Redmine Issue #9981.
- MaxMind GeoLite2 IP DB now requires a license key for GeoIP2 database downloads. Add support for a user-supplied license key.
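The ipvar fix in the first bug above, as an added example in Python rather than the package's own PHP: build the HOME_NET / EXTERNAL_NET values with a comma and a space between entries, and reject malformed entries up front instead of letting Suricata fail to start with no error code. The helper names (build_ipvar, ipvar_error, render_vars) are hypothetical and the sample address lists are constructed; nested bracket groups such as "[10.0.0.0/8, ![10.1.1.1]]" are deliberately not handled.

```python
import ipaddress

# Added example, not the pfSense package's PHP: assemble suricata.yaml ipvars.
# Each entry is a host, a CIDR, "any", a variable reference ($HOME_NET), or any
# of those negated with a leading "!". Nested bracket groups are not handled.

def _check_entry(entry: str) -> None:
    """Raise ValueError if entry is not something Suricata will accept in an ipvar."""
    body = entry[1:] if entry.startswith("!") else entry
    if not body:
        raise ValueError(f"empty ipvar entry {entry!r}")
    if body.startswith("$") or body.lower() == "any":
        return  # reference to another address group (e.g. !$HOME_NET) or the keyword any
    # strict=False lets both "192.168.1.5" (host) and "10.1.0.0/16" (network) through
    ipaddress.ip_network(body, strict=False)  # raises ValueError on junk

def build_ipvar(entries) -> str:
    """Value for one address group. Several entries are bracketed and joined with
    ", " (comma + space), the form the 4.1.6_1 fix uses so that a list mixing
    IPv4 and IPv6 entries does not make Suricata fail to start."""
    cleaned = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue  # blank lines pasted into a GUI textarea
        _check_entry(entry)
        cleaned.append(entry)
    if not cleaned:
        raise ValueError("an ipvar needs at least one entry")
    if len(cleaned) == 1:
        return cleaned[0]
    return "[" + ", ".join(cleaned) + "]"

def ipvar_error(entries):
    """None when entries form a valid ipvar, otherwise the error text (for GUI validation)."""
    try:
        build_ipvar(entries)
    except ValueError as exc:
        return str(exc)
    return None

def render_vars(address_groups: dict) -> str:
    """Render the vars: / address-groups: block of suricata.yaml."""
    lines = ["vars:", "  address-groups:"]
    for name, entries in address_groups.items():
        lines.append(f'    {name}: "{build_ipvar(entries)}"')
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample input mixing IPv4 and IPv6, the case that triggered the bug.
    print(render_vars({
        "HOME_NET": ["192.168.1.0/24", "10.0.0.0/8", "2001:db8:1::/48", "fe80::/10"],
        "EXTERNAL_NET": ["!$HOME_NET"],
    }))
```

Validating each entry with the ipaddress module before writing suricata.yaml is the check that turns a silent start-up failure into a message in the GUI.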
-
Re: Suricata 5.0.1 and AMD64/ARM.... Just curious, but what about Intel hardware e.g. Intel Core i5-5250U?
-
Hi bmeeks,
Since the last update to Suricata-4.1.6_1 my GeoIP drop rules do nothing.
- GeoIP drop rules take no action.
- No drop logs in eve.json.
- Removing and reinstalling Suricata changes nothing; same thing.
- No error in the Suricata log:
rules successfully loaded, 0 rules failed engine started.
- GeoLite2 IP DB downloaded fine with license key:
ls -l /usr/local/share/suricata/GeoLite2
total 4000
-rw-r--r-- 1 root wheel 4044800 Jan 8 10:37 GeoLite2-Country.mmdb
- GeoIP lib:
suricata --build-info
GeoIP support: yes, libmaxminddb
Thanks in advance!
Best regards.
-
@occamsrazor said in Suricata v4.1.6_1 - Package update Release Notes:
Re: Suricate 5.0.1 and AMD64/ARM.... Just curious, but what about Intel hardware e.g. Intel Core i5-5250U?
In the FreeBSD package world, AMD64 means Intel as well since those two chips execute essentially identical instructions; binary code that runs on one will run on the other.
ARM hardware uses a completely different binary instruction set (the opcodes are quite different), thus a separate compilation environment is required to create ARM code. Intel/AMD code is identical and so you can compile for either chip using the same compilation environment.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
Since the last update to Suricata-4.1.6_1 my GeoIP drop rules do nothing.
Do your custom GeoIP rules by chance contain the noalert; option? I would not think so, but that is the only thing that changed in the package code logic with this release.
Will you post one or two of your GeoIP rules and let me take a look (and test them myself)?
-
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
Do your custom GeoIP rules by chance contain the noalert; option? I would not think so, but that is the only thing that changed in the package code logic with this release.
Will you post one or two of your GeoIP rules and let me take a look (and test them myself)?
My GeoIP rules do not contain the noalert; option.
This is a simple GeoIP rule:
drop ip any any -> any any (msg:"ASIA GEOIP"; geoip:AA,AF,AM,AZ,BH,BD,BT,IO,IN,BN,KH,KR,CX,CC,GE,JO,HK,ID,IR,IQ,KZ,KW,KG,LA,LB,LK,MO,MV,MN,MM,NP,KP,OM,PK,PH,SA,SY,TJ,TH,TR,TM,UZ,VN,YE; classtype:bad-unknown; sid:9900057; rev:1;)
In the previous version of Suricata, the rule matched, dropped and logged.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
My GeoIP rules do not contain the noalert; option.
In the previous version of Suricata, the rule matched, dropped and logged.
I am looking into this. It does not work for me either, but I made no GeoIP related changes in the binary at all. The only change was to provide a license key when downloading the MaxMind DB. I am reasonably sure that is unrelated to GeoIP rules not working. I'm beginning to wonder if it is a change from upstream in the binary. A different person did post a patch on Suricata upstream for the GeoIP area in the configure.ac file that was accepted into version 4.1.6. I'm investigating that change to see if it might have an unanticipated consequence.
It will take me a few minutes to accomplish, but I will create a version 4.1.5 binary and test it with the current GUI code. That will tell me if the issue is coming from Suricata upstream or not.
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
It will take me a few minutes to accomplish, but I will create a version 4.1.5 binary and test it with the current GUI code. That will tell me if the issue is coming from Suricata upstream or not.
Ok, thank you very much for your investigations!
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
Ok, thank you very much for your investigations!
It's getting more puzzling. What Suricata version were you running that was working prior to this latest 4.1.6 update? Were you running 4.1.5, or something even older?
I have tried the 4.1.6 binary, the 4.1.5 binary, and now I'm trying the 4.1.4 binary and none are working for me. I'm beginning to wonder if the actual libmaxminddb library has changed. The next step is to compile a debug version of the Suricata binary and start stepping through the code to see what's changed.
I did find that the new GeoIP2 download code that uses the license key is unzipping a database with an error in it, but in testing I got around that by copying over a known good database and running the mmdblookup utility. So I know I have a valid database, but even with that, the Suricata binary is not triggering the GeoIP rules.
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
It's getting more puzzling. What Suricata version were you running that was working prior to this latest 4.1.6 update? Were you running 4.1.5, or something even older?
Prior to 4.1.6 I was using the 4.1.5 version and all GeoIP rules worked fine for me.
It's a DB file problem.
I removed the Suricata DB file downloaded with the license key:
cd /usr/local/share/suricata/GeoLite2/
rm GeoLite2-Country.mmdb
Then I created a link from the pfBlockerNG DB (DB version is from December) to the Suricata GeoLite directory:
ln GeoLite2-Country.mmdb /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb
Then I restarted Suricata and the GeoIP rules work well.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
Prior to 4.1.6 I was using the 4.1.5 version and all GeoIP rules worked fine for me.
Thanks. I'm looking into what the problem could be. Creating a debug build now so I can trace the actual code execution in the binary as it attempts a geoip lookup.
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
Thanks. I'm looking into what the problem could be. Creating a debug build now so I can trace the actual code execution in the binary as it attempts a geoip lookup.
Sorry, I've edited my last post, see above; I think it's a DB file problem.
GeoIP rules work well with the pfBlockerNG DB file from December.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
I've edited my last post, see above; I think it's a DB file problem.
Thanks for the update. I will change direction in my investigation and see what's wrong with the new database that is being downloaded. Maybe it is not getting unzipped properly or something. Fixing that will be much easier than chasing down a binary issue.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
Sorry, I've edited my last post, see above; I think it's a DB file problem.
GeoIP rules work well with the pfBlockerNG DB file from December.
Okay, I've got this sorted out and will submit a fix for it soon.
The root cause is the new database gzip archive has an extra sub-directory path in it where the actual database is stored. My PHP code was not allowing for that and thus wound up copying a corrupted database over to the shared area where Suricata was looking.
I also shot myself in the foot when investigating the database because I initially was using my own custom rule with a known IP address from Japan for testing. However, later during my testing, I switched over to using your custom rule in my test setup, but I did not notice until MUCH later that your rule does not contain the JP country code for Japan. Thus my tests using the JP IP address were all still failing, even with a "good" database in place. That false result sent me down the path of suspecting the binary ... . When you said copying over the pfBlockerNG database fixed it for you, I went back and carefully checked my testing methodology and discovered the issue with the IP address I was using not actually being covered in your GeoIP rule! Feel really stupid now...
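Two rule-handling points from this thread, as one added example in Python (not the pfSense package's PHP): the SID MGMT fix from the release notes, which must leave a rule carrying noalert or flowbits:noalert alone when switching actions to DROP or REJECT, and the testing lesson in the post above, which is to confirm that the test address's country is actually in the rule's geoip list before suspecting the engine. The helper names (split_rule, set_action, rule_covers_country) are hypothetical; ASIA_RULE is the rule jm1384 posted in this thread, NOALERT_RULE is constructed for the example, and negated geoip lists are not handled.

```python
import re

# Added example, not the pfSense package's code: minimal Suricata rule-line helpers.
ACTIONS = ("alert", "drop", "reject", "pass", "log")

def _split_options(body: str) -> list:
    """Split the text inside the rule's parentheses on ';' characters that are not
    inside double quotes (msg:"a;b" or pcre:"/;/" must stay whole)."""
    opts, cur, in_quotes, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def split_rule(rule: str):
    """Return (action, header, options) for one rule line; ValueError if it is not a rule."""
    m = re.match(r"^\s*(\w+)\s+([^(]+?)\s*\((.*)\)\s*$", rule, re.S)
    if not m or m.group(1) not in ACTIONS:
        raise ValueError(f"not a Suricata rule: {rule[:40]!r}")
    action, header, body = m.groups()
    return action, header, _split_options(body)

def is_noalert(options) -> bool:
    """True when the rule carries "noalert" or "flowbits:noalert" (it never logs an alert)."""
    for opt in options:
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "noalert" or (key == "flowbits" and val == "noalert"):
            return True
    return False

def set_action(rule: str, new_action: str) -> str:
    """The SID MGMT step: rewrite the action verb, but leave noalert rules untouched so
    traffic is never dropped or rejected without a logged alert."""
    if new_action not in ACTIONS:
        raise ValueError(f"unknown action {new_action!r}")
    _, _, options = split_rule(rule)
    if is_noalert(options):
        return rule
    return re.sub(r"^\s*\w+", new_action, rule, count=1)

def geoip_countries(options) -> set:
    """ISO country codes named by the rule's geoip option, after stripping the optional
    src/dst/both/any direction qualifier. Negated lists are out of scope here."""
    for opt in options:
        key, _, val = opt.partition(":")
        if key.strip() != "geoip":
            continue
        parts = [p.strip().upper() for p in val.split(",") if p.strip()]
        if parts and parts[0] in ("SRC", "DST", "BOTH", "ANY"):
            parts = parts[1:]
        return set(parts)
    return set()

def rule_covers_country(rule: str, country_code: str) -> bool:
    """Test-setup sanity check: can this rule fire for an address in country_code at all?"""
    return country_code.upper() in geoip_countries(split_rule(rule)[2])

# The rule jm1384 posted in this thread.
ASIA_RULE = ('drop ip any any -> any any (msg:"ASIA GEOIP"; geoip:AA,AF,AM,AZ,BH,BD,BT,IO,IN,'
             'BN,KH,KR,CX,CC,GE,JO,HK,ID,IR,IQ,KZ,KW,KG,LA,LB,LK,MO,MV,MN,MM,NP,KP,OM,PK,PH,'
             'SA,SY,TJ,TH,TR,TM,UZ,VN,YE; classtype:bad-unknown; sid:9900057; rev:1;)')

# Constructed rule with flowbits:noalert, the case the 4.1.6_1 SID MGMT fix is about.
NOALERT_RULE = ('alert tcp any any -> any any (msg:"set marker"; flow:established; '
                'flowbits:set,seen.marker; flowbits:noalert; sid:9900001; rev:1;)')

if __name__ == "__main__":
    print("JP covered by ASIA rule:", rule_covers_country(ASIA_RULE, "JP"))  # False
    print("KR covered by ASIA rule:", rule_covers_country(ASIA_RULE, "KR"))  # True
    print("noalert rule left alone:", set_action(NOALERT_RULE, "drop") == NOALERT_RULE)  # True
    print(set_action(ASIA_RULE, "alert")[:32])
```

Running rule_covers_country against the test address's country before packets are sent is the check that would have caught the JP mismatch in a few seconds rather than after rebuilding three binaries.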
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
Okay, I've got this sorted out and will submit a fix for it soon.
That's good news!
Thank you very much bmeeks!
Oh my god! You're going around in circles just for a missing country code in my rule.
Sorry for this mistake. I'm waiting for the update; thanks for everything bmeeks!
Best regards.
-
@jm1384 said in Suricata v4.1.6_1 - Package update Release Notes:
Oh my god! You're going around in circles just for a missing country code in my rule.
Sorry for this mistake.
It was my fault for not double-checking the IP. It just did not cross my mind. I chose the IP initially anyway, and then did not verify that your rule covered the IP I had arbitrarily chosen. My fault all the way.
There is a happy ending, though. It gives me a chance to make the GeoIP database download script more robust. Also have it checking the posted MD5 hash on the MaxMind site against what is already present on the firewall so that it only downloads a new database when there is a mismatch. I'm going to change the check for a new database version back to once per day since it will only be downloading and checking the 32 byte MD5 file. If the MD5 on the firewall differs from the posted MD5 on the MaxMind site, then it will download the entire database (approximately 4 MB).
-
The problems with GeoIP database downloads and loss of GeoIP functionality in the Suricata 4.1.6 package have been identified and corrected. Look for an update to 4.1.6_2 to show up in the near future. Here is a link to the pull request containing the fix: https://github.com/pfsense/FreeBSD-ports/pull/749.
-
@bmeeks said in Suricata v4.1.6_1 - Package update Release Notes:
The problems with GeoIP database downloads and loss of GeoIP functionality in the Suricata 4.1.6 package have been identified and corrected. Look for an update to 4.1.6_2 to show up in the near future. Here is a link to the pull request containing the fix: https://github.com/pfsense/FreeBSD-ports/pull/749.
Thanks bmeeks for the pull request!
-
Updated 4.1.6_1 to 4.1.6_2 today (removed and reinstalled the package) and the database was corrupted after extraction:
System log:
[Suricata] A new GeoLite2-Country IP database is available.
[Suricata] Downloading new GeoLite2-Country IP database...
[Suricata] New GeoLite2-Country IP database gzip archive successfully downloaded.
[Suricata] Extracting new GeoLite2-Country database from the archive...
[Suricata] Moving new database to /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb...
[Suricata] GeoLite2-Country database update completed.
[Suricata] Cleaning up temp files after GeoLite2-Country database update.
Suricata log:
Failed to open GeoIP2 database: /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb. Error was: The MaxMind DB file contains invalid metadata. GeoIP rule matching is disabled.
Temp fix:
Create a link from the pfBlockerNG MaxMind DB to the Suricata GeoLite directory:
cd /usr/local/share/suricata/GeoLite2/
rm GeoLite2*
cd /usr/local/share/GeoIP
ln GeoLite2-Country.mmdb /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb
ls -l GeoLite2-Country.mmdb
-rw-r--r-- 2 root wheel 4035535 Jan 7 00:45 GeoLite2-Country.mmdb
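The database-update pieces discussed across this thread, as one added example in Python rather than the package's PHP: the root cause bmeeks identified (the .mmdb sits under a dated sub-directory inside the tar.gz, so the extractor must locate it by name, not by a fixed path), the MD5 comparison he plans so the ~4 MB archive is only fetched when the posted hash changes, and a pre-install check that would have refused the file behind the "MaxMind DB file contains invalid metadata" error above instead of moving it into place. The helper names (install_mmdb, mmdb_error, needs_download) are hypothetical, the archive fixture is constructed with a made-up "GeoLite2-Country_20200107/" prefix standing in for the real download, and the posted MD5 is assumed to be the hash of the archive. The validity check only confirms that the MaxMind DB metadata marker and a map control byte are present in the file's tail; it does not decode the metadata.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Added example, not the pfSense package's PHP. Constants from the MaxMind DB file format.
MMDB_MARKER = b"\xab\xcd\xefMaxMind.com"  # precedes the metadata section at the end of the file
MAP_TYPE = 7                              # control-byte type code for a map

def mmdb_error(data: bytes):
    """None if data looks like a MaxMind DB, else the reason. The marker must appear in
    the last 128 KiB and the metadata after it must start with a map control byte, so a
    file truncated or mangled during extraction fails here rather than at Suricata start."""
    tail = data[-131072:]
    pos = tail.rfind(MMDB_MARKER)
    if pos < 0:
        return "metadata marker not found"
    meta = tail[pos + len(MMDB_MARKER):]
    if not meta or (meta[0] >> 5) != MAP_TYPE:
        return "metadata section is not a map"
    return None

def find_mmdb_member(tar: tarfile.TarFile, basename: str) -> tarfile.TarInfo:
    """Find basename anywhere in the archive, whatever directory prefix sits in front of it."""
    for member in tar.getmembers():
        if member.isfile() and os.path.basename(member.name) == basename:
            return member
    raise FileNotFoundError(f"{basename} not in archive")

def install_mmdb(archive_bytes: bytes, dest_path: str, basename: str = "GeoLite2-Country.mmdb") -> str:
    """Extract basename from a .tar.gz, validate it, and atomically replace dest_path.
    Raises ValueError rather than leaving a corrupt file where Suricata will load it.
    Returns the archive's MD5 so the caller can record it next to the database."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        data = tar.extractfile(find_mmdb_member(tar, basename)).read()
    err = mmdb_error(data)
    if err:
        raise ValueError(f"refusing to install {basename}: {err}")
    tmp = dest_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, dest_path)  # atomic rename: readers see the old file or the new one, never a partial one
    return hashlib.md5(archive_bytes).hexdigest()

def needs_download(posted_md5: str, state_file: str) -> bool:
    """Compare the 32-byte MD5 MaxMind publishes with the one recorded at the last install."""
    try:
        with open(state_file) as fh:
            return fh.read().strip().lower() != posted_md5.strip().lower()
    except FileNotFoundError:
        return True

# --- constructed fixtures (not real MaxMind data) ---------------------------------------
FAKE_GOOD_DB = b"\x00" * 64 + MMDB_MARKER + bytes([(MAP_TYPE << 5) | 2]) + b"\x00" * 8

def make_test_archive(db_bytes: bytes, prefix: str = "GeoLite2-Country_20200107") -> bytes:
    """A tar.gz with the database under a dated sub-directory, the layout the thread found."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in ((f"{prefix}/COPYRIGHT.txt", b"fixture"),
                              (f"{prefix}/GeoLite2-Country.mmdb", db_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def run_demo() -> dict:
    """Exercise the helpers end to end in a temp directory and return what was observed."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "GeoLite2-Country.mmdb")
        state = os.path.join(d, "GeoLite2-Country.md5")
        good = make_test_archive(FAKE_GOOD_DB)
        posted = hashlib.md5(good).hexdigest()
        out["needs_download_first"] = needs_download(posted, state)
        with open(state, "w") as fh:
            fh.write(install_mmdb(good, dest))
        out["needs_download_after"] = needs_download(posted, state)
        with open(dest, "rb") as fh:
            out["installed_valid"] = mmdb_error(fh.read()) is None
        # database truncated before its marker: must be rejected and must not clobber the good one
        try:
            install_mmdb(make_test_archive(FAKE_GOOD_DB[:40]), dest)
            out["corrupt_rejected"] = False
        except ValueError:
            out["corrupt_rejected"] = True
        with open(dest, "rb") as fh:
            out["good_db_kept"] = mmdb_error(fh.read()) is None
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ordering matters: validate the extracted bytes, write to a temporary name, then rename. That way a bad download (or a bad unpack, as happened with 4.1.6_2 here) never leaves a corrupt GeoLite2-Country.mmdb where Suricata will open it at the next restart.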
-
@jm1384 For me it works...no errors:
Also checked the log here /var/log/suricata/suricata_[interface]/suricata.log, and found no errors.