Netgate Discussion Forum
    Suricata-6.0.3_1 Package Update -- Release Notes (initially for DEVEL Snapshots only)

IDS/IPS

bmeeks (last edited by bmeeks)

      Suricata-6.0.3_1
      This is a pretty significant update for the Suricata package. Because of the introduction of several new features, this update will initially be released only for the Snapshot Development branch of pfSense (so that means 2.6-DEVEL, and perhaps the 21.09 pfSense+ snapshots).

      Note: the FTP, HTTP2 and RFB protocol support; the GeoIP lookup icon; the email, Telegram and Pushover notification features; the FILES tab and File Store browser; and the GID:SID rule text pop-up were contributed by @viktor_g. Thank you Viktor for these enhancements!

      New Features:

1. Support is added for FTP, HTTP2 and RFB event logging via the EVE JSON log system. These require that appropriate rule signatures be provided in order to work. The HTTP2 protocol is still considered experimental in the 6.x Suricata branch, thus the default rules file is not included by default. It can be manually added if desired, or other third-party rules packages may already contain the needed signatures.

      2. Support is added for HTTP2 and RFB application protocol parsing on the APP PARSERS tab.

      3. Add new GeoIP lookup icon to logged alerts and blocked IP addresses on the ALERTS and BLOCKS tabs. The lookup automatically links to an external, public GeoIP lookup site.

      4. Add the ability to enable email, Telegram, and Pushover notifications for rule category and rules archive updates to the GLOBAL SETTINGS tab. Configuration for these various notification mechanisms is done under SYSTEM > ADVANCED on the firewall.

      5. Add new browse feature for captured files when the File Store option is enabled on the INTERFACE SETTINGS tab. The FILES tab allows you to browse the list of captured files, see basic info about each one, and by clicking an Info icon, you can submit the file's hash to one of several Internet malware checking sites.

      6. Add new GID:SID rule text lookup pop-up to the ALERTS tab.

      7. Add support for the latest upstream 6.0.3 version of the Suricata binary.

      8. For pfSense, the new Suricata binary is patched to allow multiple host stack netmap rings to be opened when the other end of the netmap connection exposes multiple RX/TX queues to netmap. This is applicable only to Inline IPS Mode operation. The suricata.log file for the interface will contain messages from the netmap subsystem indicating how many physical NIC and host stack rings are in use for Inline IPS Mode.

      Bug Fixes:

      1. GeoIP2 database download properly defaults to 'off' during a greenfield install.

      2. When saving Suppress and Pass Lists, there is no need to call mb_convert_encoding() for the description field ['desc'], because the config.xml code automatically wraps that field with CDATA tags.

      3. On INTERFACE SETTINGS tab, when enabling File Store in a greenfield install, the default filestore logging directory name is incomplete (missing the UUID portion).

      4. On GLOBAL SETTINGS tab, a cosmetic issue exists where ET-Pro Subscription Code field is not always hidden when ET-Pro Rules download is not enabled.

      5. Correct issues around initial selection and configuration of the first Suricata interface on a greenfield install on the INTERFACE SETTINGS tab.

6. Reorder the EVE Log Info parameters on the INTERFACE SETTINGS tab to improve aesthetics and usability.

      7. Host OS Policy on APP PARSERS tab always gets assigned to the first instance. Redmine Issue #6964.

8. Resolve host via Reverse DNS lookup shows IDN domains as punycode. Redmine Issue #12293.

      Here are some screenshots of the new GUI features in action.

      ALERTS and BLOCKS tabs GeoIP Lookup Popup

[screenshot: suricata_alert_geoip_lookup.png]
      Clicking the Globe icon under an IP address launches the lookup.

      Email, Telegram, and Pushover Notification Messages

[screenshot: suricata_notifications_settings.png]

The above is the GLOBAL SETTINGS tab section where notifications are enabled. It is at the bottom of the page. Here is a sample notification message --

[screenshot: suricata_notification_example.png]

      FILES tab and new File Store captured files browser

[screenshot: suricata_file_store_summary.png]

      This is the new FILES summary tab showing the list of captured files. Clicking the blue Info icon on the right side of the row will launch the File Check page shown below.

[screenshot: suricata_file_check_page.png]

      GID:SID Rule Text Popup on ALERTS tab

[screenshot: suricata_alert_gid_sid_popup.png]

      You can now view the complete rule text for a GID:SID in a pop-up dialog from the ALERTS tab. Each GID:SID is now a hyperlink that opens the rule text pop-up.

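As an added illustration of what New Features 1 and 5 above put into the logs (this is example code, not part of the release notes or of the pfSense Suricata package), the following script reads EVE JSON lines of the kind the new FTP, HTTP2 and RFB loggers emit, tallies those event types, pulls the SHA-256 of each file the File Store actually kept (the same hash the FILES tab lets you submit to a malware-check site), and flags RFB sessions that were negotiated with security type 1 ("None", i.e. no authentication, per RFC 6143). The sample lines are constructed for the example; the top-level EVE layout (one JSON object per line keyed by `event_type`, a `fileinfo` object with `sha256`/`stored`/`size`) follows Suricata's documented conventions, while the inner fields of the `ftp`, `http2` and `rfb` objects are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (not real log output). Top-level fields
# follow Suricata's EVE JSON conventions; the sub-fields of the ftp/http2/rfb
# objects are assumed for illustration. The last line is deliberately not JSON
# to show that a log reader must tolerate a truncated or corrupted line.
SAMPLE_EVE = """\
{"timestamp":"2021-09-01T10:00:00.000000+0000","event_type":"ftp","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","dest_port":21,"proto":"TCP","ftp":{"command":"RETR","command_data":"report.pdf","completion_code":["150","226"],"reply_received":"yes"}}
{"timestamp":"2021-09-01T10:00:01.000000+0000","event_type":"http2","src_ip":"192.0.2.11","dest_ip":"198.51.100.21","dest_port":443,"proto":"TCP","http2":{"request":{"settings":[]},"response":{"settings":[]}}}
{"timestamp":"2021-09-01T10:00:02.000000+0000","event_type":"rfb","src_ip":"192.0.2.12","dest_ip":"198.51.100.22","dest_port":5900,"proto":"TCP","rfb":{"server_protocol_version":{"major":"003","minor":"008"},"authentication":{"security_type":2}}}
{"timestamp":"2021-09-01T10:00:03.000000+0000","event_type":"rfb","src_ip":"192.0.2.15","dest_ip":"198.51.100.25","dest_port":5901,"proto":"TCP","rfb":{"server_protocol_version":{"major":"003","minor":"008"},"authentication":{"security_type":1}}}
{"timestamp":"2021-09-01T10:00:04.000000+0000","event_type":"fileinfo","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"TCP","fileinfo":{"filename":"report.pdf","sha256":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","stored":true,"size":12345}}
{"timestamp":"2021-09-01T10:00:05.000000+0000","event_type":"fileinfo","src_ip":"192.0.2.13","dest_ip":"198.51.100.23","proto":"TCP","fileinfo":{"filename":"inline.js","sha256":"fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210","stored":false,"size":512}}
{"timestamp":"2021-09-01T10:00:06.000000+0000","event_type":"flow","src_ip":"192.0.2.14","dest_ip":"198.51.100.24","proto":"UDP"}
not json: a truncated or corrupted line that a log reader must tolerate
"""

# The three application-layer event types added by this package update.
NEW_EVENT_TYPES = ("ftp", "http2", "rfb")

# RFB security type "None": the server admits the session without any
# authentication (RFC 6143, section 7.1.2).
RFB_SECURITY_NONE = 1


def parse_eve(text):
    """Yield one dict per valid EVE record, silently skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or junk; do not let it abort the whole read
        if isinstance(rec, dict) and "event_type" in rec:
            yield rec


def count_new_protocol_events(text):
    """Return {"ftp": n, "http2": n, "rfb": n} for the new loggers, zeros included."""
    counts = Counter(rec["event_type"] for rec in parse_eve(text)
                     if rec["event_type"] in NEW_EVENT_TYPES)
    return {t: counts.get(t, 0) for t in NEW_EVENT_TYPES}


def stored_file_hashes(text):
    """Return (filename, sha256, size) for fileinfo events whose file was kept in the File Store.

    Only well-formed 64-hex-digit hashes are returned, so the result can be
    handed to a hash-lookup service as-is.
    """
    out = []
    for rec in parse_eve(text):
        if rec["event_type"] != "fileinfo":
            continue
        fi = rec.get("fileinfo", {})
        sha = fi.get("sha256")
        if (fi.get("stored") and isinstance(sha, str) and len(sha) == 64
                and all(c in "0123456789abcdef" for c in sha.lower())):
            out.append((fi.get("filename"), sha.lower(), fi.get("size")))
    return out


def rfb_sessions_without_auth(text):
    """Return (src_ip, dest_ip, dest_port) for RFB sessions negotiated with security type None."""
    hits = []
    for rec in parse_eve(text):
        if rec["event_type"] != "rfb":
            continue
        auth = rec.get("rfb", {}).get("authentication", {})
        if auth.get("security_type") == RFB_SECURITY_NONE:
            hits.append((rec.get("src_ip"), rec.get("dest_ip"), rec.get("dest_port")))
    return hits


if __name__ == "__main__":
    print("new protocol events:", count_new_protocol_events(SAMPLE_EVE))
    for name, sha, size in stored_file_hashes(SAMPLE_EVE):
        print(f"stored file {name} ({size} bytes) sha256={sha}")
    for src, dst, port in rfb_sessions_without_auth(SAMPLE_EVE):
        print(f"RFB session {src} -> {dst}:{port} negotiated without authentication")
```

On a live system you would feed the functions the contents of the interface's eve.json instead of `SAMPLE_EVE`; the unauthenticated-RFB check is the kind of condition that is worth a rule or a dashboard filter once the RFB parser is enabled on the APP PARSERS tab.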
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.