Netgate Discussion Forum

    Suricata 6.0.4 Package Update - Release Notes

      bmeeks

      Suricata-6.0.4

      This update to the Suricata package bumps the underlying binary version to the latest 6.0.4 version from upstream. It also brings the recent changes in the 6.0.3_4 package from the DEVEL snapshot branch into the RELEASE branch of both CE and pfSense Plus.

      Look for this update to appear a little later today. The Netgate team is performing a little work on their package builder system, and that will delay the actual package build a bit.

      For additional new features included in this package, see the Release Notes posted for the previous 6.0.3_4 update.

      New Features:

      1. DHCP, HTTP2, and MQTT default rules are added to the built-in rules package.

      Bug Fixes:

      1. Correct typo in checkbox variable name for HTTP2 EVE logging parameter.
      2. OpenVPN improvements. See https://redmine.pfsense.org/issues/12642. Contributed by @viktor_g.
      3. Suricata rule categories fix. Issue #12643. Contributed by @viktor_g.
        Vollans @bmeeks

        @bmeeks upgrade failed.

        Loading package instructions...
        pkg-static: Fail to rename /var/db/suricata/sidmods/.pkgtemp.disablesid-sample.conf.bSBVY77jUgdY -> /var/db/suricata/sidmods/disablesid-sample.conf:No such file or directory
        Failed

        Any ideas?

          Gertjan @Vollans

          @vollans

          >>> Installing pfSense-pkg-suricata... 
          Updating pfSense-core repository catalogue...
          pfSense-core repository is up to date.
          Updating pfSense repository catalogue...
          pfSense repository is up to date.
          All repositories are up to date.
          The following 10 package(s) will be affected (of 0 checked):
          
          New packages to be INSTALLED:
          	hiredis: 0.13.3 [pfSense]
          	hyperscan: 5.4.0 [pfSense]
          	jansson: 2.13.1 [pfSense]
          	libnet: 1.1.6_5,1 [pfSense]
          	libyaml: 0.2.5 [pfSense]
          	nspr: 4.31 [pfSense]
          	nss: 3.66 [pfSense]
          	pfSense-pkg-suricata: 6.0.4 [pfSense]
          	py38-yaml: 5.4.1 [pfSense]
          	suricata: 6.0.4 [pfSense]
          
          Number of packages to be installed: 10
          
          The process will require 38 MiB more space.
          7 MiB to be downloaded.
          [1/10] Fetching pfSense-pkg-suricata-6.0.4.txz: .......... done
          [2/10] Fetching suricata-6.0.4.txz: .......... done
          [3/10] Fetching libyaml-0.2.5.txz: ......... done
          [4/10] Fetching nss-3.66.txz: .......... done
          [5/10] Fetching nspr-4.31.txz: .......... done
          [6/10] Fetching libnet-1.1.6_5,1.txz: .......... done
          [7/10] Fetching py38-yaml-5.4.1.txz: .......... done
          [8/10] Fetching jansson-2.13.1.txz: ...... done
          [9/10] Fetching hyperscan-5.4.0.txz: .......... done
          [10/10] Fetching hiredis-0.13.3.txz: .......... done
          Checking integrity... done (0 conflicting)
          [1/10] Installing libyaml-0.2.5...
          [1/10] Extracting libyaml-0.2.5: ......... done
          [2/10] Installing nspr-4.31...
          [2/10] Extracting nspr-4.31: .......... done
          [3/10] Installing nss-3.66...
          [3/10] Extracting nss-3.66: .......... done
          [4/10] Installing libnet-1.1.6_5,1...
          [4/10] Extracting libnet-1.1.6_5,1: .......... done
          [5/10] Installing py38-yaml-5.4.1...
          [5/10] Extracting py38-yaml-5.4.1: .......... done
          [6/10] Installing jansson-2.13.1...
          [6/10] Extracting jansson-2.13.1: .......... done
          [7/10] Installing hyperscan-5.4.0...
          [7/10] Extracting hyperscan-5.4.0: .......... done
          [8/10] Installing hiredis-0.13.3...
          [8/10] Extracting hiredis-0.13.3: .......... done
          [9/10] Installing suricata-6.0.4...
          [9/10] Extracting suricata-6.0.4: .......... done
          [10/10] Installing pfSense-pkg-suricata-6.0.4...
          [10/10] Extracting pfSense-pkg-suricata-6.0.4: .......... done
          Saving updated package information...
          done.
          Loading package configuration... done.
          Configuring package components...
          Loading package instructions...
          Custom commands...
          Executing custom_php_install_command()...   
            Setting up initial configuration.
            Setting package version in configuration file.
          done.
          Executing custom_php_resync_config_command()...done.
          Menu items... done.
          Services... done.
          Writing configuration... done.
          =====
          Message from suricata-6.0.4:
          
          --
          If you want to run Suricata in IDS mode, add to /etc/rc.conf:
          
          	suricata_enable="YES"
          	suricata_interface="<if>"
          
          NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
          
          However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
          add to /etc/rc.conf:
          
          	suricata_enable="YES"
          	suricata_divertport="8000"
          
          NOTE:
          	Suricata won't start in IDS mode without an interface configured.
          	Therefore if you omit suricata_interface from rc.conf, FreeBSD's
          	rc.d/suricata will automatically try to start Suricata in IPS Mode
          	(on divert port 8000, by default).
          
          Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
          netmap(4) mode, add to /etc/rc.conf:
          
          	suricata_enable="YES"
          	suricata_netmap="YES"
          
          NOTE:
          	Suricata requires additional interface settings in the configuration
          	file to run in netmap(4) mode.
          
          RULES: Suricata IDS/IPS Engine comes without rules by default. You should
          add rules by yourself and set an updating strategy. To do so, please visit:
          
           http://www.openinfosecfoundation.org/documentation/rules.html
           http://www.openinfosecfoundation.org/documentation/emerging-threats.html
          
          You may want to try BPF in zerocopy mode to test performance improvements:
          
          	sysctl -w net.bpf.zerocopy_enable=1
          
          Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
          >>> Cleaning up cache... done.
          Success
          

          No errors.

          @vollans said in Suricata 6.0.4 Package Update - Release Notes:

          Any ideas?

          Probably a download glitch or an issue with the file system. Reboot your pfSense and look closely if the file system isn't 'dirty' when FreeBSD boots.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            Vollans @Gertjan

            @gertjan Nope, won’t upgrade. Had to uninstall and then reinstall to get it to work.

              Gertjan @Vollans

              @vollans said in Suricata 6.0.4 Package Update - Release Notes:

              then reinstall to get it to work.

              That might be the reason: the name (category?) of the package changed from DEVEL to RELEASE.

                bmeeks @Vollans

                @vollans said in Suricata 6.0.4 Package Update - Release Notes:

                @bmeeks upgrade failed.

                Loading package instructions...
                pkg-static: Fail to rename /var/db/suricata/sidmods/.pkgtemp.disablesid-sample.conf.bSBVY77jUgdY -> /var/db/suricata/sidmods/disablesid-sample.conf:No such file or directory
                Failed

                Any ideas?

                This type of error has popped up randomly for some users over the years for lots of packages. Snort and Suricata are both victims of this at times. I've never had it happen to me during testing, and I test installs and upgrades a LOT on my virtual machines. Since I've never had it happen to me, I can't easily troubleshoot it.

                The error message seems to be something going on with the pkg utility itself as it is unpacking the software archive and copying files to their final destinations.

                The workaround is to simply remove the package and then reinstall it. You won't lose any settings doing that. And depending on exactly what changed in a given version update, removing and reinstalling might actually be the best path.

                  NRgia @Vollans

                  @vollans said in Suricata 6.0.4 Package Update - Release Notes:

                  @bmeeks upgrade failed.

                  Loading package instructions...
                  pkg-static: Fail to rename /var/db/suricata/sidmods/.pkgtemp.disablesid-sample.conf.bSBVY77jUgdY -> /var/db/suricata/sidmods/disablesid-sample.conf:No such file or directory
                  Failed

                  Any ideas?

                  Happened to me also. I uninstalled and reinstalled the package, no issues after that. Make sure you check the "Keep Suricata Settings After Deinstall" option in order to not lose your config.

                    Bob.Dig LAYER 8

                    Here also. My problem was that I had unchecked that box before so I lost all my settings because I had to un- and reinstall, it wouldn't run anymore.
                    Anyways, I will have another look if suricata will block my LAN again. 😉

                    So far so good, although too early to say something definite. What has changed other than the Suricata version is that I don't run any snort rules anymore.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.