Is Suricata package updates blocked by an internal decision?
-
@NRgia said in Is Suricata package updates blocked by an internal decision?:
With your permission @bmeeks can I link your response to that reddit thread, to settle this down?
Sure. What I stated is my understanding and is how things have historically worked. I am not aware of any recent changes to the process.
I've sent an email to Netgate asking them to migrate the latest 6.0.11 Suricata package over to the 23.05 RELEASE branch.
-
I have pending Pull Requests with the Netgate team to update Suricata to the latest 6.0.12 version from upstream.
This should happen in the next day or two. I've asked for the update to be deployed to both the 2.7 CE and 23.09 Plus DEVEL Snapshot branches and the pfSense Plus 23.05 RELEASE branch.
The Pull Requests are here:
https://github.com/pfsense/FreeBSD-ports/pull/1264
https://github.com/pfsense/FreeBSD-ports/pull/1265Unfortunately the new Suricata package requires PHP 8.1 or higher and is thus not compatible with the 2.6.0 CE branch.
-
@bmeeks Thank you Bill
-
The Pull Requests I mentioned and linked in an earlier post above have been merged. Look for new package builds to appear after the next package build cycle.
I think those are now done perhaps once per day ???
-
@bmeeks said in Is Suricata package updates blocked by an internal decision?:
I have pending Pull Requests with the Netgate team to update Suricata to the latest 6.0.12 version from upstream.
This should happen in the next day or two. I've asked for the update to be deployed to both the 2.7 CE and 23.09 Plus DEVEL Snapshot branches and the pfSense Plus 23.05 RELEASE branch.
The Pull Requests are here:
https://github.com/pfsense/FreeBSD-ports/pull/1264
https://github.com/pfsense/FreeBSD-ports/pull/1265Unfortunately the new Suricata package requires PHP 8.1 or higher and is thus not compatible with the 2.6.0 CE branch.
Just installed them on 23.05, no issues. Thank you again
-
@bmeeks Question regarding the use of the Snort paid subscriber rules. This is an older image I just downloaded, but is there a way for Suricata to always use the current snapshot filename rather than having to enter the filename manually after Cisco/Talos updates it?
One thing I like about the Snort package is that you don't have to keep up with this. Thanks.
-
@DefenderLLC said in Is Suricata package updates blocked by an internal decision?:
@bmeeks Question regarding the use of the Snort paid subscriber rules. This is an older image I just downloaded, but is there a way for Suricata to always use the current snapshot filename rather than having to enter the filename manually after Cisco/Talos updates it?
One thing I like about the Snort package is that you don't have to keep up with this. Thanks.
No, how would Suricata know what the current Snort snapshot version is?
The Snort binary is locked to the rules version. You can't use a Snort rules snapshot file that has a different version than the Snort binary with Snort. So, Snort simply downloads the file that matches its internal binary version. That's how it always uses the most recent snapshot.
Suricata can't do that because it has no way to know what the current Snort snapshot version might be.
-
@bmeeks said in Is Suricata package updates blocked by an internal decision?:
@DefenderLLC said in Is Suricata package updates blocked by an internal decision?:
@bmeeks Question regarding the use of the Snort paid subscriber rules. This is an older image I just downloaded, but is there a way for Suricata to always use the current snapshot filename rather than having to enter the filename manually after Cisco/Talos updates it?
One thing I like about the Snort package is that you don't have to keep up with this. Thanks.
No, how would Suricata know what the current Snort snapshot version is?
The Snort binary is locked to the rules version. You can't use a Snort rules snapshot file that has a different version than the Snort binary with Snort. So, Snort simply downloads the file that matches its internal binary version. That's how it always uses the most recent snapshot.
Suricata can't do that because it has no way to know what the current Snort snapshot version might be.
Makes sense. Thanks for the quick response. I never made the connection of the snapshot version being tied to the binary version. I was thinking those were the daily/weekly updates. (facepalm).
I never really paid much attention to this when I briefly used Suricata before. I might just keep using Snort until they officially stop developing 2.9 like you mentioned yesterday. Thanks again.
-
@DefenderLLC said in Is Suricata package updates blocked by an internal decision?:
@bmeeks said in Is Suricata package updates blocked by an internal decision?:
@DefenderLLC said in Is Suricata package updates blocked by an internal decision?:
@bmeeks Question regarding the use of the Snort paid subscriber rules. This is an older image I just downloaded, but is there a way for Suricata to always use the current snapshot filename rather than having to enter the filename manually after Cisco/Talos updates it?
One thing I like about the Snort package is that you don't have to keep up with this. Thanks.
No, how would Suricata know what the current Snort snapshot version is?
The Snort binary is locked to the rules version. You can't use a Snort rules snapshot file that has a different version than the Snort binary with Snort. So, Snort simply downloads the file that matches its internal binary version. That's how it always uses the most recent snapshot.
Suricata can't do that because it has no way to know what the current Snort snapshot version might be.
Makes sense. Thanks for the quick response. I never made the connection of the snapshot version being tied to the binary version. I was thinking those were the daily/weekly updates. (facepalm).
I never really paid much attention to this when I briefly used Suricata before. I might just keep using Snort until they officially stop developing 2.9 like you mentioned yesterday. Thanks again.
It's pretty simple to keep the most current Snort rules with Suricata. Simply visit https://snort.org, log in with your account credentials, and check what the most recent 2.9.x snapshot file version is. It will only change when there is a major change to the Snort binary. For the 2.9.x branch, changes are down to maybe one per year (if that).
Here is a Sticky Post link I created sometime back describing the process: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated.
But note that when using Snort rules with Suricata it is normal for several of them to cause syntax errors and fail to load. Several hundred of the Snort VRT rules are incompatible with Suricata. But Suricata will simply print an error when loading those rules and skip them.
-
@bmeeks Thank you, Mr. Meeks.
