Suricata v7
-
I've seen some news that Suricata v7 was released recently. I know it's going to take time before it's implemented in pfSense but wasn't sure if there might be a rough timeline already or not.
-
No specific timeline exists. There are some significant changes to a few defaults in Suricata 7. Those changes will likely require some updates within the PHP GUI on pfSense, so it's not as easy to rollout v7.0 as it is to rollout minor version upgrades to the Suricata binary.
-
I've posted a Suricata 7.0.0 package update for the DEVELOPMENT Snapshot testing branch. For the moment that branch and its packages are not showing updates because they have been temporarily disabled while the pfSense developer team is completing some internal testing on the new pfSense development branch. Once their initial testing is done, the package repo system will be enabled and the new Suricata 7.0.0 package will show as available for DEVELOPMENT Snapshot users/testers. After a time in the testing branch, the 7.0.0 package will be ported to the RELEASE branches of pfSense CE and Plus.
Release notes for the new package are in this thread: https://forum.netgate.com/topic/182134/suricata-7-0-0-package-update-for-devel-snapshots-release-notes.
-
@bmeeks Do Suricata 7.0.0 package have zip files support ?
-
@yorke said in Suricata v7:
@bmeeks Do Suricata 7.0.0 package have zip files support ?
Can you be more specific with your question? What kind of zip files support are you asking about?
-
@bmeeks the pcaps capability being expanded is really exciting. Maybe not in this release but in a future release can a GUI option be made to view pcaps or at least downloaded from the gui
-
Any Suricata users out there running this new 7.0.0 version in the pfSense snapshots branch? If so, I am interested in any feedback you have. Contemplating when the package is ready to rollout for the RELEASE branches of pfSense CE and pfSense Plus.
-
@bmeeks zip file support under Extra rules.
The following input errors were detected:
.zip is not valid rules or tar.gz rules archive. -
@yorke said in Suricata v7:
@bmeeks zip file support under Extra rules.
The following input errors were detected:
.zip is not valid rules or tar.gz rules archive.I did not write the portion of the GUI package that supports Extra rules. That code was submitted by another developer. I see that he included specific checks for the rules archive format and basically allows only two forms: (1) cleartext files with the
*.rulesextension, and (2)*.tar.gzwhich are gzipped tar files.Likely this is because the
tarutility is used to unpack thetar.gzfiles. On every site I've seen that offers Suricata rules packages, they offered both ZIP format for Windows and tar.gz format (or the plain *.rules format) for FreeBSD/Linux systems. -
Is Suricata v7 available in 23.09 RC?
-
@pfsjap said in Suricata v7:
Is Suricata v7 available in 23.09 RC?
Yes, the package in that branch should be 7.0.0_2 if I recall correctly.
The most recent release from upstream is 7.0.2, but I don't believe that update has landed in FreeBSD ports just yet (but it's been a week or so since I last checked).
I do not have a pfSense Plus test environment, so I can't verify at the moment what Suricata package version is showing. But I do know that I submitted the pull request for the last update and that was for 7.0.0_2.
-
@bmeeks Can confirm that 7.0.0_2 shows up for my plus box
-
@bmeeks Thanks, had it still been Suricata v6, I would have waited for 23.09 release, but now I'll try the RC.
Suricata version in 23.05.1 has a problem with Run Mode. If I set Run Mode to Workers for both of the LAN interfaces configured, then one of them keeps logging "SURICATA STREAM pkt seen on wrong thread". Setting only one interface to Workers is ok.
-
Seems like v7 has the same problem and one interface has to be set to Run Mode = AutoFP.
-
@pfsjap said in Suricata v7:
@bmeeks Thanks, had it still been Suricata v6, I would have waited for 23.09 release, but now I'll try the RC.
Suricata version in 23.05.1 has a problem with Run Mode. If I set Run Mode to Workers for both of the LAN interfaces configured, then one of them keeps logging "SURICATA STREAM pkt seen on wrong thread". Setting only one interface to Workers is ok.
This is a recurring issue that has existed through several Suricata major versions. The upstream team has worked on several fixes, but so far as I can tell they have not been able to fully eliminate the issue. I think one reason for that is that the root cause has not firmly identified. There are theories, but apparently none are 100% correct as all the fixes based on the theories have not proven 100% effective.
Workers Mode aligns the threading engine differently than AutoFP Mode. In Workers a given thread handles a packet from acquisition through decoding/detection and then to verdict (alert, drop, pass, etc.). In AutoFP Mode packet acquisition and processing are separated. There is a queue of threads for acquiring packets and handing them off to a separate queue of threads for the decode/detect/verdict processing.
