Look for new Suricata 7.0.2 package update coming soon
-
I've created an update for the Suricata package that is posted for review by the Netgate developer team. I'm hoping the new package shows up for all pfSense CE and pfSense Plus users in the near future.
Here are the Release Notes:
Suricata -7.0.2
This updates the Suricata GUI package to support the latest 7.0.2 binary from upstream. Here is a link to the most notable updates to the binary: https://redmine.openinfosecfoundation.org/versions/198. The GUI package update contains one feature enhancement and two bug fixes.
New Features:
- Added new EVE JSON logging option to log Ethernet headers (MAC addresses) from a packet when available. See Redmine Issue 14954.
Bug Fixes:
- Fix Redmine Issue 14955 - Fatal PHP error generated when attempting to create an EventTime object from an invalid line of text read from the alerts.log or blocks.log files.
- Fix Redmine Issue 14956 - Suricata GUI generates invalid syslog priority values in suricata.yaml file for some drop-down list values.
-
thanks for this, upgraded without problems
Q: I'm still uninstalling the older version, then installing the latest version. Is this still recommended?
this new version solves my problem, read here.
They can now be selectively disabled in interfaces // XXX interface // checkboxes under ruleset: default rules
-
@jpgpi250 said in Look for new Suricata 7.0.2 package update coming soon:
I'm still uninstalling the older version, then installing the latest version. Is this still recommended?
This is guaranteed to be the most reliable way of updating. It depends on whether a given update modifies the file /usr/local/pkg/suricata/suricata.inc or not. That include file is referenced in every other PHP source code file for the package because it includes a ton of shared functions. PHP will cache that file once it loads it. That means if a newer version is laid down during an install the currently running PHP process doing the package install/update will not "see it". It's a bit complicated to fully explain, but the upshot is if a new function was added, or else an existing one modified, in the snort.inc file coming in with a package update; the running install process updating the package with the code won't see the updated suricata.inc file. That can lead to install failures.
Removing the package first deletes ALL the source code files and then reinstalls the new ones from the updated package tarball. That guarantees the newest version of suricata.inc or any other source file is present on the filesystem before the Suricata package post-install code executes. That post-install code is what reads your existing configuration, rebuilds the Suricata config files, and then launches the Suricata daemon on your configured interfaces. And it's that post-install code that can be handed the incorrect "cached version" of suricata.inc if that file has been changed in the new version. I try to remember and explicitly note when a remove and reinstall is required in any package update release notes I post.
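The following PHP snippet is an added illustration of the include-caching behaviour described in the post above; it is not part of the original thread and not code from the pfSense Suricata package. The file name demo_suricata.inc and the demo_* function names are hypothetical stand-ins for suricata.inc and its shared functions: the script loads a "v1" include, overwrites it on disk with a "v2" that adds a function (as a package update would), and shows that the already-running process still only has the v1 definitions.

```php
<?php
// Added example (hypothetical names): why a running PHP process keeps the
// function definitions from the include file it loaded first, even after a
// newer copy of that file is written to disk.

// Stand-in for /usr/local/pkg/suricata/suricata.inc (hypothetical path).
$inc = sys_get_temp_dir() . '/demo_suricata.inc';

// "v1" of the include file: one shared function.
file_put_contents($inc, "<?php\nfunction demo_old_only() { return 'v1'; }\n");
require_once $inc;
var_dump(function_exists('demo_old_only'));   // bool(true)
var_dump(demo_old_only());                    // string(2) "v1"

// Simulate the package update laying down a newer file that changes the
// existing function and adds a brand-new helper.
file_put_contents(
    $inc,
    "<?php\n" .
    "function demo_old_only() { return 'v2'; }\n" .
    "function demo_new_helper() { return 'added in v2'; }\n"
);

// The process already included this path, so require_once is a no-op:
// the new helper never appears and the old body is still the one in memory.
require_once $inc;
var_dump(function_exists('demo_new_helper'));  // bool(false)
var_dump(demo_old_only());                     // string(2) "v1"

// A plain `require $inc;` here would not help either: PHP would abort with
// "Cannot redeclare demo_old_only()". Only a fresh PHP process, started after
// the new file is already on disk, sees demo_new_helper().

unlink($inc);
```

Run it with `php demo.php` on any PHP CLI. The last two var_dump lines are the point: a post-install routine that calls a function added in the new suricata.inc would hit "Call to undefined function", which is the install failure the post describes, and removing the package first guarantees the new file is on disk before any process that includes it starts.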
-
@bmeeks is it OK to do this while on 23.05 before I update to 23.09?
Drew
-
@drewsaur said in Look for new Suricata 7.0.2 package update coming soon:
@bmeeks is it OK to do this while on 23.05 before I update to 23.09?
Drew
Absolutely not!!!!
How many times have we pfSense veterans said here on the forum to Never Ever Never update packages when there is a posted update for pfSense itself and you have not yet updated pfSense on the box. Updating any package in that scenario results in pulling down updated shared libraries and risks totally breaking pfSense because the new shared libraries are likely compiled for a different kernel version and may also have changed runtime dependencies.
That warning is all over these forums. And sadly, so are the posts of folks who failed to follow that rule and are asking why their firewall is then broken. The Netgate developer team has tried to install some guardrails to help prevent users falling off this cliff, but due to the way pkg works in FreeBSD there is no 100% foolproof set of guardrails yet. Users still can shoot both feet off by updating a package when a pfSense update is available and they have not yet installed the pfSense update. Always first go to the main Dashboard page and see if any pfSense update is shown as available. If so, never install any new nor update any existing packages until you have first installed the pfSense update.
-
@bmeeks Yes, that is precisely why I asked. So...what is the proper order of events?
- Remove suricata package, then update and install new package?
- Update, remove suricata package, then install new package?
Thank you!
Drew
-
@drewsaur said in Look for new Suricata 7.0.2 package update coming soon:
So...what is the proper order of events?
Exactly what I said:
1. Update pfSense itself first. So, that means update to 23.09 before you pass Go and even before you collect the $200 (old Monopoly game reference).
2. After the firewall has rebooted from the pfSense update, give it some time. It will probably update all of your installed packages automatically. This can take a bunch of minutes, so be patient. Looking at the system log under STATUS > SYSTEM LOGS you can follow any package update progress.
3. If, after waiting at least an hour, you find Suricata is still not updated, then you can update it manually under SYSTEM > PACKAGE MANAGER.
4. For this particular package update, it is not critical to first uninstall the package, but you certainly can if you wish. When I am testing package updates in my test virtual machine environment, I usually uninstall the package and then reinstall it.
-
@bmeeks OK, #4 was what I've been most curious about. I am sorry I wasn't clearer. At one point in the past, I upgraded pfSense, which installed a new Suricata package, then had issues after upgrading that required me to uninstall/reinstall Suricata, so I was thinking that maybe I should do that...proactively if that is the right word.
On top of that, since there was an assertion up above that it's never a bad thing to remove Suricata before installing a major update to it — and I would like to have the smoothest upgrade experience possible — I was really wondering if I should uninstall Suricata, upgrade to 23.09, then reinstall Suricata.
But if you don't recommend that, I will do the usual. Thanks again!
-
@bmeeks Upgrade done lazily, with no issues whatsoever. Literally the smoothest pfSense upgrade I have ever done.