Suricata 1.4.6 pkg v1.0.2 – Update Release Notes
-
Suricata 1.4.6 pkg v1.0.2
This update for the Suricata package fixes five bugs and adds one new feature.
Bug Fixes:
1. Saved changes to auto-refresh parameters on the ALERTS tab are not reflected in the GUI display.
2. Suricata will install but not startup on pfSense 2.2 snapshot systems.
3. Call-time pass-by-reference is now deprecated in PHP 5.5 used on pfSense 2.2 installs.
4. Security vulnerability exists in LOGS BROWSER tab code.
5. Barnyard2 sensor name parameter defaults back to hostname when user sets it to blank.
New Features:
1. The ability to create a new Suricata interface instance by "duplicating" an existing instance is now available. This feature allows an admin to duplicate the settings for an existing interface over to a new Suricata instance on a different physical interface. All settings are duplicated with the exception of: (1) the interface name, (2) the interface description, (3) the Home Net, External Net, Pass List and Suppress List values. The Home Net, External Net, Pass List and Suppress List values for the new instance are set to "default". The "duplicate" feature is activated by clicking the plus (+) icon next to the desired "source" instance.
-
Great Job Bill,
When do you think we can expect the next Snort Package release?
-
@BBcan17:
Great Job Bill,
When do you think we can expect the next Snort Package release?
It's posted for review. The Core Team guys were busy with BSDCan stuff recently, but I think they are all back to work now. I'm hoping this week, but I am at the mercy of the team to review and merge… ;)
As soon as the posted update is approved and merged, I will get the Snort binary updated to 2.9.6.1. That version is now posted on Freshports. After that, I will be working on moving Suricata to the 2.0 binary code tree.
Bill
-
Hopefully they all didn't end up at the post-conf party… wont see much till the week after? :)
I noticed that I can't sort some of the Alerts Page Columns in the existing Snort and the new Suricata Pakage. I tried it in Chrome and IE10.
(These can be sorted)
Date Pri Proto Class(These cannot be sorted)
Src SPort Dst DPort SID Desription -
@BBcan17:
Hopefully they all didn't end up at the post-conf party… wont see much till the week after? :)
I noticed that I can't sort some of the Alerts Page Columns in the existing Snort and the new Suricata Pakage. I tried it in Chrome and IE10.
(These can be sorted)
Date Pri Proto Class(These cannot be sorted)
Src SPort Dst DPort SID DesriptionI don't know at the moment what's wrong. Nothing changed in the package code. Looks like something changed with the CSS in pfSense itself maybe. Not sure. I will research deeper. I validated the behavior as you described. This simply uses a pre-defined CSS class. For the columns you mentioned that no longer sort, a custom key is used. That has not changed, but apparently the way it is interpreted by the CSS in the latest pfSense updates has changed. I have a 2.0.3 VM I just tested in, and the exact same Snort GUI code works there just fine (sorts all the columns properly).
Bill
-
Hi Bill, firstly great job.
And would like to ask if the PPPoE issue still ongoing in Suricata?
-
@val:
Hi Bill, firstly great job.
And would like to ask if the PPPoE issue still ongoing in Suricata?
The underlying binary is unchanged for this release, so yeah it probably still won't recognize the interface type. I am working now on moving to the 2.0 code branch for the Suricata binary. Maybe that will work better with a PPPoE interface.
Bill
-
@val:
Hi Bill, firstly great job.
And would like to ask if the PPPoE issue still ongoing in Suricata?
The underlying binary is unchanged for this release, so yeah it probably still won't recognize the interface type. I am working now on moving to the 2.0 code branch for the Suricata binary. Maybe that will work better with a PPPoE interface.
Bill
Righto, Thanks, I will keep an eye out once you updated the underlying binary and I will test it again.
Once again, thank you very much.
-
Started testing suricata, already found a bug.
Interface variables for ports, do not allow ports to be entered, with an error of "Only aliases are allowed"HTTP_PORTS box contains (without quotes): "80,443"
When saving, the above mentioned error is shown.
Edit:
Interface variables, add FTP_SERVERS
Interface variables, add SSH_SERVERS
add option to change the syslog facility
blocked tabs does not update on new alerts, host shown as blocked on the alerts tab. On that note, where is the suricata blocked hosts table???had to restart the box, ok now
automatically generated Pass List not recognizing IPv6 addresses
in edit rules tab, the icons do not behave as expected. disabling a user enabled rule, makes it red (normal or faded, depending on how upstream handles it), which means if upstream enables it/changes it, it could start generating false positives. Clicking the disable button on the >ALERTS< tab though, behaves correctly, the icon is faded yellow (user disabled). I noticed this a couple of months back in snort also, it makes it very hard to permanently disable rules from the rule edit tab.Feature request: sync to CARP slave
-
I think the error means you need to create an "alias" with those ports listed, and than add the "alias" to the Suricata variables boxes. This is similar to Snort variables.
So don't try to directly enter the ports in the variable boxes.
-
Assign a variable to a variable? that's counterintuitive. It needs to behave the same way as the hosts variables above it.
-
Have to keep you on your toes!! :)
I agree, but that's how it works…
-
Here's a screenshot from snort, I'm already on my toes, don't need any more anxiety by switching over :P
insert Jobs speech "You can change it!"
They need to accept both aliases and values in those fields, it would make setting it up easier.
Notes on screenshot: 28days removal, almost no false positives, based on custom rules. I do believe I hold the forum record for most hosts blocked by snort, but then again I broke the snort package by enabling too many rules ;D
-
@jflsakfja:
Assign a variable to a variable? that's counterintuitive. It needs to behave the same way as the hosts variables above it.
This is in keeping with the pfSense overall philosophy. I have mentioned this analogy before, but many of the big "commercial pay" firewalls follow the same idea. Checkpoint is one I am quite familiar with as I managed those for many years. They use "objects" instead of "aliases", but the concept and operation is exactly the same.
If you approach this with an open mind and think about the entire firewall configuration, it can actually make quite good sense. Suppose you have a web server farm and use the standard 80 and 443 ports and maybe one non-standard port for something. You would want your firewall and Snort or Suricata rules to match up with respect to inspecting those ports. You could manually enter port numbers, but then as your rules get more complex you can easily make a change in one place and forget it in two others. With an alias, you sort of can't make that error. You create the alias with the ports, then use that alias in all places where port numbers are required. If you need to change a port 2 years from now, you edit the alias and the new port is correct everywhere… :D
When I first started using Checkpoint products I felt like you did -- just let me enter a physical port number. But as I gained experience and starting creating and managing much more complicated rule sets, I began to appreciate the real power of "objects in Checkpoint" or "aliases in pfSense". Don't forget that starting in 2.0 of pfSense you can nest aliases. This can be helpful in some situations.
Bill
-
This is in keeping with the pfSense overall philosophy. I have mentioned this analogy before, but many of the big "commercial pay" firewalls follow the same idea. Checkpoint is one I am quite familiar with as I managed those for many years. They use "objects" instead of "aliases", but the concept and operation is exactly the same.
If you approach this with an open mind and think about the entire firewall configuration, it can actually make quite good sense. Suppose you have a web server farm and use the standard 80 and 443 ports and maybe one non-standard port for something. You would want your firewall and Snort or Suricata rules to match up with respect to inspecting those ports. You could manually enter port numbers, but then as your rules get more complex you can easily make a change in one place and forget it in two others. With an alias, you sort of can't make that error. You create the alias with the ports, then use that alias in all places where port numbers are required. If you need to change a port 2 years from now, you edit the alias and the new port is correct everywhere… :D
When I first started using Checkpoint products I felt like you did -- just let me enter a physical port number. But as I gained experience and starting creating and managing much more complicated rule sets, I began to appreciate the real power of "objects in Checkpoint" or "aliases in pfSense". Don't forget that starting in 2.0 of pfSense you can nest aliases. This can be helpful in some situations.
Bill
If you can't beat them, join them ;D
I'll try it out and see how it works. Bill, have you seen my other post above? Those need fixing -
@jflsakfja:
This is in keeping with the pfSense overall philosophy. I have mentioned this analogy before, but many of the big "commercial pay" firewalls follow the same idea. Checkpoint is one I am quite familiar with as I managed those for many years. They use "objects" instead of "aliases", but the concept and operation is exactly the same.
If you approach this with an open mind and think about the entire firewall configuration, it can actually make quite good sense. Suppose you have a web server farm and use the standard 80 and 443 ports and maybe one non-standard port for something. You would want your firewall and Snort or Suricata rules to match up with respect to inspecting those ports. You could manually enter port numbers, but then as your rules get more complex you can easily make a change in one place and forget it in two others. With an alias, you sort of can't make that error. You create the alias with the ports, then use that alias in all places where port numbers are required. If you need to change a port 2 years from now, you edit the alias and the new port is correct everywhere… :D
When I first started using Checkpoint products I felt like you did -- just let me enter a physical port number. But as I gained experience and starting creating and managing much more complicated rule sets, I began to appreciate the real power of "objects in Checkpoint" or "aliases in pfSense". Don't forget that starting in 2.0 of pfSense you can nest aliases. This can be helpful in some situations.
Bill
If you can't beat them, join them ;D
I'll try it out and see how it works. Bill, have you seen my other post above? Those need fixingYes, I saw the other reports. I will take a look. I have a really hard (well, almost impossible) time testing IPv6 stuff because my ISP does not provide or allow it. Anything I do has to all be whatever VMware can emulate/simulate.
Which syslog do you want to change the facility for? The alerts output option or the general Suricata operations logging to syslog? There is an option for changing the syslog facility if you use the Barnyard2 output plugin.
The thing with the forced enable/disable icons was done as part of fixing it so you could revert back to "default" for a particular rule. Previously you only had the option of "forcing it on" or "forcing it off". You could never click back around to just the default state. If you have a rule "forced", it will stay in whatever state you selected because it stores that SID info in the config.xml file.
Bill
-
Ideally I would like to change both syslog facilities. The auth facility used by suricata now is miles from being relevant to it. It's for logins and elevating user priviledges, not an IDS/IPS. I believe that's for the alerts. I think I saw local5 mentioned somewhere, that could be for the daemon part of suricata, which should be…well... daemon.
If a rule is default enabled (red), clicking it sets it to user disabled (pale yellow). Enabling all the rules though, and then clicking a particular rule does not set it to pale yellow, but what ever the default was. If I misunderstood something, please correct me.
-
@jflsakfja:
Ideally I would like to change both syslog facilities. The auth facility used by suricata now is miles from being relevant to it. It's for logins and elevating user priviledges, not an IDS/IPS. I believe that's for the alerts. I think I saw local5 mentioned somewhere, that could be for the daemon part of suricata, which should be…well... daemon.
If a rule is default enabled (red), clicking it sets it to user disabled (pale yellow). Enabling all the rules though, and then clicking a particular rule does not set it to pale yellow, but what ever the default was. If I misunderstood something, please correct me.
I need to go back and look at how things are configured in pfSense, but off the top of my head I seem to remember that only AUTH facility messages would wind up in the system log. Other facilities are hard-coded directed to some other files if I recall. I can allow the Suricata facility to be anything (both alerts and general output are configurable), but only certain settings will actually cause the messages to show up in the system log on pfSense. I chose the defaults the way I did simply to insure the output showed up in the system log on pfSense in the expected file. If you really want custom facility outputs, I suggest using the Barnyard2 output options and feed the data to a remote syslog server.
I see what you mean about the rule icon colors. As I mentioned, the idea is to now "default" the rule back when clicked a second time. So if the rule is default disabled (pale red) and you click it, then it is forced to enabled and turns yellow. If it was forced "enabled" and you click it a second time, it reverts to its default state (that is, any "forced state" is simply removed). I have been thinking about the best way to incorporate the functionality of enablesid, disablesid and modifysid into the package (like Pulled Pork and some other third-party tools do). That would solve your problem of wanting to make sure a rule stays "always disabled".
Bill
-
I have a really hard (well, almost impossible) time testing IPv6 stuff because my ISP does not provide or allow it. Anything I do has to all be whatever VMware can emulate/simulate.
You could use an IPv6 Tunnel Broker like HE.NET. I've started to use them ever since IPv6 was added to pfSense testing.
-
I need to go back and look at how things are configured in pfSense, but off the top of my head I seem to remember that only AUTH facility messages would wind up in the system log. Other facilities are hard-coded directed to some other files if I recall. I can allow the Suricata facility to be anything (both alerts and general output are configurable), but only certain settings will actually cause the messages to show up in the system log on pfSense. I chose the defaults the way I did simply to insure the output showed up in the system log on pfSense in the expected file. If you really want custom facility outputs, I suggest using the Barnyard2 output options and feed the data to a remote syslog server.
I've been using snort with local0 for a few years now (added via advanced options) and the logs showed up both on the pfsense log page, and the remote syslog.
As it stands now, the logs do get sent to the remote syslog, but they are tagged with the wrong facility (auth). On the remote syslog I can just direct them based on their tags, but it's not ideal. As I said, the auth facility should be used for logging user logins/logouts/users elevating priviledges through sudo (for example). Barnyard2 shouldn't be necessary, since the logs are already pushed to syslog, but just tagged wrongly.
WRT IPv6, I too highly recommend HE.net's tunnel service. It provides everything you need to experiment with IPv6.