Suricata 2.0.3 Package Preview
-
One word Bill: FAAAAAAAAAAANTASTIC!!
-
One word Bill: FAAAAAAAAAAANTASTIC!!
Thanks! Also note that, except for the Suricata-specific application layer parsers, these same features will be coming to the Snort package. That means the ALERTS tab display filter and the ability to auto-manage SIDs with text configuration files.
Bill
-
Spent a good 10 minutes writing, deleting, re-writing and re-deleting this reply.
I'm speechless. Excellent work!
If only the pfsense devs dropped everything they do and approve the pull request immediately ;)
-
@jflsakfja:
If only the pfsense devs dropped everything they do and approve the pull request immediately ;)
Seriously? That's the behavior you desire?
While I think this is an interesting update, and I try to privately help Bill (ask him) get his changes I to pfSense quickly (as I do with any volunteer who does quality work), "drop everything" isn't the right path here.
-
Don't want to start a fight, but waiting a month for a pull request to be approved to a very important package (snort?) doesn't exactly put the fun in the package dev community. This particular update to this particular package contains a lot of necessary bugfixes, a LOT of requested functionality, and should be IMHO on the top of the pfsense's dev's todo list. Nobody will cry if pfsense is delayed a couple of weeks, but this package would make a lot of people cry (I personally can't see 4K hosts on the blocked tabs because I'm affected by a particular bug this fixes + I've spent a lot of time syncing configuration changes back and forth between systems (CARP sync is in this package).
And I haven't even touched on the conf files auto conf yet. Literally (and I'm not exaggerating a bit here) thousands of man hours will be saved by pfsense's users from this single feature.
My honest and humble opinion. Not an attack in any way, shape and/or form. Not trying to put down the amount of work the pfsense devs put into pfsense, I'm just saying that pfsense is actually extremely stable for the large majority of users out there. Since the majority wouldn't benefit from an upgrade to pfsense (other than bug fixes), that can hold off for a while.
EDIT:share?shape
-
Couldnt agree more.
@jflsakfja:
Don't want to start a fight, but waiting a month for a pull request to be approved to a very important package (snort?) doesn't exactly put the fun in the package dev community. This particular update to this particular package contains a lot of necessary bugfixes, a LOT of requested functionality, and should be IMHO on the top of the pfsense's dev's todo list. Nobody will cry if pfsense is delayed a couple of weeks, but this package would make a lot of people cry (I personally can't see 4K hosts on the blocked tabs because I'm affected by a particular bug this fixes + I've spent a lot of time syncing configuration changes back and forth between systems (CARP sync is in this package).
And I haven't even touched on the conf files auto conf yet. Literally (and I'm not exaggerating a bit here) thousands of man hours will be saved by pfsense's users from this single feature.
My honest and humble opinion. Not an attack in any way, share and/or form. Not trying to put down the amount of work the pfsense devs put into pfsense, I'm just saying that pfsense is actually extremely stable for the large majority of users out there. Since the majority wouldn't benefit from an upgrade to pfsense (other than bug fixes), that can hold off for a while.
-
Just for that, Brian, it's gone to the bottom of the pile.
-
Like your sense of humor :D
@gonzopancho:
Just for that, Brian, it's gone to the bottom of the pile.
-
Things are progressing well with the new package. I found a longstanding bug with IPv6 addresses in a PASS LIST this afternoon and fixed it. The problem was actually upstream in the Suricata binary and not within the pfSense GUI package. The bug is also present in 1.4.6. I've submitted the appropriate patch to the pfSense guys already so the binary packages for pfSense will be fixed, and will work on getting the patch into upstream as well.
I am getting support from the pfSense team even though they are terribly busy with their work on 2.2 and an upcoming security fix for 2.1.4, so I applaud them for that. Just please continue to be patient as final testing is completed and the pfSense developers jostle their work schedules to fit in the package review. There are a LOT of code changes in this update! I promise it's not vaporware… ;D
Bill
-
The new Suricata package update has been posted for the pfSense developers to review. You can follow the request here:
https://github.com/pfsense/pfsense-packages/pull/696
The notes at the top of the Pull Request show the changes.
One thing I suggest you do to get ready for the auto-SID management feature is to thoroughly review the documentation associated with the enablesid.conf, disablesid.conf and modifysid.conf files you can use with PulledPork or Oinkmaster. A little Google research should turn up several links and examples. Some kind users here on the forum may also be willing to share their files as examples. With the ability to upload these files to the firewall, it will also be possible for experienced users to share their SID management conf files with novices to help reduce the number of false positives and other issues less experienced users sometimes face with a powerful tool such as Suricata. Note that the new auto-SID management feature is disabled by default. You can enable the feature and upload or create the necessary conf files on the new SID MGMT tab.
Bill
-
I bow deeply for you, Lord Bill ;D
-
The new Suricata package update has been posted for the pfSense developers to review. You can follow the request here:
So everyone is aware, Bill thinks he's found a bug, and has asked us to hold off.
-
I can confirm the bug. My recommendation (if Bill agrees) is to go ahead and release the package, since the bug is there in the existing package anyway (and by the looks of it, it's upstream).
Just to be clear, the bug affect IPv6 deployments. There are workarounds, but no need to go through that if the fix is just round the corner. If the fix isn't around the corner though, having the new package is better than waiting for the fix, since the fix is unlikely to be backported to the old (current) package.
As i said, my recommendation is to go ahead with the package and just issue the warning for a known bug and the workarounds. One of the workarounds can be implemented using modifysid for example. My $0.02.
-
@jflsakfja:
I can confirm the bug. My recommendation (if Bill agrees) is to go ahead and release the package, since the bug is there in the existing package anyway (and by the looks of it, it's upstream).
Just to be clear, the bug affect IPv6 deployments. There are workarounds, but no need to go through that if the fix is just round the corner. If the fix isn't around the corner though, having the new package is better than waiting for the fix, since the fix is unlikely to be backported to the old (current) package.
As i said, my recommendation is to go ahead with the package and just issue the warning for a known bug and the workarounds. One of the workarounds can be implemented using modifysid for example. My $0.02.
Yes, the bug is in the IPv6 address parsing logic. It is present upstream and comes into play if you set $EXTERNAL_NET to the standard value of !$HOME_NET. It only impacts IPv6 traffic, but the impact is you don't get IPv6 alerts from rules where source or destination is $EXTERNAL_NET. A good many rules use this qualifier.
The Suricata source code around this functionality is quite complicated and IMHO not well commented. I have thus far been unable to locate the source of the problem. I think the best I can do is report this upstream. I want to conduct a little more testing, and then I will release the Pull Request for further review by the pfSense developers.
Bill
-
Oh c'mon people. We are crying where and you said hold off?? you are kidding right? Bill :P
-
@mais_um:
Oh c'mon people. We are crying where and you said hold off?? you are kidding right? Bill :P
Not kidding about the bug in IPv6 addresses when $EXTERNAL_NET is set to !$HOME_NET. If you set $EXTERNAL_NET to "any", then no problem except that causes a ton more alerts that are mostly false positives. This is because many rules are written to discriminate traffic based on $HOME_NET and $EXTERNAL_NET reflecting your true setup (where $HOME_NET represents only the networks your protecting, and $EXTERNAL_NET is everything else). If $EXTERNAL_NET is set to "any", then this rule paradigm is not true.
The Suricata and Snort packages have always used "$EXTERNAL_NET = !$HOME_NET" on pfSense as the defaults. So I have decided for now to not change those defaults and instead post a warning that IPv6 traffic will not always be correctly alerted on in Suricata until either I or the upstream Suricata guys can find out what's wrong in the binary.
Bill
-
You'll have to get Supermule to acknowledge that the bug isn't in pfSense, but is, rather, upstream. I don't want to have to hear his complaints.
-
I can also confirm this bug.. Hopefully it can be found but at least there is a workaround for now…
-
I can also confirm this bug.. Hopefully it can be found but at least there is a workaround for now…
I've sent a message to the Suricata team about it, but received no response yet. Also tagged onto a similar (if not possibly the same) issue posted on the Suricata Bug Tracker Redmine site.
I've released the package for review by the pfSense guys, but will continue looking for the bug in the binary. It's a complicated source code package, and it's a little tough to reverse engineer something in the first place, and as I mentioned previously, IMHO there is not a lot of commenting in the code explaining the functions or logic flow. So finding this bug is a challenge…but I do love a challenge... ;)
Bill
-
Thanks Bill! Looking forward to the new release