Suricata 2.0.6 pkg v2.1.4 Release Notes (pfSense 2.2 only)
-
A bug fix update has been released for the Suricata package. The update corrects three user-reported bugs in the GUI code.
Bug Fixes
-
On the INTERFACE SETTINGS tab, when EVE JSON output to syslog is enabled, the "send alerts to system log" option must also be auto-enabled in order for syslog output to be properly initialized.
-
Multiple cron task entries are generated when editing the "rules update" and "remove blocked hosts" intervals on the GLOBAL SETTINGS tab.
-
In rare instances, a blank network and subnet string results in an invalid slash "/" character in a PASS LIST.
Suricata users still on pfSense 2.1.x versions are strongly encouraged to upgrade to pfSense 2.2 so that the new Suricata 2.0.6 binary can be utilized.
Bill
-
-
Just updated to latest version. Prior to that I was running Snort on the snort2c table and Suricata on the virusprot table. Now it seems no matter what, Suricata won't use the virusprot table, but they are both using snort2c without conflict…
Bill, changed something? ;)
F.
-
Snort and Suricata have always used the snort2c table. You can only enable one for blocking. For example, you can have Suricata for blocking and use Snort for alerting if you like, but it can't be set to blocking. It's not recommended to run both, but you can.
-
No, I did not change anything with regards to how Suricata uses the built-in constant for the snort2c table. Remember, though, that with each update you will have to repeat that manual file edit process I posted in another thread. The update will bring down the default code again and overwrite that edit you made to /usr/local/pkg/suricata/suricata_defs.inc.
Bill
-
I must have missed that post :o
https://forum.pfsense.org/index.php?topic=87437.msg485314#msg485314
-
Yeah… I forgot that I had to re-edit the file after an update... sorry about that.
F.
-
Thanks for finding that link for me. I remembered posting it, but not where or when exactly … :-[
I did code Suricata so that a PHP constant was used to define the pf alias table used for blocking. There are a handful of built-in alias tables the packet filter code in pfSense creates on boot, and these tables are way up earlier on in the packet processing chain, so they get hit before any user-defined rules or tables. The snort2c table was originally added to the built-in list for the Snort package. That was done well before my time. When I came along with the Suricata package and added the blocking mode, I knew we could not create a new built-in alias table in pfSense without waiting for a new release. That also would have meant Suricata would not have worked on any prior release. So to simplify and speed things along, I chose to use the existing snort2c table. But to make it easy to change in the future, I coded that table in the PHP code as a constant that can be redefined easily in one file and then updated everywhere else instantly.
Because of the way I coded it, you can actually use any pf table you want to, provided you manually edit the file as illustrated in that post. However, it is best to use the built-in tables because they occur high up in the chain and can block bad traffic before any user rule can pass it.
Bill
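The one-constant design described in the post above, as an added illustration that is not code from the pfSense Suricata package: a single define() names the pf table, every helper that talks to pfctl reads that constant, and input is validated before it becomes a table entry (the third bug in the release notes, a blank network and subnet turning into a bare "/"). The constant name SURICATA_PF_TABLE, the function names, and the sample pfctl output are assumptions made for this example.

```php
<?php
// Added example, not code from the pfSense Suricata package.
// SURICATA_PF_TABLE and the function names are assumed for illustration.

if (!defined('SURICATA_PF_TABLE')) {
    // Redefine this in one place to block into a different pf table.
    define('SURICATA_PF_TABLE', 'snort2c');
}

// pfctl command that adds a host to the blocking table. Anything that is
// not a plain IPv4/IPv6 address is rejected before it can reach the shell.
function suricata_block_cmd(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return sprintf('/sbin/pfctl -t %s -T add %s', SURICATA_PF_TABLE, escapeshellarg($host));
}

// Counterpart used by a "remove blocked hosts" task.
function suricata_unblock_cmd(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return sprintf('/sbin/pfctl -t %s -T delete %s', SURICATA_PF_TABLE, escapeshellarg($host));
}

// Parse the output of "pfctl -t <table> -T show" (one indented address or
// network per line) into a list, so a script can audit the live table.
function suricata_parse_table(string $pfctlOutput): array
{
    $entries = [];
    foreach (preg_split('/\R/', $pfctlOutput) as $line) {
        $line = trim($line);
        if ($line !== '') {
            $entries[] = $line;
        }
    }
    return $entries;
}

// Build one pass-list entry "network/prefix". Blank or invalid parts yield
// null instead of a bare "/" entry.
function suricata_passlist_entry(string $network, string $prefix): ?string
{
    $network = trim($network);
    $prefix  = trim($prefix);
    if ($network === '' || $prefix === '' || filter_var($network, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $maxBits = (strpos($network, ':') !== false) ? 128 : 32;
    $bits = filter_var($prefix, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $maxBits]]);
    return ($bits === false) ? null : "{$network}/{$bits}";
}

// Constructed sample of "pfctl -t snort2c -T show" output (not captured from a real box).
$sampleShow = "   192.0.2.10\n   198.51.100.0/24\n";
assert(suricata_parse_table($sampleShow) === ['192.0.2.10', '198.51.100.0/24']);
assert(suricata_block_cmd('203.0.113.5') === "/sbin/pfctl -t snort2c -T add '203.0.113.5'");
assert(suricata_block_cmd('203.0.113.5; rm -rf /') === null);
assert(suricata_unblock_cmd('2001:db8::1') === "/sbin/pfctl -t snort2c -T delete '2001:db8::1'");
assert(suricata_passlist_entry('10.0.0.0', '8') === '10.0.0.0/8');
assert(suricata_passlist_entry('', '') === null);      // would otherwise become "/"
assert(suricata_passlist_entry('10.0.0.0', '33') === null);
echo "checks passed\n";
```

Because the table name is read from the constant at call time, a package update that overwrites the defs file silently reverts every helper to snort2c at once, which is exactly the behaviour Bill warns about; after any update, `pfctl -t <yourtable> -T show` is the quickest way to confirm where blocks are actually landing.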
-
You're welcome, Bill! Good call on how you programmed this.