Netgate Discussion Forum
    Suricata 2.0.6 pkg v2.1.4 Release Notes (pfSense 2.2 only)

    pfSense Packages
    8 Posts, 3 Posters, 1.4k Views
    bmeeks

      A bug fix update has been released for the Suricata package.  The update corrects three user reported bugs in the GUI code.

      Bug Fixes

      • On the INTERFACE SETTINGS tab, when EVE JSON output to syslog is enabled, then the "send alerts to system log" option must also be auto-enabled in order for syslog output to be properly initialized.

      • Multiple cron task entries are generated when editing the "rules update" and "remove blocked hosts" intervals on the GLOBAL SETTINGS tab.

      • In rare instances, a blank network and subnet string results in an invalid slash "/" character in a PASS LIST.

      Suricata users still on pfSense 2.1.x versions are strongly encouraged to upgrade to pfSense 2.2 so that the new Suricata 2.0.6 binary can be utilized.

      Bill

      fsansfil

        Just updated to latest version. Prior to that I was running Snort on the snort2c table and Suricata on virusprot table. Now it seems no matter what, Suricata won't use virusprot table but they are both using snort2c w/o conflict…

        Bill changed something ? ;)

        F.

        Cino

          Snort and Suricata have always used the snort2c table. You can only enable 1 for blocking. For example, you can have Suricata for blocking and use Snort for alerting if you like, but it can't be set to blocking. It's not recommended to run both, but you can.

          bmeeks

            @fsansfil:

            Just updated to latest version. Prior to that I was running Snort on the snort2c table and Suricata on virusprot table. Now it seems no matter what, Suricata won't use virusprot table but they are both using snort2c w/o conflict…

            Bill changed something ? ;)

            F.

            No, did not change anything with regards to how Suricata uses the built-in constant for the snort2c table.  Remember, though, that with each update you will have to repeat that manual file edit process I posted in another thread.  The update will bring down the default code again and overwrite that edit you made to /usr/local/pkg/suricata/suricata_defs.inc.

            Bill

            Cino

              I must have missed that post  :o

              https://forum.pfsense.org/index.php?topic=87437.msg485314#msg485314

              fsansfil

                Yea…I forgot that I had to re-edit the file after an update...sorry about that.

                F.

                bmeeks

                  @Cino:

                  I must have missed that post  :o

                  https://forum.pfsense.org/index.php?topic=87437.msg485314#msg485314

                  Thanks for finding that link for me.  I remembered posting it, but not where or when exactly … :-[

                  I did code Suricata so that a PHP constant was used to define the pf alias table used for blocking.  There are a handful of built-in alias tables the packet filter code in pfSense creates on boot, and these tables are way up earlier on in the packet processing chain so they get hit before any user-defined rules or tables.  The snort2c table was originally added to the built-in list for the Snort package.  That was done well before my time.  When I came along with the Suricata package and added the blocking mode, I knew we could not create a new built-in alias table in pfSense without waiting for a new release.  That also would have meant Suricata would not have worked on any prior release.  So to simplify and speed things along, I chose to use the existing snort2c table.  But to make it easy to change in the future, I coded that table in the PHP code as a constant that can be redefined easily in one file and then updated everywhere else instantly.

                  Because of the way I coded it, you can actually use any pf table you want to providing you manually edit the file as illustrated in that post.  However, it is best to use the built-in tables because they occur high up in the chain and can block bad traffic before any user rule can pass it.

                  Bill
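One way to catch the overwrite Bill describes after each package update, as an added example that is not part of this thread or of the Suricata package code: a small POSIX sh check (the shell available on pfSense) that reads the table name out of suricata_defs.inc and flags drift from the value you set by hand. The constant name SURICATA_PF_TABLE is a hypothetical placeholder, since the real name only appears in that file, and the sample defs content is constructed.

```shell
#!/bin/sh
# Added example, not code from the Suricata package: verify after an update that
# the PHP constant naming the pf blocking table in suricata_defs.inc still holds
# the manually edited value. SURICATA_PF_TABLE is a hypothetical constant name;
# the real one is whatever suricata_defs.inc defines.

CONST_NAME="${CONST_NAME:-SURICATA_PF_TABLE}"   # hypothetical placeholder

# Print the table name the constant is currently defined as (empty if absent).
# Matches lines such as: define('SURICATA_PF_TABLE', 'snort2c');
defs_table_name() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${CONST_NAME}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when the file still names the wanted table, 1 when an update has
# overwritten the edit (or the constant is missing entirely).
check_table_drift() {
    current=$(defs_table_name "$1")
    if [ "$current" = "$2" ]; then
        return 0
    fi
    echo "drift: $1 defines $CONST_NAME as '${current:-<missing>}', wanted '$2'" >&2
    return 1
}

# Confirm pf actually has the table loaded (pfctl exists only on pfSense/FreeBSD).
pf_table_exists() {
    pfctl -s Tables 2>/dev/null | grep -qx "$1"
}

# Write a constructed sample defs file (stand-in for the real one); print its path.
make_sample_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
// constructed sample: what the package update puts back by default
define('SURICATA_PF_TABLE', 'snort2c');
EOF
    echo "$f"
}

# Stand-alone demo against the sample: the edit to virusprot is gone after the update.
sample=$(make_sample_defs)
check_table_drift "$sample" virusprot || echo "re-apply the manual edit, then restart Suricata" >&2
rm -f "$sample"
```

On a real box the call is `check_table_drift /usr/local/pkg/suricata/suricata_defs.inc virusprot`, followed by `pf_table_exists virusprot` to confirm pf has the table.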

                  Cino

                    You're welcome Bill! Good call on how you programmed this.
