Suricata update to the new 2.0.9 binary is coming soon



  • I have submitted a Pull Request for review by the pfSense team that will update Suricata to the latest 2.0.9 binary version.  The new update also fixes an older GUI issue and implements optional X-Forwarded-For logging for Unified2 output to Barnyard.  Details can be found in the Pull Request on Github: https://github.com/pfsense/pfsense-packages/pull/1148.  Once the request is reviewed and approved, a new Suricata version will show up under System > Packages > Installed Packages.

    An update to 2.9.7.6 for Snort is next on my TODO list.

    Bill



  • The update for Suricata has been merged and is now available for users to install.  The Suricata binary is now v2.0.9 and the GUI package is v2.1.9.

    Bill



  • This update seems to have broken my barnyard2/Snorby setup from Suricata.  Now when I try to start the barnyard2 service for an interface I get:

    Nov 11 08:57:53 barnyard2[93466]: Barnyard2 exiting
    Nov 11 08:57:53 barnyard2[93466]: FATAL ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mysql' support. If this build of barnyard2 was compiled by you, then re-run the the ./configure script using the '--with-mysql' switch. For non-standard installations of a database, the '--with-mysql=DIR' syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
    Nov 11 08:57:53 barnyard2[93466]: ERROR database: 'mysql' support is not compiled into this build of snort

    Has anyone else experienced this?



  • @nug:

    This update seems to have broken my barnyard2/Snorby setup from Suricata.  Now when I try to start the barnyard2 service for an interface I get:

    Nov 11 08:57:53 barnyard2[93466]: Barnyard2 exiting
    Nov 11 08:57:53 barnyard2[93466]: FATAL ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mysql' support. If this build of barnyard2 was compiled by you, then re-run the the ./configure script using the '--with-mysql' switch. For non-standard installations of a database, the '--with-mysql=DIR' syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
    Nov 11 08:57:53 barnyard2[93466]: ERROR database: 'mysql' support is not compiled into this build of snort

    Has anyone else experienced this?

    Oops!  I think I know what might be the problem, but I need to correspond with the pfSense developers who build the ports.  I believe some option knobs are being ignored during the build process.  One that is specifically enabled is MySQL support in Barnyard2, but apparently it didn't actually get enabled.  I missed it during testing because I have temporarily shut down my Snorby system and forgot to test the new PBI for MySQL connections.

    Let me have the pfSense team rebuild the PBIs for Suricata and see if that helps.

    Bill



  • Ah, cool.  Thanks for following up!



  • I got the exact same troubles with Barnyard2 and Snorby. I will follow the topic. For now I will do a tail -f on some terminal to follow it up  :D



  • I posted a Pull Request yesterday with the fix and it was approved and merged.  It looks like the rebuild of the PBIs with the new MAKE options has not yet happened.  I will get with the pfSense team to see what's up.  You can look for new PBIs here:  https://files.pfsense.org/packages/10/All/.

    You would be looking for a suricata-2.0.9-*.pbi file (matching your architecture) with a build date of November 12, 2015 or later.

    Bill



  • Updated PBI binary packages have been posted for Suricata.  If you had problems with Barnyard2 and no MySQL support, try removing the Suricata package completely and then installing again.  You won't lose your settings so long as the "Keep Settings" checkbox on the GLOBAL tab is checked.

    Bill



  • Bang!  All done.  Thanks very much for this mate.

    Hey just a quick question.  Does Snorby end up going back and filling in the few days that were missing or is there a way I can force it to do that?  Suricata was still running during this time and has all of the alerts in the system.



  • @nug:

    Bang!  All done.  Thanks very much for this mate.

    Hey just a quick question.  Does Snorby end up going back and filling in the few days that were missing or is there a way I can force it to do that?  Suricata was still running during this time and has all of the alerts in the system.

    Barnyard2 should see the unified2 alert logs and start sending them over if they have not been auto-archived yet.  You might have to reset the placekeeper by removing/resetting the waldo file.  You can probably find some more details on the web with a little searching.

    Bill

