Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Package v2.1.9 Update - Release Notes

    IDS/IPS
    1
    1
    813
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks
      last edited by

      Suricata 2.0.9 pkg v2.1.9

      This updates the Suricata GUI package to v2.1.9 and the binary PBI package to v2.0.9. The Change Log for Suricata 2.0.9 is here:  http://suricata-ids.org/2015/09/25/suricata-2-0-9-available/. In addition to the upstream changes, the custom alert-pf blocking module sports a new automatic whitelisting feature for all firewall interface IP addresses. During initialization of the alert-pf module, an interface monitoring thread is started to subscribe to and monitor FreeBSD kernel routing messages for changes to interface IP addresses. An internal in-memory whitelist is maintained of all firewall interface IP addresses to prevent blocking of interface IP addresses. This feature is particularly helpful to users with frequently changing WAN IP addresses. Information about auto-whitelisted IP addresses is logged to the suricata.log file which can be viewed from the LOGS VIEW tab in the GUI.

      The GUI package update includes one bug fix and one new feature as described below.

      New Features
      1.  Added X-Forwarded-For option settings for Unified2 logging on the BARNYARD tab. These new settings enable support for HTTP X-Forwarded-For IP addresses.

      Bug Fixes
      1.  Increase STREAM MEMORY CAP default setting to 64 MB (from 32 MB) to prevent memory allocation errors during startup. See Forum post here: https://forum.pfsense.org/index.php?topic=93926.msg521334#msg521334.  This setting may still need increasing for some users with high-core count CPUs or multiple CPUs.  The actual formula used by Suricata for this setting and additional info from impacted users can be found in the linked thread.  The new higher default setting should work for the majority of users.  If Suricata fails to start and throws a memory allocation error in the suricata.log, then first try bumping up this value in 4MB chunks.  The setting can be found on the FLOW/STREAM tab for a Suricata interface.  NOTE:  There is no reason to alter your current setting if you are not experiencing a startup failure coincident with a memory allocation error.

      Bill

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.