Suricata_2.1.9.1_7 – GUI Package Update and Bug Fixes
-
Another update has been posted for the Suricata Bootstrap GUI package. This update corrects a few more discovered bugs from the Bootstrap GUI conversion. Details of what was fixed can be found in the Pull Request commits here: https://github.com/pfsense/FreeBSD-ports/pull/69.
One new feature was added in this release. The configurable parameter max-synack-queued was added to the Flow/Stream tab. The default value of this parameter is 5, and that value should work for most users. If you are getting certain types of stream alerts, bumping this number up may help.
The problem of Suricata not auto-starting following an upgrade or package reinstall is hopefully fixed (fingers crossed … ;) ). At least it seemed to start reliably for me in testing.
The next big change coming to Suricata is an update of the binary piece to 3.0 to catch up with upstream. With the update to 3.0, pfSense 2.3 will then be ready to implement high-speed true inline IPS mode on supported network drivers (those that support Netmap). For those folks without Netmap supported network cards, Suricata will continue to offer the current operating mode (which will be known as Legacy Mode) whereby libpcap is used to grab copies of packets flowing through an interface for inspection. Packets triggering an alert will result in the offending IP address being added to the snort2c table in the packet filter to block further traffic from the offending IP address.
If you have a Netmap supported network card, the operation of Suricata will be quite different when inline IPS mode is activated. In this mode, all traffic will actually flow through the Suricata engine for inspection before it is passed on to the network stack. Offending traffic is then simply dropped (not passed on to the network stack). More information on this mode will be coming later when the option is ready for release. One thing that will be a major change with inline IPS mode operation is how the rule action keyword will matter. Today any alert results in a block via Legacy Mode operation. With inline IPS mode, only rules whose action keyword is "drop" will actually block packets. Rules whose action keyword is "alert" will simply log alerts and allow the offending traffic to pass. Note that the "as-shipped" default action for most of the rule vendors is "alert". So you will need to manually alter the rule actions to "drop" in order to block offenders.
Bill
-
Thanks for the update. I'm personally fairly excited about Suricata in inline mode. I can't wait to see that in action.
-
Is i350 network card supported for inline mode?
Will this work for snort or. only for suricata?
Thanks
-
Is i350 network card supported for inline mode?
Will this work for snort or. only for suricata?
Thanks
I don't know about support in specific cards. I have not researched it.
For now it will only work in Suricata.
Bill
-
Supported devices are listed here, I assume: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html
-
Yeh
"_netmap natively supports the following devices:
On FreeBSD: em(4), igb(4), ixgbe(4), lem(4), re(4).
On Linux e1000(4), e1000e(4), igb(4), ixgbe(4), mlx4(4), forcedeth(4),
r8169(4).NICs without native support can still be used in netmap mode through emu-
lation. Performance is inferior to native netmap mode but still signifi-
cantly higher than sockets, and approaching that of in-kernel solutions
such as Linux's pktgen.Emulation is also available for devices with native netmap support, which
can be used for testing or performance comparison. The sysctl variable
dev.netmap.admode globally controls how netmap mode is implemented._"Source: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES
-
Great! It looks like I will need to switch to Suricata from SNORT prior to upgrading to 2.3, currently still using 2.2.6
-
Hi. Bug alert!
After put a rule on the suppression list is added a (i) to the rule. If the same rule are consecutive it add 2 x (i), if 3 consecutive 3 x (i) will be added and so on. If other rule is in the middle the (i) counter resets, i think. Attachment added.
Best regards,
Raul
 -
@mais_um:
Hi. Bug alert!
After put a rule on the suppression list is added a (i) to the rule. If the same rule are consecutive it add 2 x (i), if 3 consecutive 3 x (i) will be added and so on. If other rule is in the middle the (i) counter resets, i think. Attachment added.
Best regards,
Raul
That is certainly not by design … :(. I will add it to my next set of fixes. There is another issue with auto-managed rules not being tagged correctly on the RULES tab and a problem with downloading the IQRisks IP Reputation file (for those with a subscription to that service). I'm working on these bugs, too.
Edit: found the problem. It was a simple fix. The string used to hold the HTML as it is assembled for display was using a concatenation operator in a part of the code where it should not have been. The fix will be in the next update.
Bill
-
@mais_um:
Hi. Bug alert!
After put a rule on the suppression list is added a (i) to the rule. If the same rule are consecutive it add 2 x (i), if 3 consecutive 3 x (i) will be added and so on. If other rule is in the middle the (i) counter resets, i think. Attachment added.
Best regards,
Raul
Look for an update to become available soon with the fix for this and some other issues. Here is the pull request: https://github.com/pfsense/FreeBSD-ports/pull/85.
Bill
-
Latest Suricata bug fix is now available for download. Here is what the pfSense-pkg-suricata 3.0_2 package update addresses.
Bug Fixes
-
Rules auto-managed by SID MGMT tab files are not tagged correctly on the RULES tab.
-
IQRisk IP Reputation files not downloading for users with subscription code.
-
Icons indicating rule GID:SID added to Supress Lists get duplicated when IPs are the same on ALERTS tab.
-
Snort VRT rules checkboxes not auto-disabled when IPS-Policy is selected on CATEGORIES tab.
-
PCRE selection of SIDs not working correctly for auto-SID management.
Known Limitations:
At the moment, if you try select a Snort VRT IPS Policy and try to view all the rules selected by the policy on the RULES tab, you will crash the PHP process for the Suricata GUI and get a blank browser screen. This happens because the large IPS Policy rule set for the "Balanced" or "Security" policies exhausts the maximum PHP memory pool allowed by current pfSense settings. A solution for that is being looked into by the pfSense developers. In the interim, do not attempt to view an IPS Policy rule set on the RULES tab. Note that although doing so will crash the PHP process showing you the RULES tab page, it won't impact the firewall operation and will not crash the Suricata binary. It just crashes the individual process that was attempting to display the rules.Bill
-
