Suricata_2.1.9.1_7 – GUI Package Update and Bug Fixes
-
Thanks for the update. I'm personally fairly excited about Suricata in inline mode. I can't wait to see that in action.
-
Is i350 network card supported for inline mode?
Will this work for snort or only for suricata?
Thanks
-
Is i350 network card supported for inline mode?
Will this work for snort or only for suricata?
Thanks
I don't know about support in specific cards. I have not researched it.
For now it will only work in Suricata.
Bill
-
Supported devices are listed here, I assume: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html
-
Yeh
"_netmap natively supports the following devices:
On FreeBSD: em(4), igb(4), ixgbe(4), lem(4), re(4).
On Linux e1000(4), e1000e(4), igb(4), ixgbe(4), mlx4(4), forcedeth(4), r8169(4).
NICs without native support can still be used in netmap mode through emulation. Performance is inferior to native netmap mode but still significantly higher than sockets, and approaching that of in-kernel solutions such as Linux's pktgen.
Emulation is also available for devices with native netmap support, which can be used for testing or performance comparison. The sysctl variable dev.netmap.admode globally controls how netmap mode is implemented._"
Source: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES
-
Great! It looks like I will need to switch to Suricata from SNORT prior to upgrading to 2.3, currently still using 2.2.6
-
Hi. Bug alert!
After putting a rule on the suppression list, an (i) is added to the rule. If the same rule appears consecutively it adds 2 x (i), if 3 consecutive, 3 x (i) will be added, and so on. If another rule is in the middle the (i) counter resets, I think. Attachment added.
Best regards,
Raul
![Suricata alert add sup list.jpg](/public/imported_attachments/1/Suricata alert add sup list.jpg)
-
@mais_um:
Hi. Bug alert!
After putting a rule on the suppression list, an (i) is added to the rule. If the same rule appears consecutively it adds 2 x (i), if 3 consecutive, 3 x (i) will be added, and so on. If another rule is in the middle the (i) counter resets, I think. Attachment added.
Best regards,
Raul
That is certainly not by design … :(. I will add it to my next set of fixes. There is another issue with auto-managed rules not being tagged correctly on the RULES tab and a problem with downloading the IQRisks IP Reputation file (for those with a subscription to that service). I'm working on these bugs, too.
Edit: found the problem. It was a simple fix. The string used to hold the HTML as it is assembled for display was using a concatenation operator in a part of the code where it should not have been. The fix will be in the next update.
Bill
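An added illustration of the concatenation bug Bill describes, written for this thread and not taken from the pfSense Suricata package: a display loop that appends to the per-row icon string instead of reassigning it, so consecutive suppressed rows accumulate icons and an unrelated row in between resets the count. The alert rows, the suppress-list shape and the helper names are constructed for the example, and the suppress match is simplified to GID:SID only.

```php
<?php
// Added example (not pfSense code) of the duplicated (i) icon on the ALERTS tab.

// Constructed sample alerts: three consecutive hits on one suppressed rule,
// then a different rule, then the suppressed rule again.
$alerts = [
    ['gid' => 1, 'sid' => 2008578, 'src' => '10.0.0.5'],
    ['gid' => 1, 'sid' => 2008578, 'src' => '10.0.0.5'],
    ['gid' => 1, 'sid' => 2008578, 'src' => '10.0.0.5'],
    ['gid' => 1, 'sid' => 2010937, 'src' => '10.0.0.9'],   // different rule in the middle
    ['gid' => 1, 'sid' => 2008578, 'src' => '10.0.0.5'],
];
// Constructed suppress list, keyed by GID:SID.
$suppressed = ['1:2008578' => true];

// Builds one HTML <tr> per alert. $buggy = true reproduces the reported behaviour.
function render_rows(array $alerts, array $suppressed, bool $buggy): array {
    $rows = [];
    $sid_icon = '';                       // shared across loop iterations, as in the bug
    foreach ($alerts as $a) {
        $key = $a['gid'] . ':' . $a['sid'];
        if (isset($suppressed[$key])) {
            $icon = '<i class="fa fa-info-circle" title="Rule is on suppress list"></i>';
            if ($buggy) {
                $sid_icon .= $icon;       // bug: concatenation keeps the previous row's icons
            } else {
                $sid_icon = $icon;        // fix: plain assignment, one icon per row
            }
        } else {
            $sid_icon = '';               // a non-suppressed row clears the string (the "reset")
        }
        $rows[] = "<tr><td>{$a['src']}</td><td>{$key} {$sid_icon}</td></tr>";
    }
    return $rows;
}

// Counts the icons in each rendered row so the duplication is easy to see.
function icons_per_row(array $rows): array {
    return array_map(fn($r) => substr_count($r, 'fa-info-circle'), $rows);
}

echo "buggy:  " . implode(' ', icons_per_row(render_rows($alerts, $suppressed, true))) . "\n";
echo "fixed:  " . implode(' ', icons_per_row(render_rows($alerts, $suppressed, false))) . "\n";
```

In the buggy run the icon count climbs across the consecutive suppressed rows and drops back at the unrelated rule, which is exactly the pattern Raul reported; the fixed run shows one icon per suppressed row.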
-
@mais_um:
Hi. Bug alert!
After putting a rule on the suppression list, an (i) is added to the rule. If the same rule appears consecutively it adds 2 x (i), if 3 consecutive, 3 x (i) will be added, and so on. If another rule is in the middle the (i) counter resets, I think. Attachment added.
Best regards,
Raul
Look for an update to become available soon with the fix for this and some other issues. Here is the pull request: https://github.com/pfsense/FreeBSD-ports/pull/85.
Bill
-
Latest Suricata bug fix is now available for download. Here is what the pfSense-pkg-suricata 3.0_2 package update addresses.
Bug Fixes
- Rules auto-managed by SID MGMT tab files are not tagged correctly on the RULES tab.
- IQRisk IP Reputation files not downloading for users with subscription code.
- Icons indicating rule GID:SID added to Suppress Lists get duplicated when IPs are the same on ALERTS tab.
- Snort VRT rules checkboxes not auto-disabled when IPS-Policy is selected on CATEGORIES tab.
- PCRE selection of SIDs not working correctly for auto-SID management.
Known Limitations:
At the moment, if you select a Snort VRT IPS Policy and try to view all the rules selected by the policy on the RULES tab, you will crash the PHP process for the Suricata GUI and get a blank browser screen. This happens because the large IPS Policy rule set for the "Balanced" or "Security" policies exhausts the maximum PHP memory pool allowed by current pfSense settings. A solution for that is being looked into by the pfSense developers. In the interim, do not attempt to view an IPS Policy rule set on the RULES tab. Note that although doing so will crash the PHP process showing you the RULES tab page, it won't impact the firewall operation and will not crash the Suricata binary. It just crashes the individual process that was attempting to display the rules.
Bill
-