OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: franco on October 09, 2025, 10:49:59 AM

Title: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 09, 2025, 10:49:59 AM
Hi all,

Suricata 8 has been out for a bit, but recently offered version 8.0.1 so it's time to do a public call for testing just to be sure it's safe to bring it into one of the next stable updates (ideally 25.7.6, but we will see).

The changes seem to be additive with the nicest change of libhtp now being reimplemented in native Rust.

The only incompatibility found was that "ac-bs" Aho-Corasick pattern matcher is no longer available. Already changed that for the development version if anyone was using it but it also only prints a warning and reverts to the standard "ac" variant at runtime. Just so you know that bit.  ;)

Testing looks good and Netmap IPS mode is behaving nicely.

Now it's your turn...

# opnsense-revert -z suricata

The service will need a restart to activate the new version.

Looking forward to all feedback--negative and positive!


Thanks,
Franco

https://suricata.io/2025/07/08/suricata-8-0-0-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: sopex8260 on October 09, 2025, 06:41:42 PM
https://youtu.be/pIakAc3biQA?si=16a1TqYqVCJ-gLlk
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 09, 2025, 09:37:54 PM
root@router:~ # opnsense-update -z suricata
Usage: man opnsense-update

gives me an error and doesn't install on 25.7.5
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: _tribal_ on October 09, 2025, 10:08:13 PM
Quote from: franco on October 09, 2025, 10:49:59 AM
# opnsense-update -z suricata

The service will need a restart to activate the new version.

root@OPNsense:~ # opnsense-update -z suricata
Usage: man opnsense-update
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 10, 2025, 08:08:49 AM
Ooops, should have been opnsense-revert. Sorry about that. When you don't use AI to write your stuff...


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 02:07:43 PM
opnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.


Quote from: franco on October 10, 2025, 08:08:49 AM
Ooops, should have been opnsense-revert. Sorry about that. When you don't use AI to write your stuff...


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 02:49:14 PM
IPS mode gave me an immediate block on all traffic, testing IDS now, so far so good. I am using VLANs and have Promiscuous mode enabled aka netmap. Unknown why IPS blocked everything, will test over the next few days to see if I can narrow it down. Not the same issue going from suricata 6 to 7 with the exception-policy: ignore setting, as the config setting still exists.

I did see in the install notes that many settings need to be added to /etc/rc.conf and I don't see that file or any rc.conf when searching the system.

Did not TRY yet adding the following in Tunables
You may want to try BPF in zerocopy mode to test performance improvements:

        sysctl -w net.bpf.zerocopy_enable=1


Quote from: danderson on October 10, 2025, 02:07:43 PM
opnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.

Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 02:56:08 PM
So far IDS still ok, but went over the logs while in IPS and things broke, here is what I saw.

Still had plenty of RAM avail on opnsense.

2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758119] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758138] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758327] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758312] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758183] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758163] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758325] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758323] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758308] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758313] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758309] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 10, 2025, 03:00:06 PM
Thanks so far... first things first you can always go back with

# opnsense-revert suricata

About Netmap it could be that the RAM requirement increased looking at the error, but the question is if you normally use IPS mode and if it works with current 7.0.12?

I think you can ignore the package messages during install. The zero copy one is a very old note.


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 03:03:16 PM
Yes, IPS always on in 7.0.12 and no changes in config, just applied the update package and restarted the service. Right now I have it running in IDS and so far so good, that's the only change.

Quote from: franco on October 10, 2025, 03:00:06 PM
Thanks so far... first things first you can always go back with

# opnsense-revert suricata

About Netmap it could be that the RAM requirement increased looking at the error, but the question is if you normally use IPS mode and if it works with current 7.0.12?

I think you can ignore the package messages during install. The zero copy one is a very old note.


Cheers,
Franco

Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 10, 2025, 03:06:08 PM
Ok, FWIW, I also used igc and it worked for my WAN letting packets pass through normally.

I'll try to chase netmap changes on their end to see if something got optimised that should not have.


Thanks,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 03:20:12 PM
I just applied it to 2 other FWs that are not using netmap as VLANs are on the core router/switch, using a different nic (ice) and no errors or issues, lots of traffic and things showing up in the IPS logs like normal.

So appears to be netmap issue more and more.

Quote from: franco on October 10, 2025, 03:06:08 PM
Ok, FWIW, I also used igc and it worked for my WAN letting packets pass through normally.

I'll try to chase netmap changes on their end to see if something got optimised that should not have.


Thanks,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 10, 2025, 04:55:16 PM
Increasing the buffer size for netmap appears to have resolved the issue I was having

dev.netmap.buf_size From 4096 to 8192
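The netmap poll errors quoted a few posts up and the dev.netmap.buf_size change just above are the two things worth connecting when triaging an IPS outage like this one. The following Python script is an added example, not code from this thread, from OPNsense or from Suricata: it parses log lines in the layout the OPNsense log view produced above (timestamp, level and process name run together), counts netmap poll errors per port and reason, and flags "No buffer space available" (ENOBUFS) as a buffer exhaustion symptom, suggesting the doubling of dev.netmap.buf_size that resolved the issue in this thread. The sample lines are constructed from the ones posted; the 4096 starting value and the "double it" advice are taken from this thread, not from Suricata documentation. The trailing `^` on a port name is netmap's notation for the host-stack side of the interface.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log lines posted in this thread.
SAMPLE_LOG = """\
2025-10-10T06:24:29-06:00Errorsuricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00Errorsuricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00Errorsuricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00Errorsuricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00Errorsuricata[758323] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:40-06:00Noticesuricata[758100] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Header as the OPNsense log view renders it: ISO timestamp, level and process
# name fused together, then "[pid] <Level> -- message".
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"(?P<level>Error|Warning|Notice|Info|Debug|Config|Perf)"
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+(?P<msg>.*)$"
)
# Netmap poll failure; a trailing '^' marks the host-stack side of the port.
NETMAP_RE = re.compile(
    r"^(?P<iface>[A-Za-z0-9_.]+?)(?P<host>\^?): error reading netmap data via polling: (?P<reason>.+)$"
)

ENOBUFS = "No buffer space available"


def parse_line(line):
    """Split one log line into fields; return None for lines that do not parse."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    nm = NETMAP_RE.match(rec["msg"])
    if nm:
        rec["port"] = nm.group("iface") + nm.group("host")
        rec["reason"] = nm.group("reason").strip()
    return rec


def summarize(text):
    """Count netmap poll errors per port and per reason: {port: {reason: n}}."""
    per_port = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "reason" in rec:
            per_port[rec["port"]][rec["reason"]] += 1
    return {port: dict(c) for port, c in per_port.items()}


def triage(summary, current_buf_size=4096):
    """Turn the per-port counts into findings a defender can act on.

    The buffer-size advice mirrors the outcome reported in this thread
    (dev.netmap.buf_size 4096 -> 8192); it is a starting point, not a rule.
    """
    findings = []
    for port in sorted(summary):
        reasons = summary[port]
        enobufs = reasons.get(ENOBUFS, 0)
        if enobufs:
            findings.append(
                f"{port}: {enobufs} ENOBUFS poll errors; netmap buffers exhausted, consider "
                f"doubling dev.netmap.buf_size ({current_buf_size} -> {current_buf_size * 2})"
            )
        others = {r: n for r, n in reasons.items() if r != ENOBUFS}
        if others:
            findings.append(
                f"{port}: {sum(others.values())} other netmap poll errors ({', '.join(others)})"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(summarize(SAMPLE_LOG)):
        print(finding)
```

Run it against the raw text of the log view export; anything that does not match the header pattern is skipped rather than raising, so other services' lines in a combined export are harmless.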
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 13, 2025, 11:17:15 AM
@danderson just to be sure what hardware are you using and how much traffic are you pushing on average through Suricata?


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: danderson on October 13, 2025, 04:06:56 PM
Hardware is https://protectli.com/product/v1410/

It's my home fw so on a gig pipe it's prob 10m sustained over 24hrs and all my traffic flows through suricata

Quote from: franco on October 13, 2025, 11:17:15 AM
@danderson just to be sure what hardware are you using and how much traffic are you pushing on average through Suricata?


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: jonny5 on October 14, 2025, 09:46:30 AM
Installed 8.0.1 - works in IDS (OPNsense 25.7.5-amd64 - we do not IPS)

Use the logging and have modded things to use 'suricata-update' instead of the Policy rule management OPNSense feature

All of which still works great! Seems there were minimal 'suricata.yaml' file modifications too, will follow up here after combing through the latest published Suricata config file example

It should be mentioned (and this might be more in plugin or core - looking for help/direction):
It has been difficult to keep a 'custom.yaml' file, which can allow us to customize the Suricata config even more
We significantly use this, and as we've disabled the OPNSense IDS update cron task our 'custom.yaml' file at /usr/local/etc/suricata/ does not get replaced any more. It would be neat to either now, or in the future see about having a way to have a heavily customized 'custom.yaml' for Suricata that stays around natively (currently if we modify the template it breaks on copy/import).

Extra - the suricata-update thing:
https://www.nova-labs.net/using-suricata-update-on-opnsense/
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: jonny5 on October 20, 2025, 10:29:30 PM
Checked the app-layer section of the latest suricata.yaml file against suricata.yaml, this is a strong inspection enablement

app-layer:
  # error-policy: ignore
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
      # max-msg-length: 1 MiB
      # subscribe-topic-match-limit: 100
      # unsubscribe-topic-match-limit: 100
      # Maximum number of live MQTT transactions per flow
      # max-tx: 4096
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Generate JA3/JA4 fingerprints from client hello. If not specified it
      # will be disabled by default, but enabled if rules require it.
      ja3-fingerprints: auto
      ja4-fingerprints: auto

      # What to do when the encrypted communications start:
      # - track-only: keep tracking TLS session, check for protocol anomalies,
      #            inspect tls_* keywords. Disables inspection of unmodified
      #            'content' signatures. (default)
      # - bypass:  stop processing this flow as much as possible. No further
      #            TLS parsing and inspection. Offload flow bypass to kernel
      #            or hardware if possible.
      # - full:    keep tracking and inspection as normal. Unmodified content
      #            keyword signatures are inspected as well.
      #
      # For best performance, select 'bypass'.
      #
      #encryption-handling: track-only

    pgsql:
      enabled: yes
      # Stream reassembly size for PostgreSQL. By default, track it completely.
      stream-depth: 0
      # Maximum number of live PostgreSQL transactions per flow
      max-tx: 1024
    dcerpc:
      enabled: yes
      # Maximum number of live DCERPC transactions per flow
      # max-tx: 1024
    ftp:
      enabled: yes
      # memcap: 64 MiB
    websocket:
      enabled: yes
      # Maximum used payload size, the rest is skipped
      # Also applies as a maximum for uncompressed data
      max-payload-size: 64 KiB
    rdp:
      #enabled: yes
    ssh:
      enabled: yes
      # hassh: no

      # What to do when the encrypted communications start:
      # - track-only: keep tracking but stop inspection (default)
      # - full:    keep tracking and inspect as normal
      # - bypass:  stop processing this flow as much as possible.
      #            Offload flow bypass to kernel or hardware if possible.
      # For the best performance, select 'bypass'.
      #
      # encryption-handling: track-only
    doh2:
      enabled: yes
    http2:
      enabled: yes
      # Maximum number of live HTTP2 streams in a flow
      #max-streams: 4096
      # Maximum headers table size
      #max-table-size: 65536
      # Maximum reassembly size for header + continuation frames
      #max-reassembly-size: 102400
    smtp:
      enabled: yes
      raw-extraction: no
      # Maximum number of live SMTP transactions per flow
      # max-tx: 256
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Scheme of URLs to extract
        # (default is [http])
        #extract-urls-schemes: [http, https, ftp, mailto]
        # Log the scheme of URLs that are extracted
        # (default is no)
        #log-url-scheme: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        # Set it to no to disable it.
        # Default is auto: not enabled until a rule needs it
        # body-md5: auto
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    pop3:
      enabled: yes
      detection-ports:
        dp: 110
      # Stream reassembly size for POP3. By default, track it completely.
      stream-depth: 0
      # Maximum number of live POP3 transactions per flow
      # max-tx: 256
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
      # Maximum number of live SMB transactions per flow
      # max-tx: 1024

      # Stream reassembly size for SMB streams. By default track it completely.
      #stream-depth: 0

    nfs:
      enabled: yes
      # max-tx: 1024
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes

      # Byte Range Containers default settings
      # byterange:
      #   memcap: 100 MiB
      #   timeout: 60

      # memcap:                   Maximum memory capacity for HTTP
      #                           Default is unlimited, values can be 64 MiB, e.g.

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #
      #   For advanced options, see the user guide


      # server-config:            List of server configurations to use if address matches
      #   address:                List of IP addresses or networks for this block
      #   personality:            List of personalities used by this block
      #
      #                           Then, all the fields from default-config can be overloaded
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in KiB, MiB, GiB.  Just a number indicates
           # it's in bytes.
           request-body-limit: 100 KiB
           response-body-limit: 100 KiB

           # inspection limits
           request-body-minimal-inspect-size: 32 KiB
           request-body-inspect-window: 4 KiB
           response-body-minimal-inspect-size: 40 KiB
           response-body-inspect-window: 16 KiB

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Decompress SWF files. Disabled by default.
           # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
           # compress-depth:
           # Specifies the maximum amount of data to decompress,
           # set 0 for unlimited.
           # decompress-depth:
           # Specifies the maximum amount of decompressed data to obtain,
           # set 0 for unlimited.
           swf-decompression:
             enabled: no
             type: both
             compress-depth: 100 KiB
             decompress-depth: 100 KiB

           # Use a random value for inspection sizes around the specified value.
           # This lowers the risk of some evasion techniques but could lead
           # to detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If "randomize-inspection-sizes" is active, the value of various
           # inspection size will be chosen from the [1 - range%, 1 + range%]
           # range
           # Default value of "randomize-inspection-range" is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

           # Can enable LZMA decompression
           #lzma-enabled: false
           # Memory limit usage for LZMA decompression dictionary
           # Data is decompressed until dictionary reaches this size
           #lzma-memlimit: 1 MiB
           # Maximum decompressed size with a compression ratio
           # above 2048 (only LZMA can reach this ratio, deflate cannot)
           #compression-bomb-limit: 1 MiB
           # Maximum time spent decompressing a single transaction in usec
           #decompression-time-limit: 100000
           # Maximum number of live transactions per flow
           #max-tx: 512
           # Maximum used number of HTTP1 headers in one request or response
           #headers-limit: 1024

         server-config:

           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in KiB, MiB, GiB.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in KiB, MiB, GiB.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

    # Note: Modbus probe parser is minimalist due to the limited usage in the field.
    # Only Modbus message length (greater than Modbus header length)
    # and protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positives
    modbus:
      # How many unanswered Modbus requests are considered a flood.
      # If the limit is reached, the app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: yes
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: yes
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    quic:
      enabled: yes

    dhcp:
      enabled: yes

    sip:
      enabled: yes

    ldap:
      tcp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
      udp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
      # Maximum number of live LDAP transactions per flow
      # max-tx: 1024

    mdns:
      enabled: yes

A reference to what I am checking against:
https://github.com/OISF/suricata/blob/main/suricata.yaml.in
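When comparing an app-layer section like the one quoted above against the shipped suricata.yaml, the question is usually which protocol parsers are enabled, detection-only, disabled or left unset, and which detection ports they bind to. The script below is an added example and not code from this thread, from OPNsense or from Suricata: a dependency-free indentation walker for the `key: value` subset that section uses (it is not a general YAML parser), which extracts that per-protocol state and diffs two versions of the section. The embedded excerpt is constructed in the layout of the quoted config; the `rdp` block with its `enabled` key commented out is kept to show the "unset" case.

```python
import re

# Constructed excerpt in the layout of the app-layer section quoted above.
SAMPLE_YAML = """\
app-layer:
  # error-policy: ignore
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      ja3-fingerprints: auto
      #encryption-handling: track-only
    rdp:
      #enabled: yes
    imap:
      enabled: detection-only
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: no
    http:
      enabled: yes
      libhtp:
         default-config:
           personality: IDS
"""

KEY_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.-]+):\s*(?P<value>.*)$")


def _strip_comment(value):
    # Drop a trailing "# ..." comment; values in this section are never quoted.
    return value.split("#", 1)[0].strip()


def parse_app_layer(text):
    """Return {protocol: {"enabled": value or None, "dp": [ports]}} for app-layer.protocols.

    Nested parsers such as dns.tcp are keyed by their dotted path; a parent key
    that only groups children (dns) is dropped from the result.
    """
    stack = []  # (indent, key) of the enclosing mappings
    protocols = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = KEY_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key"), _strip_comment(m.group("value"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack]
        if path[:2] == ["app-layer", "protocols"]:
            proto_path = path[2:]
            if key == "enabled" and proto_path:
                name = ".".join(proto_path)
                protocols.setdefault(name, {"enabled": None, "dp": []})["enabled"] = value
            elif key == "dp" and proto_path and proto_path[-1] == "detection-ports":
                name = ".".join(proto_path[:-1])
                ports = [int(p) for p in value.split(",") if p.strip()]
                protocols.setdefault(name, {"enabled": None, "dp": []})["dp"] = ports
            elif len(path) == 2 and value == "":
                # A protocol block seen before (or without) its enabled key.
                protocols.setdefault(key, {"enabled": None, "dp": []})
        stack.append((indent, key))
    for name in list(protocols):
        if protocols[name]["enabled"] is None and any(o.startswith(name + ".") for o in protocols):
            del protocols[name]
    return protocols


def report(protocols):
    """Bucket parsers by state so a reviewer sees at a glance what is inspected."""
    buckets = {"enabled": [], "detection_only": [], "disabled": [], "unset": [], "other": []}
    for name, info in protocols.items():
        v = info["enabled"]
        if v is None:
            bucket = "unset"
        elif v in ("yes", "true"):
            bucket = "enabled"
        elif v in ("no", "false"):
            bucket = "disabled"
        elif v == "detection-only":
            bucket = "detection_only"
        else:
            bucket = "other"
        buckets[bucket].append(name)
    return buckets


def diff_enabled(before, after):
    """Parsers whose enabled state differs between two parsed sections: {name: (old, new)}."""
    names = set(before) | set(after)
    changes = {}
    for name in sorted(names):
        old = before.get(name, {}).get("enabled")
        new = after.get(name, {}).get("enabled")
        if old != new:
            changes[name] = (old, new)
    return changes
```

Feed `parse_app_layer` the app-layer section of the running config and of the new upstream suricata.yaml.in, then `diff_enabled` on the two results lists exactly the parser switches that changed; `report` on either result gives the enabled/detection-only/disabled/unset split for a quick review.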
Title: Re: [CALL FOR TESTING] Suricata version 8
Post by: franco on October 22, 2025, 10:16:18 AM
@jonny5 We are open to suggestions and further suricata.yaml tweaks. I agree that custom.yaml is not ideal due to how YAML works but for persistent changes feature additions into the GUI are the best approach forward.

As far as buffer sizes go this has historically been an elusive issue and local fixes can make this better, but it doesn't appear on the hardware we have tested and therefore found no direct relation to code changes in Suricata.

I'm going to close this CFT since we are going to ship Suricata 8.0.1 today in 25.7.6.


Thanks for testing,
Franco