OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: JohnDoe17 on January 21, 2019, 10:35:05 pm

Title: 18.7.10 and Suricata
Post by: JohnDoe17 on January 21, 2019, 10:35:05 pm
Hello.

Are there known issues with Suricata and OPNsense 18.7.10_3?  I just upgraded from 18.7.7, and Suricata doesn't seem like it's working any more.  Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any!  Seems hard to believe.

I have OPNsense configured to use it on a number of internal interfaces, but not WAN.  And I have chosen Hyperscan as the matching engine.  (I did try the default engine too, but that didn't seem to make a difference.)

I'm using http://testmyids.com to try to stimulate an alert.  This has worked in the past, but nothing happens after the upgrade.

Any ideas?

P.S.  I really love OPNsense.  I've been using it for a couple of years, and I recommend it to others.  Thanks for the great work!
Title: Re: 18.7.10 and Suricata
Post by: franco on January 22, 2019, 08:02:23 am
Hi,

Suricata 4.1.2 could have issues. We're not sure at this point.

Can you try to revert Suricata, i.e.

# opnsense-revert -r 18.7.9 suricata

And restart the service manually.


Cheers,
Franco
Title: Re: 18.7.10 and Suricata
Post by: MakesSense on January 22, 2019, 12:28:38 pm
For me it was the same, almost all alerts disappeared when I upgraded to Suricata 4.1.2. I found that the OISF/suricata rules disappeared when I upgraded. That rule set makes a lot of noise, especially if you have the STREAM rules enabled, but many of them I find very useful.

Some rules didn't load properly with 4.1.2 when I downloaded them manually, so I added my own STREAM rules based on the rules in that rule set.

The OISF/suricata rules can be found here:
https://github.com/OISF/suricata/tree/master/rules
Title: Re: 18.7.10 and Suricata
Post by: JohnDoe17 on January 23, 2019, 05:49:28 pm
Well, after reverting, I seem to be getting alerts again.  And the rules lists are downloading again.

Thanks, Franco.

I assume if this gets sorted out in the future, when I upgrade to 19.1.x, the reverted version will upgrade at that time too?
Title: Re: 18.7.10 and Suricata
Post by: myksto on January 25, 2019, 09:08:27 am
I too noticed the same issue.
When I restarted the Suricata service I saw these errors in the logs:

Jan 25 08:56:13   suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "</html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 148
Jan 25 08:56:13   suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<html lang="en">" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 2
Jan 25 08:56:13   suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<!doctype html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 1
Jan 25 08:56:13   suricata: [100116] <Notice> -- This is Suricata version 4.1.2 RELEASE

No alerts are stored.
After reverting to version 4.0.6, alerts are shown again even though the above errors still appear (maybe it's another kind of problem that has nothing to do with the new version of Suricata).
There is some problem with the new version of Suricata.

Best regards,
Michele.
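The errors Michele posted show what the problem with abuse.ch.feodotracker.rules actually is: lines 1, 2 and 148 of the "rules" file are `<!doctype html>`, `<html lang="en">` and `</html>`, i.e. the download stored a web page (most likely an error page) where a rule set should be. Below is an added example, written for this thread and not part of OPNsense or Suricata, of a small pre-restart check that tells an HTML page apart from a rule set and reports lines that do not parse as rules (it also catches a missing or duplicate sid, which is the kind of problem MakesSense ran into when hand-adding STREAM rules). The rule syntax it accepts (`action proto src port -> dst port (options)`, `sid:` in the options, trailing-backslash line continuation, `#` for disabled rules) is standard Suricata syntax; the check is deliberately stricter than Suricata's loader, which skips lines beginning with whitespace, and that difference is the likely reason only the three unindented HTML lines appear in the log above. Every sample rule and the sample HTML page are constructed for this example; the sid values are arbitrary.

```python
"""Sanity-check a Suricata rules file before (re)starting the engine.

Added example for the thread above (not OPNsense or Suricata code): flags a
rule file that is really an HTML page, plus lines that do not parse as rules.
All sample data below is constructed for this example.
"""
import re
import sys
from dataclasses import dataclass, field

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# action proto src src_port direction dst dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
HTML_RE = re.compile(r"^<(?:!|/?[A-Za-z])")  # <!doctype ...>, <html ...>, </html>


@dataclass
class CheckResult:
    rules: int = 0          # rules that would load
    disabled: int = 0       # commented-out rules
    html_lines: int = 0     # lines that are HTML markup, not rules
    errors: list = field(default_factory=list)  # (line_no, reason, text)
    sids: set = field(default_factory=set)


def _logical_lines(text):
    """Yield (first_line_no, text), joining lines that end in a backslash."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:
        yield start, "".join(buf)


def check_rules_text(text):
    """Classify every logical line as rule, disabled rule, HTML or error.

    Unlike Suricata's loader this also inspects indented lines, so a
    pretty-printed HTML page is reported in full rather than only by its
    unindented first and last lines.
    """
    r = CheckResult()
    for n, logical in _logical_lines(text):
        line = logical.strip()
        if not line:
            continue
        if line.startswith("#"):
            if RULE_RE.match(line.lstrip("#").strip()):
                r.disabled += 1
            continue
        if HTML_RE.match(line):
            r.html_lines += 1
            r.errors.append((n, "HTML markup instead of a rule", line))
            continue
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group("opts")) if m else None
        if not m:
            r.errors.append((n, "does not match rule syntax", line))
        elif m.group("action") not in ACTIONS:
            r.errors.append((n, "unknown action %r" % m.group("action"), line))
        elif sid is None:
            r.errors.append((n, "missing sid", line))
        elif sid.group(1) in r.sids:
            r.errors.append((n, "duplicate sid %s" % sid.group(1), line))
        else:
            r.sids.add(sid.group(1))
            r.rules += 1
    return r


def verdict(r):
    """One-line summary for a pre-restart check script."""
    if r.html_lines and not r.rules:
        return "not a rule set: %d HTML lines, 0 rules (download returned a web page?)" % r.html_lines
    if r.errors:
        return "%d rules loadable, %d disabled, %d bad lines" % (r.rules, r.disabled, len(r.errors))
    return "%d rules loadable, %d disabled, no errors" % (r.rules, r.disabled)


def check_rules_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_rules_text(fh.read())


# Constructed sample rule set (sids arbitrary; not a real download).
GOOD_RULES = "\n".join([
    "# constructed sample rule set, not a real download",
    'alert tcp any any -> any any (msg:"CONSTRUCTED STREAM event, in the style of the OISF stream-events rules"; stream-event:3whs_wrong_seq_wrong_ack; sid:9000000; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED id check returned root"; flow:established,to_client; content:"uid=0|28|root|29|"; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"CONSTRUCTED multi-line rule"; \\',
    "    flow:established,to_server; sid:9000002; rev:1;)",
    '# alert ip any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000003; rev:1;)',
    'alert tcp any any -> any any (msg:"CONSTRUCTED missing sid"; rev:1;)',
    'alert tcp any any -> any any (msg:"CONSTRUCTED duplicate"; sid:9000001; rev:1;)',
])

# Constructed error page, the kind of content the log above shows in place of rules.
HTML_PAGE = "\n".join([
    "<!doctype html>",
    '<html lang="en">',
    "  <head>",
    "    <title>Service Unavailable</title>",
    "  </head>",
    "  <body>",
    "    <p>The requested file is temporarily unavailable.</p>",
    "  </body>",
    "</html>",
])

if __name__ == "__main__":
    # e.g. /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules
    res = check_rules_file(sys.argv[1]) if len(sys.argv) > 1 else check_rules_text(HTML_PAGE)
    for n, reason, text in res.errors[:5]:
        print("line %d: %s: %s" % (n, reason, text))
    print(verdict(res))
```

Run it against a file from the rules directory before restarting the service; a verdict of "not a rule set" means re-downloading the rule set (or checking whether the source URL still serves plain rules) will do more than reverting the package.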