OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: franco on March 08, 2019, 12:24:27 pm
-
Dear all,
Suricata 4.1.3 was released yesterday with the following changes:
https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/
Three of those issues have had impact on OPNsense, namely:
Bug #2811: netmap/afpacket IPS: stream.inline: auto broken (worked around in OPNsense 19.1.2)
Bug #2842: IPS mode crash under load (no workaround existed, regression since Suricata 4.1)
Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT) (Sensei authors provided a patch for us in OPNsense 19.1)
You can manually install the latest version using (amd64 ONLY!):
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/suricata-4.1.3.txz
And restart the service.
To go back to the last release version use:
# opnsense-revert suricata
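As an added example (not part of Franco's post and not an OPNsense tool), the following POSIX sh helper runs a pre-check before the manual `pkg add -f` step: it reads the `Version :` line of `pkg info suricata` output, strips the FreeBSD port revision suffix, and reports whether the installed package is already at or past 4.1.3, the release that carries the fix for the IPS crash under load (bug #2842). The `pkg info` output embedded here is constructed for offline testing; on a real box you would feed it `"$(pkg info suricata)"` and then run the `pkg add -f` and service restart from the post only when the verdict is `upgrade`.

```shell
#!/bin/sh
# Added example: decide whether the installed Suricata package already
# includes the 4.1.3 fixes before forcing the snapshot package with pkg.
# Nothing here calls pkg itself; the query output is passed in as text.

# Constructed samples of 'pkg info suricata' output (not real captures).
SAMPLE_OLD='suricata-4.1.2_1
Name           : suricata
Version        : 4.1.2_1
Installed on   : Fri Mar  8 09:00:00 2019 CET
Origin         : security/suricata'

SAMPLE_NEW='suricata-4.1.3
Name           : suricata
Version        : 4.1.3
Installed on   : Fri Mar  8 12:30:00 2019 CET
Origin         : security/suricata'

# Print the upstream version from pkg info output, dropping the FreeBSD
# port revision (the _N suffix), e.g. "4.1.2_1" -> "4.1.2".
suricata_version() {
  printf '%s\n' "$1" |
    awk -F': *' '$1 ~ /^Version/ { sub(/_.*/, "", $2); print $2; exit }'
}

# Return 0 when dotted version $1 is >= dotted version $2.
# Missing components count as 0, so "4.1" compares as "4.1.0".
version_ge() {
  ver_a="$1"; ver_b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$ver_a" | awk -F. -v n="$i" '{ print $n + 0 }')
    b=$(printf '%s' "$ver_b" | awk -F. -v n="$i" '{ print $n + 0 }')
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Verdict on pkg info output: "ok" (exit 0) if the package is >= 4.1.3,
# "upgrade" (exit 1) if older, "unknown" (exit 2) if no version was found.
check_fix() {
  v=$(suricata_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if version_ge "$v" 4.1.3; then echo "ok"; return 0; fi
  echo "upgrade"; return 1
}

# Stand-alone run over the constructed samples: prints "upgrade" then "ok".
# On a real OPNsense box: check_fix "$(pkg info suricata)"
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  check_fix "$sample" || :   # non-zero status only means "not yet fixed"
done
```

The port revision is stripped deliberately: `4.1.2_1` is still upstream 4.1.2 and does not contain the 4.1.3 fixes, so comparing the raw package version string would give the wrong answer.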
Happy to hear feedback even if it simply continues to work ok.
Thank you,
Franco
-
Hi Franco
I've installed Suricata 4.1.3 to give it a try.
After restarting the service, I see this warning in the log:
suricata: [100175] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Regards,
Stefan
-
Hi Stefan,
Thanks, right, we'll have to keep an eye out for this when the testing for Suricata 5.0 begins.
Cheers,
Franco
-
Hi Franco,
It seems to be running stable on my box.
I'm testing it on OPNsense 19.1.3 and kernel 19.1-netmap. ;)
Best Regards,
Stefan
-
Hi Stefan,
Yay, sounds good. We did a stress-test internally and Suricata is holding up fine now. Last piece for my home network is testing 19.1-netmap like you're running.
So far, everything is looking shiny.
Cheers,
Franco
-
Alright, this was included in 19.1.4 and looks like it's working. Special thanks to fightingmasta for the help. :)
Cheers,
Franco
-
Not sure if this is the right place or not.... but I think I may still be seeing an issue. I couldn't find exact symptoms of the crash that this version should resolve.
Running an HA setup, I see the CPU spike to 100% of 1 core/thread - linear CPU increase, over 12-15 minutes - once maxed, this then causes the Opnsense nodes to failover to the secondary. em2 is the only interface running IDS.
kernel: carp: 30@em2: BACKUP -> MASTER (master timed out)
Seems to occur after around 8-10 hours, has happened a few times, load has been higher during those hours so doesn't seem to be peak load related as such, minimum 100+ Mbps throughput constantly on the device.
I have tried running in IPS mode, with only the Eicar rule loaded, no VLANs etc. Tuned settings for things like flow control etc. Will perform some more testing next week, I have disabled it for now.
EDIT: Found it, will compare against:
https://redmine.openinfosecfoundation.org/issues/2842
-
Out of curiosity, is it possible to easily downgrade to 4.0.x (as I believe this impacts 4.1.x, potentially, only) without causing headaches? Am I likely going to end up in a world of pain if I do, already running stock 19.1.4:
pkg add -r https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/All/suricata-4.0.5.txz