OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: spetrillo on June 01, 2019, 03:19:22 am
-
Hello all,
Is there a way to upload a new package, in this case the Suricata 5 beta, so it can be installed via the GUI? Or does this need to be done via the CLI instead?
Thanks,
Steve
-
Hi Steve,
Working on this for 19.1.9, although we won't have the suricata-devel package installable with a single click at the moment, as the core package will need to be rebuilt from the git repository with the suricata package replaced.
Cheers,
Franco
-
No worries... and thanks for all the efforts. I am learning a lot about OPNsense!
-
Ping me after 19.1.9 is out so I can post instructions here on how to use the Suricata 5 package. I have to give it a good testing beforehand to make sure nothing unpleasant happens.
Cheers,
Franco
-
As I will soon be the happy owner of an apu4, I will join the testing then.
-
Hey @franco, is it time to test the Suricata 5 install?
-
When on 19.1.9:
pkg install suricata-devel
-
This will try to uninstall the pkg opnsense-19.1.9.
-
Switch to development and do an upgrade to install it. Then on the console:
# opnsense-code core
# cd /usr/core
# make upgrade CORE_SURICATA=-devel
Cheers,
Franco
-
Thanks! On S5 now. Just done some testing with EICAR; this works quite well.
I had another firewall with IPFire/Suricata in parallel. What is astonishing: that one drops attacks like crazy with the same rules ("compromised", I think, is good for testing), whilst I see nearly no attacks on OPNsense.
-
After a few days, I cannot see any difference between 5 beta and 4. Should there be a difference?
All I've seen so far is that the CPU is no longer on high load for a long time when downloading, e.g., a 2 GB DVD ISO.
-
After changing some rules today I have the following message:
suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - netmap interface igb2+ uses obsolete '+' notation. Using '^' instead
In this case it's the WAN interface, but this comes for all interfaces.
And: I get nearly no entries in the alert log, although I have a web and mail server with both IMAP and SMTP rules... This feels a little bit strange. On Suricata 4 too.
-
Still only entries in the alarm tab if I test with EICAR. Nothing else. I am not sure if it is working correctly. Does somebody else perhaps have more reliable results?
BTW, I am in IPS mode. Will switch now to IDP.
-
Still no change. Am I the only tester for the moment? When is 5 planned in OPNsense for go-live?
BTW, I deleted all the rules in /usr/local/etc/suricata/rules and ./opnsense-rules, as I got masses of errors about flowbits set. Re-downloaded all the rules I checked, but the errors persist.
-
S5 isn't stable yet, so there are no plans to migrate.
-
So I ask: does it make sense to test S5 here?
-
Sure it makes sense; maybe it makes sense to switch logging to syslog and check eve.log for S5 findings.
Regarding the interface naming, maybe it's worth checking the release notes.
Most of the devs are highly loaded with other tasks; that's why they'll start to test when S5 is stable (my personal view). Nonetheless, it's very appreciated that you start testing first! 8)
-
OK, can we be sure that the rulesets, e.g. ET Open, are compatible between the versions?
-
I haven't tested them yet, but you should get some warnings in the suricata log if they don't fit.
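The two checks suggested in this thread (look at the suricata log for rule-loading warnings such as the obsolete '+' netmap notation and the flowbits errors, and look at eve.json to see whether alerts are actually being produced) can be scripted. The following is an added example, not code from the thread or from the OPNsense project. It parses log lines in the syslog shape quoted above and eve.json records, and summarises them. The sample lines are constructed: only the SC_WARN_OPTION_OBSOLETE line is taken from the thread; the other error codes, their numbers, the signature IDs and the addresses are illustrative assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample of suricata.log as it arrives via syslog. The first line
# is the one quoted in the thread; the remaining lines (and their error code
# numbers) are illustrative assumptions, not real Suricata output.
SURICATA_LOG = """\
suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - netmap interface igb2+ uses obsolete '+' notation. Using '^' instead
suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - netmap interface igb0+ uses obsolete '+' notation. Using '^' instead
suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.example' is checked but not set. Checked in 2000001 and 0 other sigs
suricata: [100705] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:broken; sid:1;)" from file /usr/local/etc/suricata/opnsense.rules at line 12
suricata: [100705] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Constructed eve.json sample: three alerts (two for the same sid) and one
# flow record. sids, messages and addresses are illustrative.
EVE_JSON = """\
{"timestamp":"2019-06-20T10:11:12.000000+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-06-20T10:11:13.000000+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","signature_id":2001669,"signature":"ET MALWARE EICAR test file","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-06-20T10:11:14.000000+0200","event_type":"flow","src_ip":"192.0.2.11","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2019-06-20T10:11:15.000000+0200","event_type":"alert","src_ip":"192.0.2.12","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
"""

# Matches both the syslog form ("<Warning> -- [ERRCODE: ...] - msg") and the
# form in a directly written suricata.log ("<Warning> - [ERRCODE: ...] - msg").
# Notice lines carry no ERRCODE, so that group is optional.
LOG_RE = re.compile(
    r"<(?P<level>\w+)> -+ (?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)
OBSOLETE_IF_RE = re.compile(r"netmap interface (\S+) uses obsolete")


def parse_suricata_log(text):
    """Return one dict per recognised log line: level, code, num, msg."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog noise
        records.append({
            "level": m["level"],
            "code": m["code"],
            "num": int(m["num"]) if m["num"] else None,
            "msg": m["msg"],
        })
    return records


def summarize_log(text):
    """Count log lines per (level, ERRCODE name) so rule-load problems stand out."""
    recs = parse_suricata_log(text)
    return {
        "by_code": Counter((r["level"], r["code"] or "-") for r in recs),
        "errors": [r["msg"] for r in recs if r["level"] == "Error"],
    }


def obsolete_netmap_interfaces(text):
    """Interfaces still configured with the '+' netmap suffix, in log order."""
    found = []
    for r in parse_suricata_log(text):
        if r["code"] == "SC_WARN_OPTION_OBSOLETE":
            m = OBSOLETE_IF_RE.search(r["msg"])
            if m:
                found.append(m.group(1))
    return found


def summarize_eve(text):
    """Count eve.json events per type and alerts per signature id and action."""
    events = Counter()
    alerts_by_sid = Counter()
    actions = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        events[ev["event_type"]] += 1
        if ev["event_type"] == "alert":
            alerts_by_sid[ev["alert"]["signature_id"]] += 1
            actions[ev["alert"]["action"]] += 1
    return {"events": events, "alerts_by_sid": alerts_by_sid, "actions": actions}


if __name__ == "__main__":
    log = summarize_log(SURICATA_LOG)
    for (level, code), n in sorted(log["by_code"].items()):
        print(f"{n:4d}  {level:8s} {code}")
    print("obsolete netmap interfaces:", obsolete_netmap_interfaces(SURICATA_LOG))
    eve = summarize_eve(EVE_JSON)
    print("event types:", dict(eve["events"]))
    print("alerts per sid:", dict(eve["alerts_by_sid"]), "actions:", dict(eve["actions"]))
```

To use it on a live box, replace the two constructed strings with the contents of the suricata log (or the syslog file it was redirected to) and /var/log/suricata/eve.json. A non-empty "errors" list or an SC_ERR_* count after a rule update is the signal that a ruleset did not load cleanly; an "events" counter that shows flow or stats records but no alerts tells you logging works and the quiet alert tab is a detection question, not a logging one.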
-
OK, it seems the logging is broken, but right now I have no idea if it's the new logging features of 19.7 or Suricata itself.
-
I am quite sure it's Suricata itself, as I stepped down to 4.1 and still have problems with logging. I will now "upgrade" again to Suricata 5 and continue testing.
-
BTW, wouldn't it perhaps make sense to plan Suricata 5 for 20.1?
-
If it's out and works fine it's in 20.1, maybe even 19.7 later on. It depends on the release date. Probably some time this fall.
Cheers,
Franco
-
It looks like Suricata 5 is now a stable release. Is there a timetable for including it in OPNsense? Version 20 perhaps? Is there also a way to get other options added to the plugins, like Elastic Beats?
-
There is already a pkg for beats :)
-
Yes, it is 6.7.1 but needs to be installed manually. Will it ever get added as a plugin, or will it always be manual?
-
I have a kind of enterprise plugin with a pure free field to configure, but it will never be merged.
-
That is certainly too bad. I am trying to figure out how to keep Beats up to date on OPNsense. A bit of a pain.