[CALL FOR TESTING] Suricata 4.1.3

Started by franco, March 08, 2019, 12:24:27 PM

Dear all,

Suricata 4.1.3 was released yesterday with the following changes:

https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/

Three of those issues have had impact on OPNsense, namely:

Bug #2811: netmap/afpacket IPS: stream.inline: auto broken (worked around in OPNsense 19.1.2)

Bug #2842: IPS mode crash under load (no workaround existed, regression since Suricata 4.1)

Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT) (Sensei authors provided a patch for us in OPNsense 19.1)

You can manually install the latest version using (amd64 ONLY!):

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/suricata-4.1.3.txz

And restart the service.

To go back to the last release version use:

# opnsense-revert suricata

Happy to hear feedback even if it simply continues to work ok.


Thank you,
Franco

Hi Franco

I've installed Suricata 4.1.3 to give it a try.
After restarting the service, I see this warning in the log:
suricata: [100175] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.

Regards,
Stefan
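For reference, the setting the warning points at lives under the `stats:` section of suricata.yaml. The fragment below is an added example, not something posted in this thread or shipped by OPNsense; it shows both possible values, with the new-style prefix the warning says will become the default in 5.0 left active. Either value silences SC_WARN_DEFAULT_WILL_CHANGE, but switching to "decoder.event" renames the decoder counters in eve stats output, so anything parsing those keys needs to follow. On OPNsense the file is generated from templates, so a hand edit of suricata.yaml is not where the change would normally go.

```yaml
stats:
  enabled: yes
  interval: 8
  # Keep decoder events in the stats output (existing 4.1 option).
  decoder-events: true
  # Opt in now to the key layout Suricata 5.0 will use by default:
  #   decoder.event.<proto>.<event>   instead of   decoder.<proto>.<event>
  # Setting this explicitly (either value) suppresses the warning.
  decoder-events-prefix: "decoder.event"
  # To keep the old 4.1 key layout instead, use:
  # decoder-events-prefix: "decoder"
```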

Hi Stefan,

Thanks, right, we'll have to keep an eye out for this when the testing for Suricata 5.0 begins.


Cheers,
Franco

Hi Franco,

It seems to be running stable on my box.
I'm testing it on OPNsense 19.1.3 and kernel 19.1-netmap.  ;)

Best Regards,
Stefan

Hi Stefan,

Yay, sounds good. We did a stress-test internally and Suricata is holding up fine now. Last piece for my home network is testing 19.1-netmap like you're running.

So far, everything is looking shiny.


Cheers,
Franco

Alright, this was included in 19.1.4 and looks like it's working. Special thanks to fightingmasta for the help. :)


Cheers,
Franco

March 22, 2019, 11:45:56 AM #6 Last Edit: March 22, 2019, 11:52:12 AM by iMx
Not sure if this is the right place or not.... but I think I may still be seeing an issue.  I couldn't find exact symptoms of the crash that this version should resolve.

Running an HA setup, I see the CPU spike to 100% of 1 core/thread - linear CPU increase, over 12-15 minutes - once maxed, this then causes the Opnsense nodes to failover to the secondary.  em2 is the only interface running IDS.

kernel: carp: 30@em2: BACKUP -> MASTER (master timed out)

Seems to occur after around 8-10 hours and has happened a few times. Load has been higher during those hours, so it doesn't seem to be peak-load related as such; there is a minimum of 100+ Mbps throughput constantly on the device.

I have tried running in IPS mode, with only the Eicar rule loaded, no VLANs etc.  Tuned settings for things like flow control etc.  Will perform some more testing next week, I have disabled it for now.

EDIT: Found it, will compare against:

https://redmine.openinfosecfoundation.org/issues/2842

March 22, 2019, 12:06:13 PM #7 Last Edit: March 22, 2019, 12:13:05 PM by iMx
Out of curiosity, is it possible to easily downgrade to 4.0.x (as I believe this potentially impacts 4.1.x only) without causing headaches? Am I likely going to end up in a world of pain if I do, already running stock 19.1.4:

pkg add -r https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/All/suricata-4.0.5.txz