Suricata 5 Beta - Can We Upload to OPNSense

Started by spetrillo, June 01, 2019, 03:19:22 AM

Hello all,

Is there a way to upload a new package, in this case the Suricata 5 beta, so it can be installed via the GUI? Or does this need to be done via the CLI instead?

Thanks,
Steve

Hi Steve,

Working on this for 19.1.9, although we won't have the suricata-devel package installable with a single click at the moment, as the core package will need to be rebuilt from the git repository with the suricata package replaced.


Cheers,
Franco

No worries... and thanks for all the efforts. I am learning a lot about OPNsense!

Ping me after 19.1.9 is out to post instructions here on how to use Suricata 5 package. I have to give it a good testing beforehand to make sure nothing unpleasant happens.


Cheers,
Franco

As I will soon be the happy owner of an apu4, I will join the testing then.

Hey @franco is it time to test the Suricata 5 install?


This will try to uninstall pkg opnsense-19.1.9.

Switch to development and do an upgrade to install it. Then on the console:

# opnsense-code core
# cd /usr/core
# make upgrade CORE_SURICATA=-devel


Cheers,
Franco

Thanks! On S5 now. Just done some testing with EICAR; this works quite well.

I had another firewall with IPFire/Suricata in parallel. What is astonishing: this one drops attacks like crazy with the same rules (the "compromised" ones, I think, are good for testing), whilst I see nearly no attacks on OPNsense.

After a few days, I cannot see any difference between 5 beta and 4. Should there be a difference?

All I've seen so far: the CPU is no longer under high load for a long time when downloading e.g. a 2 GB DVD ISO.

After changing some rules today I have the following message:

suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - netmap interface igb2+ uses obsolete '+' notation. Using '^' instead

In this case it's the WAN interface, but this comes for all interfaces.

And: I get nearly no entries in the alert log, despite having a web and mail server with both IMAP and SMTP rules. This feels a little bit strange. On Suricata 4 too.
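The warning quoted above is Suricata 5 telling you that the netmap host-stack suffix changed: an interface written as `igb2+` is the old notation and is now treated as `igb2^`. Suricata rewrites it on the fly, but a config that still carries the old form will keep emitting the warning on every interface. The following is an added example, not code from the thread, from OPNsense or from Suricata: a small normalizer that walks only the `netmap:` section of a suricata.yaml-style file, reports every obsolete `+` suffix with its line number, and rewrites it to `^`. The sample YAML and interface names are constructed for the example; the only assumption it makes about Suricata is the one stated in the warning itself (`+` obsolete, `^` current).

```python
import re

# Constructed sample of a suricata.yaml netmap section (not a real config),
# using the obsolete '+' host-stack suffix that Suricata 5 warns about.
SAMPLE_YAML = """\
af-packet:
  - interface: eth0+
netmap:
  - interface: igb2+
    threads: auto
  - interface: igb2
    copy-mode: ips
    copy-iface: igb2+
  - interface: default
pcap:
  - interface: igb0
"""

# Matches an interface value ending in the obsolete '+' suffix, keeping the
# key prefix so the line can be rewritten in place.
_OBSOLETE = re.compile(
    r"^(\s*(?:-\s+)?(?:interface|copy-iface):\s*)(\S+?)\+\s*$"
)


def normalize_netmap_interfaces(text):
    """Rewrite 'ifname+' to 'ifname^' inside the top-level netmap: section.

    Returns (new_text, warnings); warnings is a list of human-readable
    strings, one per rewritten line. Sections other than netmap: are left
    untouched (the af-packet entry in the sample is deliberately not changed).
    """
    out = []
    warnings = []
    in_netmap = False
    for lineno, line in enumerate(text.splitlines(), 1):
        # A non-indented line starts a new top-level key.
        if line and not line[0].isspace():
            in_netmap = line.rstrip().startswith("netmap:")
        if in_netmap:
            m = _OBSOLETE.match(line)
            if m:
                prefix, ifname = m.groups()
                warnings.append(
                    f"line {lineno}: netmap interface {ifname}+ uses obsolete "
                    f"'+' notation; rewriting to {ifname}^"
                )
                line = f"{prefix}{ifname}^"
        out.append(line)
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    fixed, warns = normalize_netmap_interfaces(SAMPLE_YAML)
    for w in warns:
        print(w)
    print(fixed)
```

Run it against a copy of the real file rather than in place, and diff the result: the point is to make the rewrite Suricata already does at start-up explicit in the config so the warning goes away, not to hide it.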
June 21, 2019, 07:19:39 AM #12 Last Edit: June 21, 2019, 08:00:10 AM by ruggerio
Still only entries in the alarm tab if I test with EICAR. Nothing else. I am not sure if it is working correctly. Somebody else perhaps with more reliable results?

BTW, I am in IPS mode. Will switch now to IDP.

Still no change. Am I the only tester for the moment? When is 5 planned for go-live in OPNsense?

BTW, I deleted all the rules in /usr/local/etc/suricata/rules and ./opnsense-rules, as I got masses of errors about flowbits set. Re-downloaded all the rules I checked, but the errors persist.
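The flowbits errors described in the post above are typically cross-rule dependencies: one rule tests a flowbit with `flowbits:isset` or `flowbits:isnotset` and no enabled rule ever runs `flowbits:set` on it, which happens easily when categories are enabled and disabled individually, so re-downloading the same selection reproduces the same complaints. As an added example that is not code from the thread, from OPNsense or from Suricata, here is a standalone checker that parses a rule file, collects which sids set and which sids test each flowbit, and reports bits that are checked but never set (and, as a secondary hint, bits that are set but never checked). The rules and sids in it are constructed for the example; it handles only the simple single-name `flowbits:<action>,<name>;` form and ignores comment lines.

```python
import re
from collections import defaultdict

# Constructed rule set (not from the thread or any real ruleset): smtp.auth is
# set and checked, web.stage1 is checked by a rule nobody sets, imap.seen is
# set and checked by the same rule, ftp.seen is set but never checked.
SAMPLE_RULES = """\
alert smtp any any -> any any (msg:"MAIL auth seen"; content:"AUTH LOGIN"; flowbits:set,smtp.auth; flowbits:noalert; sid:1000001; rev:1;)
alert smtp any any -> any any (msg:"MAIL data after auth"; flowbits:isset,smtp.auth; content:"DATA"; sid:1000002; rev:1;)
alert http any any -> any any (msg:"WEB stage two"; flowbits:isset,web.stage1; content:"/admin"; sid:1000003; rev:1;)
# comment lines are skipped by the checker
alert imap any any -> any any (msg:"IMAP first login"; content:"LOGIN"; flowbits:isnotset,imap.seen; flowbits:set,imap.seen; sid:1000004; rev:1;)
alert ftp any any -> any any (msg:"FTP seen"; content:"USER"; flowbits:set,ftp.seen; flowbits:noalert; sid:1000005; rev:1;)
"""

# flowbits:<action>,<name>;  (noalert has no name and is not matched)
_FLOWBIT = re.compile(
    r"flowbits\s*:\s*(set|unset|toggle|isset|isnotset)\s*,\s*([^;\s]+)\s*;"
)
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def check_flowbits(rules_text):
    """Return (checked_but_never_set, set_but_never_checked).

    Each is a dict mapping flowbit name -> sorted list of sids involved.
    'set' and 'toggle' count as producers; 'isset' and 'isnotset' as
    consumers; 'unset' is neither and is ignored here.
    """
    setters = defaultdict(set)
    checkers = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = _SID.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for action, name in _FLOWBIT.findall(line):
            if action in ("set", "toggle"):
                setters[name].add(sid)
            elif action in ("isset", "isnotset"):
                checkers[name].add(sid)
    checked_not_set = {
        b: sorted(s) for b, s in checkers.items() if b not in setters
    }
    set_not_checked = {
        b: sorted(s) for b, s in setters.items() if b not in checkers
    }
    return checked_not_set, set_not_checked


if __name__ == "__main__":
    bad, idle = check_flowbits(SAMPLE_RULES)
    for bit, sids in sorted(bad.items()):
        print(f"flowbit '{bit}' is checked by {sids} but never set")
    for bit, sids in sorted(idle.items()):
        print(f"flowbit '{bit}' is set by {sids} but never checked")
```

Point it at the concatenation of every enabled rule file: the "never set" list is the one that matters, because each entry is a rule that can never fire until the rule that sets the bit is enabled as well, and that is usually a category you switched off rather than a download problem.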