Suricata 5 Beta - Can We Upload to OPNSense

[spetrillo]

Hello all,

Is there an ability to upload a new package, in this case the Suricata 5 beta, so it can be installed via GUI. Does this need to be done via CLI instead?

Thanks,
Steve

[franco]

Hi Steve,

Working on this for 19.1.9 although we won't have suricata-devel package installable with a single click at the moment as the core package will need to be rebuilt from the git repository with the suricata package replaced.


Cheers,
Franco

[spetrillo]

No worries...and thanks for all the efforts. I am learning alot about OPNsense!

[franco]

Ping me after 19.1.9 is out to post instructions here on how to use Suricata 5 package. I have to give it a good testing beforehand to make sure nothing unpleasant happens.


Cheers,
Franco

[ruggerio]

as i will be soon happy owner of a apu4, i will join the testing then.

[spetrillo]

Hey @franco is it time to test the Suricata 5 install?

[mimugmail]

When on 19.1.9:

pkg install suricata-devel

[ruggerio]

this will try to uninstall pkg opnsense-19.1.9

[franco]

Switch to development and do an upgrade to install it. Then on the console:

# opnsense-code core
# cd /usr/core
# make upgrade CORE_SURICATA=-devel


Cheers,
Franco

[ruggerio]

thx! on s5 now. just done some testing with eicar, this works quite well.

i had another firewall with ipfire/suricata in parallel - what is astaunishing, this one drops attacks like crazy with the same rule (compromised i think are good for testing)  - whilst i nearly see no attack on opnsense.

[ruggerio]

After a few days, i cannot see any difference between 5 beta and 4. Should there be a difference?

All what i've seen so far, CPU is no longer on high load for long time, if downloading e.g. a 2 GB DVD-ISO.

[ruggerio]

After changing some rules today i have the following message:

suricata: [100705] <Warning> -- [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - netmap interface igb2+ uses obsolete '+' notation. Using '^' instead

in this case, its the wan-interface. But this comes for all interfaces.

And: get nearly no entries in Alert-log, but having a web- and mailserver with both imap and smtp-rules...). This feels a little bit strange. On Suricata 4 too.

[ruggerio]

still only entries in alarm-tab,  if i test a eicar. Nothing else. I am not sure, if it is working correct. Somebody else perhaps with more reliable results?

btw. i am in IPS-Mode. Will switch now to IDP.

[ruggerio]

Still no change - am i the only tester for the moment? When is 5 planned in opnsense for golive?

btw. i deleted all the rules in /usr/local/etc/suricata/rules and ./opnsense-rules, as i got massy of errors of flowbits set. Re-downloaded all the rules i checked, but the errors persist.

[mimugmail]

S5 isn't stable yet, so there are no plans to migrate.