Suricata 7 instead of Suricata 6 and no af-packet support?

Started by jonny5, January 31, 2024, 06:07:27 AM

It appears we should be working to tune the "netmap" back-end/feature instead of "af-packet" for Suricata 7. There are options enabling it for eth0 all the same even in the conf file for Suricata 7 in OPNSense 24.1.

It seems I remember that Suricata 6 was compiled with 'af-packet', but Suricata 7 was not - can anyone verify this?

Was also curious about how difficult it would be for someone to compile Suricata 7 themselves and add features to it (examples: nDPI 3.4+, PF_Ring 7.8+, LuaJIT, Redis, GeoIP, eBPF, Profiling) and then install that to the OPNSense?

Overall curious about the decision and if OPNSense is compiling their own Suricata, and the possible future of doing pulled-pork/oinkmaster, or its modern Suricata-Update and the ability to maintain per rule modifications (set $EXTERNAL instead of $ANY for specific rules/SIDs, and other mods/updates).

Note: been upgrading from around 18 or so, 24.1 seemed to upgrade without an issue, and all traffic appears to be going as expected. Great work guys!! Just looking to know my unknowns! <3
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

Updates! We are back to Suricata 6, but as I've come to find out, no AF-PACKET support in Suricata 6.

root@opnsense:~ # suricata --build-info
This is Suricata version 6.0.15 RELEASE
Features: IPFW PCAP_SET_BUFF NETMAP HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
..
Suricata Configuration:
  AF_PACKET support:                       no


After a little bit of reading, it would seem af-packet isn't a thing in FreeBSD.

What/how does one work with enabling/optimizing rings/RAM based memory network rings for Suricata to inspect (not IPS, just IDS w/the ability to 'catch-up' and not drop as few as possible, inspect near all packets)?

Please, any and all that can help me make sense of this - I've been a Linux user for a while, and FreeBSD is close enough for me to forget that it really is NOT Linux, and some scripting I did on FreeBSD let me know that double recently lol.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

> Overall curious about the decision and if OPNSense is compiling their own Suricata

I'm rather curious what the actual question is here. Someone has to provide binary packages so it needs to be built? oO

I don't really understand either question raised here.


Cheers,
Franco

Quote from: franco on February 01, 2024, 03:25:19 PM
> Overall curious about the decision and if OPNSense is compiling their own Suricata
>
> I'm rather curious what the actual question is here. Someone has to provide binary packages so it needs to be built? oO
> ...

After having made my initial post there, I realized I have more to learn/explore before I can ask such a question really. While I have compiled my own Suricata on Debian, I have not on FreeBSD.

I'm after customizing the downloaded rules in greater context. It will still be SID by SID, but ideally, using Suricata-Update or something like the old "pulledpork" or "oinkmaster" that Snort had, we would be able to have a conf file that, SID by SID, has modifications to apply after getting the new rule file (post update, it re-sets the changes if the source detail to fix is still there).

How can I, post rule update, have specific rules modified (sed/awk-ish, but through a pattern tool like Suricata-Update (gotta explore this - still learning) or something like it) from "$ANY" to "$EXTERNAL" or "$INTERNAL"?

So, in addition to being curious about PF_RING or AF-PACKET, because memory rings tend to run fastest, and wanting to tune impact to an aging process IDS, I wanted to go after that tuning of the IDS and the rules being enabled. Used to manage Snort IDS hosts for an MSP of sorts in the past; day job is a little different now, but my hobby and passion remain.

In an effort to gain awareness of my own network and the current state of rules, I went after enabling almost all rules recently and wrote up a guide to getting a great many rules but turning off some of the most noisy/troublesome.
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/

I plan on posting about my future Suricata-Update explorations in about another 3 to 4 weeks or so (I hope lol!)
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
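The per-SID "modify after every update" workflow asked about above is what suricata-update's modify.conf does: each line is `<sid> "<from-regex>" "<to>"` and is re-applied to the freshly downloaded rules on every run. The script below is an added example written for this thread, not suricata-update's own code and not an OPNsense component; it re-implements that sid-first line format in plain Python so the mechanics are visible, and adds the check an operator most wants after an upstream ruleset change: a report of which modifications no longer matched anything (a stale pattern means the rule changed upstream and your edit silently stopped applying). The rules and the modify.conf content are constructed sample data, not from any real ruleset.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules (not from ET Open or any real ruleset).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST suspicious outbound"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"TEST ssh scan"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"TEST dns query"; sid:1000003; rev:2;)
"""

# Constructed modify.conf in the sid-first form: <sid> "<from-regex>" "<to>".
# The 1000001 line is deliberately stale: its pattern matches nothing, which
# is what happens when an upstream update rewrites the rule header.
SAMPLE_MODIFY_CONF = r"""
# Only alert on SSH scans that come from outside the network
1000002 "any any -> \$HOME_NET" "$EXTERNAL_NET any -> $HOME_NET"
# Restrict the DNS rule to traffic towards external resolvers
1000003 "-> any 53" "-> $EXTERNAL_NET 53"
# Stale entry: this header no longer exists in the rule
1000001 "\$HOME_NET any -> any" "$HOME_NET any -> $EXTERNAL_NET"
"""

MOD_LINE = re.compile(r'^(\d+)\s+"([^"]*)"\s+"([^"]*)"\s*$')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_modify_conf(text: str) -> Dict[int, List[Tuple[re.Pattern, str]]]:
    """Parse '<sid> "<from>" "<to>"' lines into {sid: [(compiled_regex, replacement), ...]}."""
    mods: Dict[int, List[Tuple[re.Pattern, str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MOD_LINE.match(line)
        if not m:
            # Fail loudly: a malformed line that is skipped silently is a
            # modification that never gets applied.
            raise ValueError(f"modify.conf line {lineno}: cannot parse {raw!r}")
        sid, pattern, repl = int(m.group(1)), m.group(2), m.group(3)
        mods.setdefault(sid, []).append((re.compile(pattern), repl))
    return mods


def rule_sid(rule: str):
    """Return the numeric sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def apply_modifications(rules_text: str, mods: Dict[int, List[Tuple[re.Pattern, str]]]):
    """Apply the per-sid substitutions; return (new_rules_text, {sid: substitutions_made})."""
    out = []
    applied = {sid: 0 for sid in mods}
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid in mods and not line.lstrip().startswith("#"):
            for pattern, repl in mods[sid]:
                # re.subn keeps backreferences such as \1 usable in the replacement.
                line, n = pattern.subn(repl, line)
                applied[sid] += n
        out.append(line)
    return "\n".join(out) + "\n", applied


def stale_modifications(applied: Dict[int, int]) -> List[int]:
    """Sids whose modify lines matched nothing: review these after every ruleset update."""
    return sorted(sid for sid, n in applied.items() if n == 0)


if __name__ == "__main__":
    mods = parse_modify_conf(SAMPLE_MODIFY_CONF)
    new_rules, applied = apply_modifications(SAMPLE_RULES, mods)
    print(new_rules)
    print("applied:", applied)
    print("stale (re-check these):", stale_modifications(applied))
```

Run it as-is to see the two header rewrites land and sid 1000001 reported as stale; in practice you would read the rules file that suricata-update just wrote and your own modify.conf in place of the two constructed strings, and treat a non-empty stale list as a reason to look at the upstream diff before the next reload.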