[CALL FOR TESTING] Suricata version 8

Started by franco, October 09, 2025, 10:49:59 AM

October 09, 2025, 10:49:59 AM Last Edit: October 10, 2025, 08:08:09 AM by franco
Hi all,

Suricata 8 has been out for a bit, but version 8.0.1 was offered recently, so it's time to do a public call for testing just to be sure it's safe to bring it into one of the next stable updates (ideally 25.7.6, but we will see).

The changes seem to be additive, with the nicest change being libhtp now reimplemented in native Rust.

The only incompatibility found was that the "ac-bs" Aho-Corasick pattern matcher is no longer available. I already changed that for the development version in case anyone was using it, but it also only prints a warning and reverts to the standard "ac" variant at runtime. Just so you know that bit.  ;)

Testing looks good and Netmap IPS mode is behaving nicely.

Now it's your turn...

# opnsense-revert -z suricata

The service will need a restart to activate the new version.

Looking forward to all feedback--negative and positive!


Thanks,
Franco

https://suricata.io/2025/07/08/suricata-8-0-0-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/


October 09, 2025, 09:37:54 PM #2 Last Edit: October 09, 2025, 09:39:36 PM by danderson
root@router:~ # opnsense-update -z suricata
Usage: man opnsense-update

gives me an error and doesn't install on 25.7.5

Quote from: franco on October 09, 2025, 10:49:59 AM# opnsense-update -z suricata

The service will need a restart to activate the new version.
root@OPNsense:~ # opnsense-update -z suricata
Usage: man opnsense-update

Ooops, should have been opnsense-revert. Sorry about that. When you don't use AI to write your stuff...


Cheers,
Franco

opnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.


Quote from: franco on October 10, 2025, 08:08:49 AMOoops, should have been opnsense-revert. Sorry about that. When you don't use AI to write your stuff...


Cheers,
Franco

IPS mode gave me an immediate block on all traffic; testing IDS now, so far so good. I am using VLANs and have Promiscuous mode enabled, aka netmap.  Unknown why IPS blocked everything; will test over the next few days to see if I can narrow it down. Not the same issue as going from Suricata 6 to 7 with the exception-policy: ignore setting, as that config setting still exists.

I did see in the install notes that many settings need to be added to /etc/rc.conf, and I don't see that file or any rc.conf when searching the system.

Did not try yet adding the following in Tunables:
You may want to try BPF in zerocopy mode to test performance improvements:

        sysctl -w net.bpf.zerocopy_enable=1


Quote from: danderson on October 10, 2025, 02:07:43 PMopnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.


So far IDS is still ok, but I went over the logs from while it was in IPS and things broke; here is what I saw.

Still had plenty of RAM avail on opnsense.

2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758119] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758138] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758327] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758312] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758183] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758163] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758325] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758323] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758308] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758313] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758309] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0

Thanks so far... first things first you can always go back with

# opnsense-revert suricata

About netmap, it could be that the RAM requirement increased, looking at the error, but the question is whether you normally use IPS mode and whether it works with the current 7.0.12?

I think you can ignore the packages messages during install. The zero copy one is a very old note.


Cheers,
Franco

Yes, IPS is always on in 7.0.12 and there were no changes in config; I just applied the update package and restarted the service.  Right now I have it running in IDS and so far so good; that's the only change.

Quote from: franco on October 10, 2025, 03:00:06 PMThanks so far... first things first you can always go back with

# opnsense-revert suricata

About netmap, it could be that the RAM requirement increased, looking at the error, but the question is whether you normally use IPS mode and whether it works with the current 7.0.12?

I think you can ignore the packages messages during install. The zero copy one is a very old note.


Cheers,
Franco


Ok, FWIW, I also used igc and it worked for my WAN letting packets pass through normally.

I'll try to chase netmap changes on their end to see if something got optimised that should not have.


Thanks,
Franco

I just applied it to 2 other FWs that are not using netmap, as VLANs are on the core router/switch, using a different NIC (ice), and there are no errors or issues: lots of traffic and things showing up in the IPS logs like normal.

So it appears more and more to be a netmap issue.

Quote from: franco on October 10, 2025, 03:06:08 PMOk, FWIW, I also used igc and it worked for my WAN letting packets pass through normally.

I'll try to chase netmap changes on their end to see if something got optimised that should not have.


Thanks,
Franco

Increasing the buffer size for netmap appears to have resolved the issue I was having:

dev.netmap.buf_size from 4096 to 8192
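As an added example (not from this thread, and not OPNsense or Suricata code), here is a small Python triage helper that parses Suricata netmap poll-error lines like the ones danderson posted and separates "No buffer space available" (the errno string for ENOBUFS, i.e. exhausted buffers, which is the symptom the dev.netmap.buf_size increase addressed) from the "No error: 0" lines. The sample log is constructed to mirror the posted lines, including the fused timestamp/level/process columns of the forum paste, so the regex tolerates both the fused and the normally spaced form. The regex, the function names and the verdict strings are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the lines posted in the thread.
# The first two lines keep the fused "…-06:00Errorsuricata[pid]" columns
# exactly as the forum paste shows them; the rest are space-separated.
# The last line is a constructed non-error line that must be ignored.
SAMPLE_LOG = """\
2025-10-10T06:24:29-06:00Errorsuricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00Errorsuricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758119] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Notice suricata[758100] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Timestamp, optional whitespace, log level, optional whitespace, process[pid].
# The lazy \S+? for the level lets "Errorsuricata[" and "Error suricata[" both match.
NETMAP_POLL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s*(?P<level>\S+?)\s*"
    r"suricata\[(?P<pid>\d+)\]\s+<Error>\s+--\s+"
    r"(?P<iface>[^:\s]+): error reading netmap data via polling: (?P<reason>.+)$"
)

ENOBUFS_TEXT = "No buffer space available"  # strerror(ENOBUFS)


def parse_netmap_errors(text):
    """Yield (ts, pid, iface, reason) for every netmap poll-error line."""
    for line in text.splitlines():
        m = NETMAP_POLL_RE.match(line)
        if m:
            yield m.group("ts"), m.group("pid"), m.group("iface"), m.group("reason").strip()


def summarize(text):
    """Count poll errors per netmap ring and per reason.

    'igc1' is the NIC ring, 'igc1^' the host-stack ring of the same interface.
    Returns {"by_iface": {...}, "by_reason": {...}, "enobufs_ifaces": [...]}.
    """
    by_iface = Counter()
    by_reason = Counter()
    enobufs = defaultdict(int)
    for _ts, _pid, iface, reason in parse_netmap_errors(text):
        by_iface[iface] += 1
        by_reason[reason] += 1
        if reason == ENOBUFS_TEXT:
            enobufs[iface] += 1
    return {
        "by_iface": dict(by_iface),
        "by_reason": dict(by_reason),
        "enobufs_ifaces": sorted(enobufs),
    }


def triage(text):
    """One-line verdict. ENOBUFS on a ring points at exhausted netmap buffers
    (the thread resolved it by raising dev.netmap.buf_size from 4096 to 8192);
    'No error: 0' alone is a poll failure with errno 0 and needs other evidence."""
    s = summarize(text)
    if s["enobufs_ifaces"]:
        return "ENOBUFS on %s: check dev.netmap.buf_size and the other dev.netmap.* sysctls" % (
            ", ".join(s["enobufs_ifaces"]))
    if s["by_reason"]:
        return "netmap poll errors without ENOBUFS: %s" % ", ".join(sorted(s["by_reason"]))
    return "no netmap poll errors"


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(triage(SAMPLE_LOG))
```

Run it against `/var/log/suricata/suricata.log` (or the OPNsense log export) by passing the file contents to `triage()`; a non-empty `enobufs_ifaces` list is the signal to look at the netmap tunables before suspecting rules or RAM, while lines with only "No error: 0" need the surrounding context to explain.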

@danderson, just to be sure, what hardware are you using and how much traffic are you pushing on average through Suricata?


Cheers,
Franco

October 13, 2025, 04:06:56 PM #14 Last Edit: October 14, 2025, 02:24:05 PM by danderson
Hardware is https://protectli.com/product/v1410/

It's my home FW, so on a gig pipe it's probably 10M sustained over 24 hrs, and all my traffic flows through Suricata.

Quote from: franco on October 13, 2025, 11:17:15 AM@danderson, just to be sure, what hardware are you using and how much traffic are you pushing on average through Suricata?


Cheers,
Franco