[CALL FOR TESTING] Suricata 4.0.0

[fabian]

Hi all,

Suricata 4.0 is out and I asked Franco to build it for 17.7. It will not be included in the stable version but it can be installed via the shell by running the following command:

Code Select Expand

pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz

In a short test it still works without changing the GUI. Note: If you are having Suricata running, you will have to to restart it after installation. You can do that in the GUI.

[phoenix]

Hi

I've just tried that on my 17.7R2 and got the following:

Code Select Expand

root@OPNsense:~ # pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz' have been found in the repositoriesThe file does appear in the list if I browse to that address, have I missed something?

[franco]

Almost...

# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz

Note this package is for amd64, and the current release version can be restored with:

# opnsense-revert suricata


Cheers,
Franco

[phoenix]

Hi Franco

Thanks for that, it worked and is up and running. :) Anything specific in this version that we should be aware of.

[franco]

Hi Bill,

I haven't gone through the list of changes in detail. The port update was very easy, the syntax gave no issues in the yaml, I'd say it's a straight-forward update with small bits of numerous improvements in all areas:

https://github.com/inliniac/suricata/blob/b8428378ac6fb2365337ae765e19dfc0f4548e4a/ChangeLog#L1-L95


Cheers,
Franco

[franco]

I'm hijacking this thread for a general-purpose call for testing. The port was just finished[1]. It seems to work just fine.

To install:

# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz

To revert:

# opnsense-revert suricata

Don't forget to restart Suricata for the new version to take effect.

Will a few more people on 17.7 amd64 ack/nak this version bump?


Cheers,
Franco

--
[1] https://github.com/opnsense/ports/commit/67e8ed627e

[phoenix]

Hi Franco

There's a message displayed after the install:

Code Select Expand

You may want to try BPF in zerocopy mode to test performance improvements:

        sysctl -w net.bpf.zerocopy_enable=1

Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.confIs it suggested we apply that or just leave it as-is?

[franco]

BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.

[phoenix]

BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.

Thanks for that information. I'll try enabling it and see what happens but my server is lightly loaded anyway so I guess I won't see much difference, if any.

[Noctur]

Running for a day now.. Seems to be working similarly to 3.x. Smooth transition.

[Julien]

I have a And hardware,
any specific thing to test ?
I can install it on a production with 1 gbps connection

[franco]

Nothing special, just generally looking for positive feedback to upgrade. So far it looks seamless as far as 3.2.3 -> 4.0.0 goes.


Thanks,
Franco

[mw01]

Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0.  Went smoothly, no issues.  apu2 AMD GX-412TC SOC (4 cores)

[franco]

I'll get an ok from the core team just to be sure... I think it looks good for inclusion in 17.7.1.

Thank you all <3

[xmichielx]

Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0.  Went smoothly, no issues.  apu2 AMD GX-412TC SOC (4 cores)

Did you test with bandwidth tests? Find a difference in performance when testing through your APU2? I experienced much better bandwidth performance with 4.* then with the 3.* series of Suricata.
Please let us know if you also experience less of a cap on your bandwidth with Suricata 4.*