Suricata 5.0.5

[dougburks]

https://suricata-ids.org/2019/10/15/release-notes-for-5-0-0/

[dougburks]

https://suricata-ids.org/2019/12/13/suricata-5-0-1-released/

[haricsree]

Just curious why Suricata 5.0.x is not yet in included? Suricata 5.0.2 is released in Feb. https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/

[dougburks]

Hi @haricsree ,

First, please note that there is no rush in moving to Suricata 5.0.x since Suricata 4.1.x is still fully supported through the end of 2020: https://suricata-ids.org/2020/03/25/suricata-4-1-eol-update-support-extended/

Second, please note that there is currently a stability issue with Suricata 5.0.x: https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&issue_position=1&next_issue_id=3341

[haricsree]

Thanks for the explanation. Did not realize that there is an outstanding issue with Suricata 5.0.x

[NRGLine4Sec]

Hi @dougburks It seems to be claused https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&issue_position=1&next_issue_id=3341#note-14

[dougburks]

We are moving to Suricata 5 in our new Hybrid Hunter platform: https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/418

Our existing 16.04 platform will likely remain on Suricata 4 at least for the near future.

[NRGLine4Sec]

Hi @dougburks Does this imply that Hybrid Hunter will soon become a production version ?

[dougburks]

Depends on your definition of "soon". Hybrid Hunter is currently at Beta 2 release. We're not promising any dates for final release at this point.

[dougburks]

Security Onion 2 has been released and includes Suricata 5: https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

For Security Onion 16.04, we need to move to Suricata 5 before Suricata 4.1 reaches EOL on 12/31/2020: https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/

[dougburks]

Suricata 5.0.5 has been released: https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/

https://www.openinfosecfoundation.org/download/suricata-5.0.5.tar.gz

[dougburks]

I've packaged Suricata 5.0.5 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 5.0.5-1ubuntu1securityonion2

Please test/verify as follows:

• start with a 16.04 box with all stable updates applied

• run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata

• snapshot the VM if possible

• add the test PPA:

  sudo add-apt-repository -y ppa:securityonion/test

• install all updates:

  sudo soup -y

• the Suricata package should back up your existing suricata.yaml, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update

• PLEASE NOTE! suricata.yaml has changed drastically from Suricata 4 to Suricata 5. Please double-check all options in suricata.yaml.

• if necessary, manually update the new suricata.yaml for your environment

• update rules:

  sudo rule-update

• verify the new version number:

  suricata -V

• run through your normal testing in as many different combinations as possible: PF_RING vs AF_PACKET single worker vs multiple workers Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.

• check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)

• check log files for any warnings/errors out of the ordinary

• reboot and make sure everything still works properly

• re-run Setup and make sure everything still works properly

• anything else I missed?

Thanks in advance for your time and effort!

[cm-ops]

Testing guidelines were verified as follows: suricata.yaml backed up, HOME_NET and EXTERNAL_NET variables migrated, notification to run sudo rule-update, and to update suricata.yaml with customizations. Also, new version number seen on each test.

• sudo rule-update: no issues
• PF_RING vs AF_PACKET: no issues
• Single worker vs multiple workers: no issues
• sostat: no issues
• Log files: no issues
• Reboot: no issues
• Re-run setup: no issues

[dougburks]

Thanks @cm-ops !

[dougburks]

Published: https://blog.securityonion.net/2020/12/suricata-505-now-available-for-security.html