Closed dougburks closed 3 years ago
Just curious why Suricata 5.0.x is not yet in included? Suricata 5.0.2 is released in Feb. https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
Hi @haricsree ,
First, please note that there is no rush in moving to Suricata 5.0.x since Suricata 4.1.x is still fully supported through the end of 2020: https://suricata-ids.org/2020/03/25/suricata-4-1-eol-update-support-extended/
Second, please note that there is currently a stability issue with Suricata 5.0.x: https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&issue_position=1&next_issue_id=3341
Thanks for the explanation. Did not realize that there is an outstanding issue with Suricata 5.0.x
Hi @dougburks It seems to be claused https://redmine.openinfosecfoundation.org/issues/3342?issue_count=191&issue_position=1&next_issue_id=3341#note-14
We are moving to Suricata 5 in our new Hybrid Hunter platform: https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/418
Our existing 16.04 platform will likely remain on Suricata 4 at least for the near future.
Hi @dougburks Does this imply that Hybrid Hunter will soon become a production version ?
Depends on your definition of "soon". Hybrid Hunter is currently at Beta 2 release. We're not promising any dates for final release at this point.
Security Onion 2 has been released and includes Suricata 5: https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html
For Security Onion 16.04, we need to move to Suricata 5 before Suricata 4.1 reaches EOL on 12/31/2020: https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/
I've packaged Suricata 5.0.5 and the following package is now available at ppa:securityonion/test
:
securityonion-suricata - 5.0.5-1ubuntu1securityonion2
Please test/verify as follows:
start with a 16.04 box with all stable updates applied
run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test
install all updates:
sudo soup -y
the Suricata package should back up your existing suricata.yaml,
migrate your HOME_NET and EXTERNAL_NET variables, and tell you that
you need to run sudo rule-update
PLEASE NOTE! suricata.yaml
has changed drastically from Suricata 4 to Suricata 5. Please double-check all options in suricata.yaml
.
if necessary, manually update the new suricata.yaml
for your environment
update rules:
sudo rule-update
verify the new version number:
suricata -V
run through your normal testing in as many different combinations as possible: PF_RING vs AF_PACKET single worker vs multiple workers Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.
check sostat
output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)
check log files for any warnings/errors out of the ordinary
reboot and make sure everything still works properly
re-run Setup and make sure everything still works properly
anything else I missed?
Thanks in advance for your time and effort!
Testing guidelines were verified as follows: suricata.yaml backed up, HOME_NET and EXTERNAL_NET variables migrated, notification to run sudo rule-update
, and to update suricata.yaml with customizations. Also, new version number seen on each test.
Thanks @cm-ops !
https://suricata-ids.org/2019/10/15/release-notes-for-5-0-0/