dougburks
commented
3 years ago Closed dougburks closed 3 years ago
dougburks
commented
3 years ago dougburks
commented
3 years ago I've packaged Suricata 4.1.9 and the following package is now available at ppa:securityonion/test:
securityonion-suricata - 4.1.9-1ubuntu1securityonion1Please test/verify as follows:
start with a 16.04 box with all stable updates applied
run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/testinstall all updates:
sudo soup -ythe Suricata package should back up your existing suricata.yaml,
migrate your HOME_NET and EXTERNAL_NET variables, and tell you that
you need to run sudo rule-update
PLEASE NOTE! suricata.yaml has changed in this release. Please verify that both use-mmap and tpacket-v3 are set to yes under the af-packet section. This should increase performance.
if necessary, manually update the new suricata.yaml for your environment
update rules:
sudo rule-updateverify the new version number:
suricata -Vrun through your normal testing in as many different combinations as possible: PF_RING vs AF_PACKET single worker vs multiple workers Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.
check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)
check log files for any warnings/errors out of the ordinary
reboot and make sure everything still works properly
re-run Setup and make sure everything still works properly
anything else I missed?
Thanks in advance for your time and effort!
cm-ops
commented
3 years ago Testing guidelines were verified as follows: suricata.yaml backed up (single and multiple interfaces), HOME_NET and EXTERNAL_NET variables migrated (single and multiple interfaces), notification to run sudo rule-update was seen on each interface, new version number seen on each test.
sudo rule-update: no issues PF_RING vs AF_PACKET: no issues Single worker vs multiple workers: no issues sostat: no issues Log files: no issues Reboot: no issues Re-run setup: no issues
dougburks
commented
3 years ago Thanks @cm-ops !
dougburks
commented
3 years ago
https://redmine.openinfosecfoundation.org/versions/148
Also enable the following in
suricata.yamlby default (see https://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#af-packet):