From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mentalic To: development@lists.ipfire.org Subject: RE: IPFire meets Suricata - Call for tester Date: Thu, 21 Feb 2019 15:56:47 -0600 Message-ID: <005401d4ca30$57aa3340$06fe99c0$@net> In-Reply-To: <2ca5f2a895a42095c6d50d8df5523be02499fdba.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7546988592565583552==" List-Id: --===============7546988592565583552== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Restored backup from core127 with guardian against a fresh suricata iso insta= ll.=20 Found: IPS service was running with no rules downloaded. Box's checked were enabled,= monitor, red and blue. It did import the oinkcode but no rules sets downloaded automatically. Since = I had two rule sources in guardian I wondered how that would be handled here = were one set is all that's possible. Picked a set and downloaded them, had to= manually pick the rules. Not a big deal to setup. Made an attempt at importing the suricata tarball into current release core12= 7 with guardian installed but no luck. Tar command exits with "This does not = look like a tar archive". Had used "tar -xvf" to extract... Could be doing so= mething wrong here? Regards Wayne -----Original Message----- From: Development [mailto:development-bounces(a)lists.ipfire.org] On Behalf O= f Stefan Schantl Sent: Wednesday, February 20, 2019 1:55 AM To: development(a)lists.ipfire.org Subject: Re: IPFire meets Suricata - Call for tester Hello again and thanks for the feedback. > Exposed my test setup directly to my cable modem and noticed a couple=20 > of things. >=20 > -The Firewall log seems to only list items that match my firewall=20 > rules. Gone was the typical several a minute "drop_input" entry noise,=20 > there was zero drop_input's in 15min or so. Possible logging issue? The IDS/IPS events are not logged to the firewall log. They only can be acces= sed in the "Logs"->"IPS Logs" section. >=20 > -Suricata placed entries into IPS log, but what is done with them? > Don't see a block list like Guardian generated. Thats exactly how suricata works and the main benefit why we choose to switch= to suricata. The old snort/guardian solution worked like this: Snort detected (based on it's ruleset) an event and logged it to it's logfile= . Guardian read this event from the file, parsed it again and if the configur= ed block count for the matching IP-address was reached, the host was blocked = by an iptables rule (block list). The new suricata-based solution works like this: Suricata detects (also based on the ruleset) an event and directly drops the = bad package. There is no additional software involved anymore . So one of the benefits of the new approach is to reduce the amount of time an= attack has been recognized until it's blocked immediately. >=20 > -Are there any incompatibility issues with using the backup function=20 > to restore to this version? I had made a backup from my core 127=20 > system with the old intrusion detection/guardian not active just in=20 > case. There is a converter-script available, which will move the old snort/guardian= and rules settings to be used by suricata. This script automatically will be= called if a backup gets restored, which contains such settings files. Therefore I would ask you to test this feature by restoring such a backup on = a fresh installed nightly machine and if possible to install the "update tarb= all" on a regular machine with configured snort and/or guardian. In both ways, all your taken settings should be the same for suricata as befo= re for snort. A big thanks in advance and best regards, -Stefan=20 >=20 > Regards > Wayne >=20 > -----Original Message----- > From: Development [mailto:development-bounces(a)lists.ipfire.org] On=20 > Behalf Of Mentalic > Sent: Tuesday, February 19, 2019 4:12 PM > To: 'Stefan Schantl'; development(a)lists.ipfire.org > Subject: RE: IPFire meets Suricata - Call for tester >=20 > Stefan >=20 > Yep I had downloaded the nightly and suspected is was not current, and=20 > so posted the build number. >=20 > With the 5d7d8749 loaded I have not seen any of the previous issues=20 > nor any others thus far. >=20 > Regards > Wayne >=20 > -----Original Message----- > From: Development [mailto:development-bounces(a)lists.ipfire.org] On=20 > Behalf Of Stefan Schantl > Sent: Tuesday, February 19, 2019 5:34 AM > To: development(a)lists.ipfire.org > Subject: Re: IPFire meets Suricata - Call for tester >=20 > Hello Wayne, >=20 > it seems you accidentally downloaded and tested the wrong image. >=20 > The latest one is 5d7d8749 were you downloaded one is an older=20 > release. >=20 > Sadly the nightly build service and therefore the images are one day=20 > later than the upgrade tarballs.... >=20 > You simply can update to this release by using the RC3 tarball or=20 > download the available "5d7d8749" ISO. >=20 > Best regards, >=20 > -Stefan > > Loaded the new iso, reports build 77c07352. Still having connection=20 > > issues with suricata as soon as its activated where existing=20 > > connections would continue to work, no new connections were=20 > > possible. > > Reboot results in no connection timeouts. Disable suricata, reboot,=20 > > connections work. > >=20 > > Any graphical data trend under Status tab reports errors and remains=20 > > blank. Typically on new installs the trends at least show the chart=20 > > even though data had not been collected. > >=20 > > Configured options: > > Geoip > > Proxy on green and blue > > URL filter > > suricata on red/blue Running a number of emerging threats rule sets. > >=20 > > Regards > > Wayne > >=20 > >=20 > >=20 > > -----Original Message----- > > From: Development [mailto:development-bounces(a)lists.ipfire.org] On=20 > > Behalf Of Stefan Schantl > > Sent: Monday, February 18, 2019 7:16 AM > > To: development(a)lists.ipfire.org > > Subject: Re: IPFire meets Suricata - Call for tester > >=20 > > Hello list, > >=20 > > I've uploaded the third release candidate, which hopefully would be=20 > > the last one. > >=20 > > It fixes the issue that no traffic could be passed through the=20 > > firewall when suricata was running on some machines and no graphs=20 > > could be displayed anymore. Thanks to Wayne for reporting and=20 > > Michael Tremer for testing and fixing. > >=20 > > The new tarball (i586 for 32bit-systems, and x86_64) can be found > > here: > >=20 > > https://people.ipfire.org/~stevee/suricata/ > >=20 > > To start testing download the tarball and place it on your IPFire=20 > > system. Extract the tarball and launch the install (install.sh)=20 > > script. > >=20 > > If you already have installed a previous test version or image, with=20 > > the same steps as noted above you can update the the new version. > >=20 > > As always, if you prefer a fresh installation, the latest image can=20 > > be grabbed from here: > >=20 > > https://nightly.ipfire.org/next-suricata/latest/x86_64/ > >=20 > > Direct link for downloading the ISO image: > >=20 > > https://nightly.ipfire.org/next-suricata/latest/x86_64/ipfire-2.21.x > > 86 > > _64-full-core128.iso > >=20 > > Thanks for downloading and testing. There are no known bugs so far,=20 > > as usual please file any bugs to our bugtracker ( > > https://bugzilla.ipfire.org) and share your feedback on the list. > >=20 > > Best regards, > >=20 > > -Stefan > >=20 --===============7546988592565583552==--