Message-ID: <248818c8-c129-4642-84a7-b2bb6db68184@ipfire.org>
Date: Wed, 4 Jun 2025 13:56:44 +0200
Subject: Re: Feedback on evaluation of Suricata-8.0.0-beta1
From: Adolf Belka
To: "IPFire: Development-List"
References: <98524397-9ffa-4a72-91d3-0d13da6aa04f@ipfire.org>
In-Reply-To: <98524397-9ffa-4a72-91d3-0d13da6aa04f@ipfire.org>

Hi All,

On 03/06/2025 21:00, Adolf Belka wrote:
> Hi everyone,
>
> So I have good news and bad news.
>
> The good news is that, apart from a minor adjustment of the patch to disable sid-2210059, suricata-8.0.0-beta1 built without any issues.
>
> I then installed the iso I had built with it and the IPS started up and worked as expected, so also good news.
>
> Suricata-8 has some new capabilities, such as landlock being enabled by default now, Suricata being usable via sockets, and encrypted traffic bypass having been decoupled from the stream.bypass setting.
> These may or may not require or benefit from modifications in how Suricata is used in IPFire. I am not knowledgeable enough currently to judge that.
>
>
> The bad news is that the syslog output is deprecated in Suricata-8 and will be removed in Suricata-9.
> It will still work in Suricata-8, but we will need to figure out how to change how we log some things before we move to Suricata-9. At least we have some time, so it is better to find this out now.
>
> libhtp is no longer being used by Suricata. They have replaced it with a rust version. So libhtp should be able to be removed.
> I will test this out.

I built suricata-8.0.0-beta1 with libhtp removed from the build and it completed without any issues. I installed the IPFire created with that build and the IPS worked without any issues. So libhtp can be removed when suricata-8 is installed.

> I tried ./make.sh find-dependencies on libhtp.so.2 and libhtp.so.2.0.0, but both with Suricata 8 and the existing suricata 7 version the command showed no dependencies on libhtp. I would have expected it to be shown as a dependency for suricata.
> We have a libhtp section in the suricata.yaml file.

I tested out doing the suricata-7.0.10 build with libhtp removed and it stopped and complained about the missing libhtp. I then added libhtp back in, reran the build and then did the find-dependencies, and this time it flagged up suricata. So yesterday I must have made some error when doing the find-dependencies. So everything is clear. Suricata-7 requires libhtp but suricata-8 will not, as it is replaced by a rust equivalent.

Regards,
Adolf.

>
> Regards,
> Adolf.