From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IPFire meets Suricata - Call for tester
Date: Fri, 22 Feb 2019 10:21:13 +0000

> On 21 Feb 2019, at 21:56, Mentalic wrote:
>
> Made an attempt at importing the suricata tarball into current release core 127 with guardian installed but no luck. Tar command exits with "This does not look like a tar archive". Had used "tar -xvf" to extract... Could be doing something wrong here?

Good point actually.

@Stevee: What is the migration path away from Guardian? This kind of needs to be uninstalled or the CGI needs to be stripped to remove all IPS features from it.

-Michael

>
> Regards
> Wayne
>
> -----Original Message-----
> From: Development [mailto:development-bounces(a)lists.ipfire.org] On Behalf Of Stefan Schantl
> Sent: Wednesday, February 20, 2019 1:55 AM
> To: development(a)lists.ipfire.org
> Subject: Re: IPFire meets Suricata - Call for tester
>
> Hello again and thanks for the feedback.
>
>> Exposed my test setup directly to my cable modem and noticed a couple of things.
>>
>> -The Firewall log seems to only list items that match my firewall rules. Gone was the typical several a minute "drop_input" entry noise, there were zero drop_input's in 15min or so. Possible logging issue?
>
> The IDS/IPS events are not logged to the firewall log. They can only be accessed in the "Logs"->"IPS Logs" section.
>
>> -Suricata placed entries into IPS log, but what is done with them?
>> Don't see a block list like Guardian generated.
>
> That's exactly how suricata works and the main benefit why we chose to switch to suricata.
>
> The old snort/guardian solution worked like this:
>
> Snort detected (based on its ruleset) an event and logged it to its logfile. Guardian read this event from the file, parsed it again and if the configured block count for the matching IP-address was reached, the host was blocked by an iptables rule (block list).
>
> The new suricata-based solution works like this:
>
> Suricata detects (also based on the ruleset) an event and directly drops the bad packet. There is no additional software involved anymore.
>
> So one of the benefits of the new approach is to reduce the amount of time an attack has been recognized until it's blocked immediately.
>
>> -Are there any incompatibility issues with using the backup function to restore to this version? I had made a backup from my core 127 system with the old intrusion detection/guardian not active just in case.
>
> There is a converter-script available, which will move the old snort/guardian and rules settings to be used by suricata. This script will automatically be called if a backup gets restored, which contains such settings files.
>
> Therefore I would ask you to test this feature by restoring such a backup on a freshly installed nightly machine and if possible to install the "update tarball" on a regular machine with configured snort and/or guardian.
>
> In both ways, all your taken settings should be the same for suricata as before for snort.
>
> A big thanks in advance and best regards,
>
> -Stefan
>
>> Regards
>> Wayne
>>
>> -----Original Message-----
>> From: Development [mailto:development-bounces(a)lists.ipfire.org] On Behalf Of Mentalic
>> Sent: Tuesday, February 19, 2019 4:12 PM
>> To: 'Stefan Schantl'; development(a)lists.ipfire.org
>> Subject: RE: IPFire meets Suricata - Call for tester
>>
>> Stefan
>>
>> Yep I had downloaded the nightly and suspected it was not current, and so posted the build number.
>>
>> With the 5d7d8749 loaded I have not seen any of the previous issues nor any others thus far.
>>
>> Regards
>> Wayne
>>
>> -----Original Message-----
>> From: Development [mailto:development-bounces(a)lists.ipfire.org] On Behalf Of Stefan Schantl
>> Sent: Tuesday, February 19, 2019 5:34 AM
>> To: development(a)lists.ipfire.org
>> Subject: Re: IPFire meets Suricata - Call for tester
>>
>> Hello Wayne,
>>
>> it seems you accidentally downloaded and tested the wrong image.
>>
>> The latest one is 5d7d8749, whereas the one you downloaded is an older release.
>>
>> Sadly the nightly build service and therefore the images are one day later than the upgrade tarballs....
>>
>> You simply can update to this release by using the RC3 tarball or download the available "5d7d8749" ISO.
>>
>> Best regards,
>>
>> -Stefan
>>
>>> Loaded the new iso, reports build 77c07352. Still having connection issues with suricata as soon as it's activated where existing connections would continue to work, no new connections were possible.
>>> Reboot results in no connection timeouts. Disable suricata, reboot, connections work.
>>>
>>> Any graphical data trend under Status tab reports errors and remains blank. Typically on new installs the trends at least show the chart even though data had not been collected.
>>>
>>> Configured options:
>>> Geoip
>>> Proxy on green and blue
>>> URL filter
>>> suricata on red/blue. Running a number of emerging threats rule sets.
>>>
>>> Regards
>>> Wayne
>>>
>>> -----Original Message-----
>>> From: Development [mailto:development-bounces(a)lists.ipfire.org] On Behalf Of Stefan Schantl
>>> Sent: Monday, February 18, 2019 7:16 AM
>>> To: development(a)lists.ipfire.org
>>> Subject: Re: IPFire meets Suricata - Call for tester
>>>
>>> Hello list,
>>>
>>> I've uploaded the third release candidate, which hopefully would be the last one.
>>>
>>> It fixes the issue that no traffic could be passed through the firewall when suricata was running on some machines and no graphs could be displayed anymore. Thanks to Wayne for reporting and Michael Tremer for testing and fixing.
>>>
>>> The new tarball (i586 for 32bit-systems, and x86_64) can be found here:
>>>
>>> https://people.ipfire.org/~stevee/suricata/
>>>
>>> To start testing download the tarball and place it on your IPFire system. Extract the tarball and launch the install (install.sh) script.
>>>
>>> If you already have installed a previous test version or image, with the same steps as noted above you can update to the new version.
>>>
>>> As always, if you prefer a fresh installation, the latest image can be grabbed from here:
>>>
>>> https://nightly.ipfire.org/next-suricata/latest/x86_64/
>>>
>>> Direct link for downloading the ISO image:
>>>
>>> https://nightly.ipfire.org/next-suricata/latest/x86_64/ipfire-2.21.x86_64-full-core128.iso
>>>
>>> Thanks for downloading and testing. There are no known bugs so far, as usual, please file any bugs to our bugtracker (https://bugzilla.ipfire.org) and share your feedback on the list.
>>>
>>> Best regards,
>>>
>>> -Stefan
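Stefan's comparison in the thread above (Snort only logs an event, Guardian re-parses the log and inserts an iptables rule once the configured block count for a source is reached, whereas Suricata drops the matching packet inline) as a small Python model. This is an added illustration, not IPFire, Guardian or Suricata code; the alert lines, SIDs, addresses and the "GUARDIAN" chain name are constructed for it.

```python
import re
from collections import Counter

# Constructed Snort "fast"-style alert lines (sample data written for this
# illustration; the SIDs and addresses are made up, not real IPFire output).
SAMPLE_SNORT_LOG = """\
02/20-01:55:01.000001 [**] [1:1000001:1] TEST ATTACK A [**] {TCP} 203.0.113.10:44321 -> 192.0.2.1:80
02/20-01:55:02.000002 [**] [1:1000001:1] TEST ATTACK A [**] {TCP} 203.0.113.10:44322 -> 192.0.2.1:80
02/20-01:55:03.000003 [**] [1:1000002:1] TEST SCAN B [**] {TCP} 198.51.100.7:51000 -> 192.0.2.1:1433
02/20-01:55:04.000004 [**] [1:1000001:1] TEST ATTACK A [**] {TCP} 203.0.113.10:44323 -> 192.0.2.1:80
"""

ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\].*\{\w+\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_events(log_text):
    """Yield (source_ip, sid) for every alert line, as Guardian re-parsed them."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("src"), m.group("sid")


def guardian_style(log_text, block_count):
    """Old snort + guardian flow: alerts are only logged; Guardian counts them
    per source and inserts an iptables rule once block_count is reached.
    Returns (packets that reached the host per source, rules inserted)."""
    seen, reached_host, blocked, rules = Counter(), Counter(), set(), []
    for src, _sid in parse_events(log_text):
        if src in blocked:
            continue                     # dropped by the iptables rule from now on
        seen[src] += 1
        reached_host[src] += 1           # this packet was logged, not dropped
        if seen[src] >= block_count:
            blocked.add(src)
            # "GUARDIAN" is a hypothetical chain name for this illustration
            rules.append(f"iptables -I GUARDIAN -s {src} -j DROP")
    return dict(reached_host), rules


def inline_ips_style(log_text):
    """New suricata flow: each matching packet is dropped where it is detected,
    so nothing reaches the host and no block list is needed.
    Returns packets dropped per source."""
    return dict(Counter(src for src, _sid in parse_events(log_text)))
```

With a block count of 2, the first two packets from 203.0.113.10 still reach the host before the rule exists; the inline model drops all three at detection time.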