* Feedback on evaluation of Suricata-8.0.0-beta1
From: Adolf Belka @ 2025-06-03 19:00 UTC
To: IPFire: Development-List
Hi everyone,
So I have good news and bad news.
The good news is that, apart from a minor adjustment of the patch to disable sid-2210059, suricata-8.0.0-beta1 built without any issues.
I then installed the iso I had built with it and the IPS started up and worked as expected, so also good news.
Suricata-8 has some new capabilities: Landlock is enabled by default now, Suricata can be used via sockets, and encrypted traffic bypass has been decoupled from the stream.bypass setting.
These may or may not require or benefit from modifications in how Suricata is used in IPFire. I am not knowledgeable enough currently to judge that.
The bad news is that the syslog output is deprecated in Suricata-8 and will be removed in Suricata-9.
It will still work in Suricata-8, but we will need to figure out how to change how we log some things before we move to Suricata-9. At least we have some time, so it is better to find this out now.
libhtp is no longer being used by Suricata. They have replaced it with a Rust version. So libhtp should be able to be removed.
I will test this out.
I tried ./make.sh find-dependencies on libhtp.so.2 and libhtp.so.2.0.0 but both with Suricata 8 and the existing suricata 7 version the command showed no dependencies on libhtp. I would have expected it to be shown as a dependency for suricata.
We have a libhtp section in the suricata.yaml file.
Regards,
Adolf.
* Re: Feedback on evaluation of Suricata-8.0.0-beta1
From: Adolf Belka @ 2025-06-04 11:56 UTC
To: IPFire: Development-List
Hi All,
On 03/06/2025 21:00, Adolf Belka wrote:
> Hi everyone,
>
> So I have good news and bad news.
>
> The good news is that, apart from a minor adjustment of the patch to disable sid-2210059, suricata-8.0.0-beta1 built without any issues.
>
> I then installed the iso I had built with it and the IPS started up and worked as expected, so also good news.
>
> Suricata-8 has some new capabilities: Landlock is enabled by default now, Suricata can be used via sockets, and encrypted traffic bypass has been decoupled from the stream.bypass setting.
> These may or may not require or benefit from modifications in how Suricata is used in IPFire. I am not knowledgeable enough currently to judge that.
>
>
> The bad news is that the syslog output is deprecated in Suricata-8 and will be removed in Suricata-9.
> It will still work in Suricata-8, but we will need to figure out how to change how we log some things before we move to Suricata-9. At least we have some time, so it is better to find this out now.
>
> libhtp is no longer being used by Suricata. They have replaced it with a Rust version. So libhtp should be able to be removed.
> I will test this out.
I built suricata-8.0.0-beta1 with libhtp removed from the build and it completed without any issues. I installed the IPFire created with that build and the IPS worked without any issues. So libhtp can be removed when suricata-8 is installed.
> I tried ./make.sh find-dependencies on libhtp.so.2 and libhtp.so.2.0.0 but both with Suricata 8 and the existing suricata 7 version the command showed no dependencies on libhtp. I would have expected it to be shown as a dependency for suricata.
> We have a libhtp section in the suricata.yaml file.
I tested out doing the suricata-7.0.10 build with libhtp removed and it stopped and complained about the missing libhtp.
I then added libhtp back in and reran the build and then did the find-dependencies and this time it flagged up suricata. So yesterday I must have made some error when doing the find-dependencies.
So everything is clear. Suricata-7 requires libhtp, but suricata-8 will not, as it has been replaced by a Rust equivalent.
Regards,
Adolf.
>
> Regards,
> Adolf.
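The find-dependencies confusion above is a good reason to have a second, independent check of what a binary actually links against. The script below is an added example, not IPFire's `./make.sh find-dependencies` and not code from this thread: it reads the `NEEDED` entries from `readelf -d` output and tests whether one of them is a given library, such as libhtp, so the "suricata-7 needs libhtp, suricata-8 does not" result can be confirmed straight from the installed binary. `readelf` (binutils) is assumed to be available for the live check; the sample `readelf` output and the `/usr/bin/suricata` path are constructed assumptions for the demo.

```sh
#!/bin/sh
# Added example (not IPFire's ./make.sh find-dependencies): read the NEEDED entries an
# ELF binary declares and check whether one of them is a given library, e.g. whether
# the suricata binary still links against libhtp. Uses readelf from binutils.

# Parse `readelf -d` output on stdin and print one NEEDED library name per line.
# readelf prints them as:  0x0000000000000001 (NEEDED)  Shared library: [libhtp.so.2]
parse_needed() {
    awk '/\(NEEDED\)/ { sub(/.*\[/, ""); sub(/\].*/, ""); print }'
}

# Exit 0 if any line on stdin starts with the given prefix (e.g. "libhtp.so").
lib_in_list() {
    awk -v prefix="$1" 'index($0, prefix) == 1 { found = 1 } END { exit !found }'
}

# Usage: needs_lib <binary> <soname-prefix>; exit 0 if the binary declares that library.
needs_lib() {
    readelf -d "$1" 2>/dev/null | parse_needed | lib_in_list "$2"
}

# Constructed sample of readelf -d output (the library list is made up for the demo).
SAMPLE_READELF='Dynamic section at offset 0x1d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libhtp.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libpcap.so.0.8]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib]
'

printf '%s\n' "$SAMPLE_READELF" | parse_needed
if printf '%s\n' "$SAMPLE_READELF" | parse_needed | lib_in_list libhtp.so; then
    echo "sample binary needs libhtp"
fi

# On a real system (path assumed; set SURICATA_BIN to where suricata is installed).
BIN="${SURICATA_BIN:-/usr/bin/suricata}"
if command -v readelf >/dev/null 2>&1 && [ -r "$BIN" ]; then
    if needs_lib "$BIN" libhtp.so; then
        echo "$BIN needs libhtp"
    else
        echo "$BIN does not need libhtp"
    fi
fi
```

Matching on the `libhtp.so` prefix rather than the full `libhtp.so.2` soname means the check still reports a hit if the soname version changes; a suricata-8 binary built without libhtp should give "does not need libhtp".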
* Re: Feedback on evaluation of Suricata-8.0.0-beta1
From: Michael Tremer @ 2025-06-04 15:57 UTC
To: Adolf Belka; +Cc: IPFire: Development-List
Hello Adolf,
Cool, this is valuable stuff.
If you have the changes, feel free to push them into a branch in your Git repository so that whenever there is a final release available, we have the changes ready and just need to update.
Best,
-Michael
* Re: Feedback on evaluation of Suricata-8.0.0-beta1
From: Adolf Belka @ 2025-06-15 18:47 UTC
To: Michael Tremer; +Cc: IPFire: Development-List
Hi everyone,
The suricata-8.0.0-rc1 version has been released.
I have built it and tested it and it worked the same as the suricata-8.0.0-beta1 version.
I tested it out in an IPFire install using the testing approach from the Suricata documentation
https://docs.suricata.io/en/suricata-8.0.0-rc1/quickstart.html#alerting
and it worked the same as for 7.0.10 and 8.0.0-beta1.
Both the beta1 and rc1 commits have been pushed into my ipfire repo.
https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=summary
Regards,
Adolf.
* Re: Feedback on evaluation of Suricata-8.0.0-beta1
From: Michael Tremer @ 2025-06-16 8:56 UTC
To: Adolf Belka; +Cc: IPFire: Development-List
Nice!
According to their roadmap, the beta version arrived 6 days late, which is well within timing.
I suppose we will see a final version in about a month's time then, which we should then conduct some further testing on. As things are looking right now, we should be able to release this all very soon, too.
Best,
-Michael