
Suricata 4.1.5 #1646

Closed
dougburks opened this issue Sep 24, 2019 · 3 comments

Comments

@dougburks dougburks self-assigned this Sep 24, 2019
@dougburks dougburks added this to To do in 16.04.6.3 via automation Sep 24, 2019
@dougburks dougburks moved this from To do to In progress in 16.04.6.3 Sep 24, 2019
@dougburks

Contributor Author

commented Sep 24, 2019

I've packaged Suricata 4.1.5 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 4.1.5-1ubuntu1securityonion4

Please test/verify as follows:

  • start with a 16.04 box with all stable updates applied

  • run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata

  • snapshot the VM if possible

  • add the test PPA:

    sudo add-apt-repository -y ppa:securityonion/test

  • install all updates:

    sudo soup -y

  • the Suricata package should back up your existing suricata.yaml,
    migrate your HOME_NET and EXTERNAL_NET variables, and tell you that
    you need to run "sudo rule-update"

  • PLEASE NOTE! suricata.yaml has recently changed SIGNIFICANTLY. Please sanity-check all options in suricata.yaml.

  • if necessary, manually update the new suricata.yaml for your environment

  • update rules:

    sudo rule-update

  • verify the new version number:

    suricata -V

  • run through your normal testing in as many different combinations as possible:
    - PF_RING vs AF_PACKET
    - single worker vs multiple workers

    Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.

  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)

  • check log files for any warnings/errors out of the ordinary

  • reboot and make sure everything still works properly

  • re-run Setup and make sure everything still works properly

  • anything else I missed?

Thanks in advance for your time and effort!
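The post-upgrade checks in the procedure above (version number, HOME_NET/EXTERNAL_NET carried over from the backed-up suricata.yaml, warnings/errors in the log) can be scripted so testers compare the same things. The helper below is an added example, not Security Onion's own code or part of the package: the backup file name, the suricata.log path and the `vars: address-groups:` layout of suricata.yaml are assumptions, and the sample files it writes are constructed for offline use.

```shell
#!/bin/sh
# Added verification helper for the Suricata 4.1.5 test procedure (not project code).
# Assumes: standard suricata.yaml "vars: address-groups:" layout, and the
# "<Warning>"/"<Error>" level tags used in suricata.log.

EXPECTED_VERSION="4.1.5"   # version under test, from the issue

# Return 0 if a "suricata -V" output line reports the expected version.
# Real format of the first line: "This is Suricata version 4.1.5 RELEASE"
version_matches() {
    # $1 = output line, $2 = expected version (dots are literal in case patterns)
    case "$1" in
        *"Suricata version $2 "*|*"Suricata version $2") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of an address-group variable (HOME_NET, EXTERNAL_NET) from a
# suricata.yaml; only the first non-commented "NAME:" line is used.
yaml_var() {
    # $1 = path to suricata.yaml, $2 = variable name
    awk -v name="$2" '
        $1 == name ":" { sub(/^[[:space:]]*[^:]+:[[:space:]]*/, ""); gsub(/"/, ""); print; exit }
    ' "$1"
}

# Return 0 if HOME_NET and EXTERNAL_NET are identical in the backup and the new file,
# i.e. the package migrated them as the procedure says it should.
vars_migrated() {
    # $1 = backed-up suricata.yaml, $2 = new suricata.yaml
    for v in HOME_NET EXTERNAL_NET; do
        [ "$(yaml_var "$1" "$v")" = "$(yaml_var "$2" "$v")" ] || return 1
    done
    return 0
}

# Print the number of Warning/Error lines in a suricata.log (0 when none).
log_issues() {
    # $1 = path to suricata.log
    grep -c -E '<(Warning|Error)>' "$1" || true
}

# Write a constructed, minimal suricata.yaml so the checks can be exercised offline.
write_sample_yaml() {
    # $1 = path, $2 = HOME_NET value, $3 = EXTERNAL_NET value
    cat > "$1" <<EOF
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "$2"
    EXTERNAL_NET: "$3"
EOF
}

# Demo on constructed samples; also checks the real binary when one is installed.
demo() {
    tmp=$(mktemp -d)
    write_sample_yaml "$tmp/suricata.yaml.bak" "[192.168.0.0/16,10.0.0.0/8]" "any"  # assumed backup name
    write_sample_yaml "$tmp/suricata.yaml" "[192.168.0.0/16,10.0.0.0/8]" "any"
    if vars_migrated "$tmp/suricata.yaml.bak" "$tmp/suricata.yaml"; then
        echo "HOME_NET/EXTERNAL_NET migrated: HOME_NET=$(yaml_var "$tmp/suricata.yaml" HOME_NET)"
    else
        echo "variable mismatch between backup and new suricata.yaml"
    fi
    if command -v suricata >/dev/null 2>&1; then
        first=$(suricata -V 2>&1 | head -n 1)
        if version_matches "$first" "$EXPECTED_VERSION"; then
            echo "version OK: $first"
        else
            echo "unexpected version: $first"
        fi
    fi
    rm -rf "$tmp"
}
demo
```

On a real test box the same functions apply to the installed files, for example `vars_migrated /etc/nsm/suricata.yaml.bak /etc/nsm/suricata.yaml` (both paths assumed) after `sudo soup -y`, and `log_issues` on the Suricata log after `sudo rule-update`; a non-zero count is the cue to read the log before moving on to the PF_RING/AF_PACKET runs.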

@dougburks dougburks moved this from In progress to In Testing in 16.04.6.3 Sep 24, 2019
@weslambert

Collaborator

commented Sep 25, 2019

Everything looks good from my testing 👍

@dougburks

Contributor Author

commented Sep 25, 2019

@dougburks dougburks closed this Sep 25, 2019
16.04.6.3 automation moved this from In Testing to Done Sep 25, 2019
Projects: 16.04.6.3 (Done)
2 participants