Suricata 4.1.6 #1677

dougburks opened this issue Dec 13, 2019 · 4 comments



@dougburks dougburks self-assigned this Dec 13, 2019
@dougburks dougburks added this to To do in via automation Dec 13, 2019
@dougburks dougburks moved this from To do to In Testing in Dec 13, 2019


@dougburks dougburks commented Dec 13, 2019

I've packaged Suricata 4.1.6 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 4.1.6-1ubuntu1securityonion2

Please test/verify as follows:

  • start with a 16.04 box with all stable updates applied
  • run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata
  • snapshot the VM if possible
  • add the test PPA:
      sudo add-apt-repository -y ppa:securityonion/test
  • install all updates:
      sudo soup -y
  • the Suricata package should back up your existing suricata.yaml, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update
  • PLEASE NOTE! suricata.yaml has recently changed SIGNIFICANTLY. Please sanity-check all options in suricata.yaml.
  • if necessary, manually update the new suricata.yaml for your environment
  • update rules:
      sudo rule-update
  • verify the new version number:
      suricata -V
  • run through your normal testing in as many different combinations as possible:
    single worker vs multiple workers
    Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.
  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)
  • check log files for any warnings/errors out of the ordinary
  • reboot and make sure everything still works properly
  • re-run Setup and make sure everything still works properly
  • anything else I missed?

Thanks in advance for your time and effort!
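The post-upgrade checks in the procedure above (version string, migrated HOME_NET/EXTERNAL_NET, log warnings/errors) can be scripted so each tester runs the same verification. This is an added example, not Security Onion's own code or anything posted in this issue; it assumes the package's backup of the old suricata.yaml and the migrated file are passed in as paths, and that Suricata log lines carry "<Warning>" / "<Error>" level tags.

```shell
#!/bin/sh
# Post-upgrade sanity checks for the Suricata package test described above.
# Added example, not part of Security Onion's packaging or this issue.
# Assumptions (not stated in the issue): OLD_YAML is the package's backup of
# the previous suricata.yaml, NEW_YAML the migrated file, LOG Suricata's log,
# and log lines carry "<Warning>" / "<Error>" level tags.
# Print the value of the first "NAME:" key in FILE, without surrounding quotes.
yaml_var() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Succeed only if NAME has a non-empty value in OLD and the same value in NEW.
check_migrated() {
    old=$(yaml_var "$1" "$3"); new=$(yaml_var "$2" "$3")
    if [ -z "$old" ] || [ "$old" != "$new" ]; then
        printf '%s not migrated: old=%s new=%s\n' "$3" "$old" "$new" >&2
        return 1
    fi
}
# $1 is the output of `suricata -V`, $2 the expected version string.
check_version() {
    case "$1" in
        *"version $2 "*|*"version $2") return 0 ;;
    esac
    printf 'unexpected version output: %s\n' "$1" >&2
    return 1
}

# Count <Warning>/<Error> lines in a Suricata log; 0 if the file is missing.
count_log_issues() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '<Warning>' -e '<Error>' "$1" || true
}

# Run every check against a live box; returns non-zero if anything fails.
run_checks() {
    status=0
    check_version "$(suricata -V 2>&1)" 4.1.6 || status=1
    for v in HOME_NET EXTERNAL_NET; do
        check_migrated "$1" "$2" "$v" || status=1
    done
    n=$(count_log_issues "$3")
    [ "$n" -eq 0 ] || { printf '%s warning/error lines in %s\n' "$n" "$3" >&2; status=1; }
    return $status
}

# Usage: sh check-upgrade.sh OLD_YAML NEW_YAML LOG
if [ $# -ge 3 ]; then run_checks "$@"; fi
```

A non-zero exit means at least one of the checks the procedure asks for failed; the reason is printed to stderr.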



@Ucnt Ucnt commented Dec 14, 2019

tl;dr upgrade was successful.

  • Started from an ISO install on ESXi with 2 x port mirror interfaces at a branch office.
  • Went through initial install steps and setup, adding PPA
  • sudo soup -y
    • Did get note to review yaml and run rule-update
    • Updated to 4.1.6.
    • Carried over HOME_NET variables
      • During one test, I set "set-cpu-affinity" to yes prior to update. The update reverted that to "no". Not sure if that's as intended.
  • No dropped packets reported (~10 min run time) and no odd logs
  • Rebooted and everything came up, Kibana and squert showed logs/alerts
  • Re-ran setup and everything came back up with 4.1.6
  • Still no packets dropped.
  • Running af-packet by default, with no cpu affinity

Still need to do additional testing and let it bake in but so far so good!



@weslambert weslambert commented Dec 16, 2019

No issues during my testing. @Ucnt we don't currently migrate settings for cpu affinity or eve.json (etc.); however, we may consider doing so in the future.




@dougburks dougburks commented Dec 16, 2019

@dougburks dougburks closed this Dec 16, 2019
automation moved this from In Testing to Done Dec 16, 2019