Suricata 4.1.7 #1720

Closed
dougburks opened this issue Feb 13, 2020 · 3 comments

Comments

@dougburks dougburks self-assigned this Feb 13, 2020
@dougburks dougburks added this to To do in 16.04.6.5 via automation Feb 13, 2020
@dougburks dougburks moved this from To do to In progress in 16.04.6.5 Mar 13, 2020
@dougburks dougburks moved this from In progress to In Testing in 16.04.6.5 Mar 13, 2020

@dougburks dougburks commented Mar 13, 2020

I've packaged Suricata 4.1.7 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 4.1.7-1ubuntu1securityonion1

Please test/verify as follows:

  • start with a 16.04 box with all stable updates applied

  • run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata

  • snapshot the VM if possible

  • add the test PPA:

        sudo add-apt-repository -y ppa:securityonion/test

  • install all updates:

        sudo soup -y

  • the Suricata package should back up your existing suricata.yaml, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update

  • PLEASE NOTE! suricata.yaml has recently changed SIGNIFICANTLY. Please sanity-check all options in suricata.yaml.

  • if necessary, manually update the new suricata.yaml for your environment

  • update rules:

        sudo rule-update

  • verify the new version number:

        suricata -V

  • run through your normal testing in as many different combinations as possible:
        PF_RING vs AF_PACKET
        single worker vs multiple workers

    Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.

  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)

  • check log files for any warnings/errors out of the ordinary

  • reboot and make sure everything still works properly

  • re-run Setup and make sure everything still works properly

  • anything else I missed?

Thanks in advance for your time and effort!
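The manual steps above (verify the version, confirm HOME_NET/EXTERNAL_NET survived the suricata.yaml migration, look for warnings/errors in the logs, look for packet loss) can be scripted so every tester checks the same things. The script below is an added example, not code from the Security Onion project or from this issue. It assumes Suricata 4.x's suricata.log line format (`<Warning>`/`<Error>` level markers) and stats.log counter format (`capture.kernel_drops | Total | N`); the sample banner, YAML, log and stats text embedded in it are constructed, including the placeholder ERRCODE names, and the sensor-specific file paths are left to the operator.

```shell
#!/bin/sh
# Added example; not from the Security Onion project or this issue.
# Offline sanity checks mirroring the manual test steps: expected version,
# migrated HOME_NET/EXTERNAL_NET, warning/error lines in suricata.log, and
# kernel drops in stats.log. Every input is passed as text so the functions
# can be exercised on the constructed samples below; on a real sensor you
# would pass "$(suricata -V)" and the contents of the sensor's suricata.yaml,
# suricata.log and stats.log (paths are deployment specific). The line
# formats follow Suricata 4.x; the sample contents themselves are made up.

EXPECTED_VERSION="4.1.7"

# check_version BANNER -> 0 if the "suricata -V" banner reports EXPECTED_VERSION
check_version() {
    printf '%s\n' "$1" | grep -qF "This is Suricata version ${EXPECTED_VERSION} "
}

# vars_migrated YAML_TEXT -> 0 if both address-group variables are present,
# i.e. the package's migration into the new suricata.yaml kept them
vars_migrated() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*HOME_NET:' &&
        printf '%s\n' "$1" | grep -q '^[[:space:]]*EXTERNAL_NET:'
}

# count_log_problems LOG_TEXT -> number of <Warning>/<Error> lines in suricata.log
count_log_problems() {
    printf '%s\n' "$1" | grep -c -E -- '- <(Warning|Error)> -' || true
}

# kernel_drops STATS_TEXT -> most recent capture.kernel_drops Total in stats.log
kernel_drops() {
    printf '%s\n' "$1" |
        awk -F'|' '/^ *capture\.kernel_drops/ { gsub(/ /, "", $3); v = $3 } END { print v + 0 }'
}

# run_checks BANNER YAML LOG STATS -> prints a summary; returns 0 only if all pass
run_checks() {
    rc=0
    if check_version "$1"; then echo "version:        OK ($EXPECTED_VERSION)"
    else echo "version:        MISMATCH, expected $EXPECTED_VERSION"; rc=1; fi
    if vars_migrated "$2"; then echo "address-groups: HOME_NET and EXTERNAL_NET present"
    else echo "address-groups: MISSING, re-check suricata.yaml"; rc=1; fi
    n=$(count_log_problems "$3")
    if [ "$n" -eq 0 ]; then echo "suricata.log:   no warnings/errors"
    else echo "suricata.log:   $n warning/error line(s)"; rc=1; fi
    d=$(kernel_drops "$4")
    if [ "$d" -eq 0 ]; then echo "kernel_drops:   0"
    else echo "kernel_drops:   $d (packet loss, check pf_ring/AF_PACKET setup)"; rc=1; fi
    return $rc
}

# ---- constructed samples (not captured from a real sensor) ----
SAMPLE_BANNER="This is Suricata version 4.1.7 RELEASE"

SAMPLE_YAML='vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"'

# ERRCODE names/numbers here are placeholders, not real Suricata codes
SAMPLE_LOG='13/3/2020 -- 10:00:01 - <Notice> - This is Suricata version 4.1.7 RELEASE
13/3/2020 -- 10:00:02 - <Warning> - [ERRCODE: SC_WARN_SAMPLE(0)] - sample warning
13/3/2020 -- 10:00:03 - <Error> - [ERRCODE: SC_ERR_SAMPLE(0)] - sample error
13/3/2020 -- 10:00:05 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.'

SAMPLE_CLEAN_LOG='13/3/2020 -- 10:00:01 - <Notice> - This is Suricata version 4.1.7 RELEASE
13/3/2020 -- 10:00:05 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.'

SAMPLE_STATS='Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 102400
capture.kernel_drops                          | Total                     | 137
decoder.pkts                                  | Total                     | 102263'

SAMPLE_STATS_CLEAN='capture.kernel_packets                        | Total                     | 102400
capture.kernel_drops                          | Total                     | 0'

# Demo on the samples: exit status is non-zero because SAMPLE_LOG and
# SAMPLE_STATS deliberately contain a warning, an error and kernel drops.
run_checks "$SAMPLE_BANNER" "$SAMPLE_YAML" "$SAMPLE_LOG" "$SAMPLE_STATS" ||
    echo "=> problems found; review before signing off on the package"
```

The checks are deliberately conservative: any `<Warning>` or `<Error>` line and any non-zero `capture.kernel_drops` fail the run, so a tester still has to read the lines and decide whether they are expected for the environment (for example, the AF_PACKET load-balancing caveat with local tcpreplay mentioned above).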


@weslambert weslambert commented Mar 17, 2020

No issues found during my testing 👍.

@dougburks dougburks moved this from In Testing to Tested in 16.04.6.5 Mar 17, 2020
@dougburks dougburks closed this Mar 17, 2020
16.04.6.5 automation moved this from Tested to Done Mar 17, 2020