This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Suricata 5.0.6 #1822

Closed
dougburks opened this issue Feb 22, 2021 · 5 comments

@dougburks
Contributor

No description provided.

@dougburks dougburks self-assigned this Feb 22, 2021
@dougburks dougburks added this to To do in 16.04.7.3 via automation Feb 22, 2021
@dougburks dougburks moved this from To do to In progress in 16.04.7.3 Mar 2, 2021
@dougburks
Contributor Author

I've packaged Suricata 5.0.6 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 5.0.6-1ubuntu1securityonion1

Please test/verify as follows:

  • start with a 16.04 box with all stable updates applied

  • run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata

  • snapshot the VM if possible

  • add the test PPA:

    sudo add-apt-repository -y ppa:securityonion/test

  • install all updates:

    sudo soup -y

  • the Suricata package should back up your existing suricata.yaml, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update

  • PLEASE NOTE! suricata.yaml has changed drastically from Suricata 4 to Suricata 5. Please double-check all options in suricata.yaml.

  • if necessary, manually update the new suricata.yaml for your environment

  • update rules:

    sudo rule-update

  • verify the new version number:

    suricata -V

  • run through your normal testing in as many different combinations as possible:
      PF_RING vs AF_PACKET
      single worker vs multiple workers
    Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.

  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)

  • check log files for any warnings/errors out of the ordinary

  • reboot and make sure everything still works properly

  • re-run Setup and make sure everything still works properly

  • anything else I missed?

Thanks in advance for your time and effort!
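One way to script the migration and version checks from the list above, as an added example that is not part of this issue or of Security Onion's own tooling. The backup/new suricata.yaml paths and the sample yaml fragments are constructed for the demo; on a real box you would point the functions at the package's backup file and the live /etc/nsm/.../suricata.yaml.

```bash
#!/usr/bin/env bash
# Added example (not Security Onion code): verify that HOME_NET and
# EXTERNAL_NET survived the Suricata 4 -> 5 suricata.yaml migration and
# that `suricata -V` reports the expected version.

# Print the value of an address-group variable (e.g. HOME_NET) from a
# suricata.yaml; prints nothing if the key is absent. Surrounding quotes
# are stripped so "[10.0.0.0/8]" and [10.0.0.0/8] compare equal.
yaml_var() {  # $1 = yaml file, $2 = variable name
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Return 0 when both variables are present in the backup and carry the
# same value in the migrated file, 1 on any missing key or mismatch.
vars_migrated() {  # $1 = backed-up yaml, $2 = migrated yaml
  for v in HOME_NET EXTERNAL_NET; do
    [ -n "$(yaml_var "$1" "$v")" ] || return 1
    [ "$(yaml_var "$1" "$v")" = "$(yaml_var "$2" "$v")" ] || return 1
  done
  return 0
}

# Return 0 when `suricata -V` output names exactly the wanted version
# (the trailing space stops 5.0.6 from matching 5.0.60).
version_ok() {  # $1 = output of `suricata -V`, $2 = wanted version
  printf '%s\n' "$1" | grep -Fq "Suricata version $2 "
}

# Constructed sample files standing in for the backup and the new yaml.
demo() {
  d=$(mktemp -d)
  cat > "$d/suricata.yaml.bak" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
EOF
  cat > "$d/suricata.yaml" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
EOF
  vars_migrated "$d/suricata.yaml.bak" "$d/suricata.yaml" \
    && echo "HOME_NET/EXTERNAL_NET migrated" || echo "MISMATCH: check suricata.yaml"
  version_ok "This is Suricata version 5.0.6 RELEASE" "5.0.6" && echo "version ok"
  rm -rf "$d"
}
```

Run `demo` to exercise the constructed sample; the "MISMATCH" branch is the case where the migration dropped or changed a variable and the yaml needs manual review.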

@cm-ops

cm-ops commented Mar 4, 2021

Testing guidelines were followed and the following verified: suricata.yaml backed up, HOME_NET and EXTERNAL_NET variables migrated, notification to run sudo rule-update was seen, and new version number verified.

  • sudo rule-update: no issues
  • PF_RING vs AF_PACKET: no issues
  • Single worker vs multiple workers: no issues
  • sostat: no issues
  • Log files: no issues
  • Reboot: no issues
  • Re-run setup: no issues

@dougburks
Contributor Author

Thanks @cm-ops !

16.04.7.3 automation moved this from In progress to Done Mar 4, 2021