Hi All,
On 03/06/2025 21:00, Adolf Belka wrote:
Hi everyone,
So I have good news and bad news.
The good news is that, apart from minor adjustment of the patch to disable
sid-2210059, suricata-8.0.0-beta1 built without any issues.
I then installed the ISO I had built with it and the IPS started up and worked
as expected, so also good news.
Suricata-8 has some new capabilities, such as Landlock being enabled by default
now, Suricata being usable via sockets, and encrypted traffic bypass having been
decoupled from the stream.bypass setting.
These may or may not require or benefit from modifications in how Suricata is
used in IPFire. I am not knowledgeable enough currently to judge that.
The bad news is that the syslog output is deprecated in Suricata-8 and will be
removed in Suricata-9.
It will still work in Suricata-8 but we will need to figure out how to change
how we log some things before we move to Suricata-9 but at least we have some
time, so better to find this out now.
libhtp is no longer being used by Suricata. They have replaced it with a Rust
version. So libhtp should be able to be removed.
I will test this out.
I built suricata-8.0.0-beta1 with libhtp removed from the build and it
completed without any issues. I installed the IPFire created with that build
and the IPS worked without any issues. So libhtp can be removed when suricata-8
is installed.
I tried ./make.sh find-dependencies on libhtp.so.2 and libhtp.so.2.0.0, but with
both Suricata 8 and the existing Suricata 7 version the command showed no
dependencies on libhtp. I would have expected it to be shown as a dependency
for suricata.
We have a libhtp section in the suricata.yaml file.
I tested out doing the suricata-7.0.10 build with libhtp removed and it stopped
and complained about the missing libhtp.
I then added libhtp back in and reran the build and then did the
find-dependencies and this time it flagged up suricata. So yesterday I must
have made some error when doing the find-dependencies.
So everything is clear. Suricata-7 requires libhtp, but Suricata-8 will not, as
it has been replaced by a Rust equivalent.
Regards,
Adolf.
Regards,
Adolf.
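The thread above turns on one question: does the suricata binary still carry a link-time dependency on libhtp.so.2? The `./make.sh find-dependencies` result was confusing at first, so here is an independent way to answer it. The following is an added example written for this page, not IPFire's or Suricata's own code: it reads the DT_NEEDED entries straight out of an ELF64 file's dynamic section, which is exactly what `readelf -d <binary> | grep NEEDED` reports. Because it has to run offline, it also builds a small constructed ELF image in memory (not a real binary) so the parser can be exercised; the library names in it are sample values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB = 3     # section holding NUL-terminated strings
SHT_DYNAMIC = 6    # the .dynamic section
DT_NULL = 0        # end of the dynamic array
DT_NEEDED = 1      # "this binary needs shared library <dynstr offset>"


def elf_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED shared-library names of an ELF64 little-endian image.

    Only ELF64/LE (the common x86_64 and aarch64 case) is handled; anything else
    raises so a caller never mistakes 'unsupported' for 'no dependencies'.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr: e_shoff at 0x28, e_shentsize at 0x3A, e_shnum at 0x3C
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name type flags addr offset size link info addralign entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]            # sh_link points at .dynstr
        if strtab[1] != SHT_STRTAB:
            raise ValueError("dynamic section does not link to a string table")
        str_off = strtab[4]
        dyn_off, dyn_size = sh[4], sh[5]
        for pos in range(dyn_off, dyn_off + dyn_size, 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                end = data.index(b"\x00", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return needed


def depends_on(data: bytes, soname: str) -> bool:
    """True if the image lists `soname` (e.g. 'libhtp.so.2') as a DT_NEEDED entry."""
    return soname in elf_needed(data)


def needed_from_file(path: str) -> list[str]:
    with open(path, "rb") as f:
        return elf_needed(f.read())


def build_sample_elf(libs: list[str]) -> bytes:
    """Construct a minimal ELF64 image whose only content is .dynstr + .dynamic.

    This is test scaffolding, not a loadable binary: it exists so the parser
    above can be run without a real suricata build at hand.
    """
    dynstr = b"\x00"
    offsets = []
    for lib in libs:
        offsets.append(len(dynstr))
        dynstr += lib.encode() + b"\x00"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64                                   # right after the ELF header
    dynamic_off = dynstr_off + len(dynstr)
    dynamic_off += (-dynamic_off) % 8                 # 8-byte align .dynamic
    shoff = dynamic_off + len(dynamic)
    shoff += (-shoff) % 8                             # 8-byte align section headers

    def shdr(typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)                                        # mandatory null entry
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)          # index 1: .dynstr
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))     # index 2: .dynamic
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7           # ELF64, LE, v1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    img = ehdr + dynstr
    img += b"\x00" * (dynamic_off - len(img)) + dynamic
    img += b"\x00" * (shoff - len(img)) + shdrs
    return img


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "NEEDED:", ", ".join(needed_from_file(path)) or "(none)")
```

Run it as `python3 elfneeded.py /usr/bin/suricata` (path assumed) on both builds: the Suricata 7 binary should list libhtp.so.2 and the Suricata 8 binary should not. One caveat when reading the result: DT_NEEDED only captures link-time dependencies, so a library a program loads at runtime with dlopen() would not appear here, and a build-system dependency scanner that works the same way will miss it for the same reason.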
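On the syslog point: what the thread leaves open is how alerts reach syslog once that output is gone. The usual route, and the assumption behind this added example (written for this page, not IPFire's or Suricata's code), is to keep Suricata writing its EVE JSON log to a file and have a small forwarder turn alert events into one-line messages for the local syslog daemon. The EVE records below are constructed samples, including a deliberately non-JSON line of the kind a reader sees when it catches the file mid-write; the signature id and addresses are invented.

```python
import json
import logging
import logging.handlers

# Constructed sample EVE lines (not real traffic); field names follow Suricata's EVE JSON schema.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-06-03T21:00:00.000000+0200","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":51515,"dest_ip":"198.51.100.5","dest_port":80,'
    '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"CONSTRUCTED example signature","category":"Example","severity":2}}',
    '{"timestamp":"2025-06-03T21:00:01.000000+0200","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}',
    'this line is not json',
]


def endpoint(ev: dict, ip_key: str, port_key: str) -> str:
    """ip:port when a port is present, bare ip otherwise (ICMP alerts carry no ports)."""
    ip = ev.get(ip_key, "?")
    return f"{ip}:{ev[port_key]}" if port_key in ev else ip


def format_alert(ev: dict) -> str:
    """Render one EVE alert event in a fast-log style single line."""
    a = ev["alert"]
    return (f'{ev.get("timestamp", "")} [**] [{a.get("gid", 1)}:{a["signature_id"]}:{a.get("rev", 0)}] '
            f'{a.get("signature", "")} [**] [Classification: {a.get("category", "")}] '
            f'[Priority: {a.get("severity", "")}] {{{ev.get("proto", "")}}} '
            f'{endpoint(ev, "src_ip", "src_port")} -> {endpoint(ev, "dest_ip", "dest_port")}')


def eve_alerts_to_lines(raw_lines) -> list[str]:
    """Keep only event_type == 'alert' records; skip anything that does not parse as JSON."""
    out = []
    for raw in raw_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue    # partial line (file read mid-write) or junk: drop it, do not crash
        if ev.get("event_type") != "alert":
            continue
        out.append(format_alert(ev))
    return out


def forward_to_syslog(lines, address=("127.0.0.1", 514)) -> int:
    """Send each line to syslog (UDP host/port tuple, or a socket path such as '/dev/log')."""
    handler = logging.handlers.SysLogHandler(
        address=address, facility=logging.handlers.SysLogHandler.LOG_LOCAL0)
    handler.setFormatter(logging.Formatter("suricata: %(message)s"))
    logger = logging.getLogger("eve2syslog")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        for line in lines:
            logger.info(line)
    finally:
        logger.removeHandler(handler)
        handler.close()
    return len(lines)


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 eve2syslog.py /var/log/suricata/eve.json  (path is an assumption)
    with open(sys.argv[1]) as f:
        sent = forward_to_syslog(eve_alerts_to_lines(f), address="/dev/log")
    print(f"forwarded {sent} alert(s)")
```

The forwarder is deliberately tolerant of unparsable lines: EVE files are appended while being read, and a reader that raises on a half-written record will stop forwarding exactly when traffic is busiest. For a long-running deployment the same functions would sit behind a tail-style loop that remembers its file offset.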