pfSense-pkg-suricata upgrade destroys default suricata rules
Issue: Upgrade of pfSense-pkg-suricata removes the default suricata events rules installed by the base suricata package (e.g. suricata-4.1.4_1). The issue occurs as of version 4.1.4_3.
Expected behavior: default suricata rules are not removed during pfSense package upgrade.
Workaround: from CLI, force reinstallation of suricata base package using "pkg install -f suricata". From Suricata updates menu, force rule update.
#2 Updated by Bill Meeks about 1 year ago
The fix for this issue has been posted in this pull request: https://github.com/pfsense/FreeBSD-ports/pull/651.
This issue is RESOLVED in package version Suricata-4.1.4_4. Note that even when installing the updated package, you can still get your events rules files clobbered by the older PHP file from the earlier package version. The package uses an "uninstall" hook with the pfSense pkg utility to clean up after itself. That cleanup code is called both on package deletion and package reinstallation from the PACKAGE MANAGER code in pfSense. The cleanup code cannot tell which mode the user chose (Delete or Reinstall), so it was defaulting to cleaning up everything (as in Delete). The new code in the 4.1.4_4 package is more selective about what it cleans up, but when you upgrade from 4.1.4_3 or any earlier version, that old cleanup code in that version will still be executed BEFORE the new 4.1.4_4 code is installed. So you still lose the files just on this upgrade. With future upgrades, the issue should not recur.
To restore the missing events rules files, first delete the Suricata package from Package Manager > Installed Packages and then install it again from the Available Packages tab.
Please mark this issue as RESOLVED.
#4 Updated by Bill Meeks about 1 year ago
John Silva wrote:
> Confirmed that the rules are clobbered as expected when upgrading to 4.1.4_4. Thanks for the quick fix, Bill!
Yeah, sorry about that. But there was no way to avoid it deleting them one more time since the old uninstall script gets called before the new one is pulled down. However, it should not happen anymore. If it recurs, post back either here or on the Netgate forum in the IDS/IPS area.
The new version of the code selectively deletes the user-downloaded rules and MD5 checksum files from the system so that a new copy of rules such as Emerging Threats and Snort Subscriber are always downloaded. However, it no longer removes all of the rules as it formerly did. The *-events.rules files are provided by the binary package and not the GUI package, so the new GUI uninstall code leaves those rules files alone now.
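As an added illustration (not pfSense's or the suricata package's own uninstall code), here is a POSIX sh sketch of the selective cleanup described above: it removes downloaded rule sets and their MD5 files so they are re-fetched, but leaves the *-events.rules files the binary package ships; all file names and the temporary directory are constructed. The count function gives an operator a simple before/after check for the clobbering this issue describes.

```shell
#!/bin/sh
# Constructed illustration, not pfSense's own uninstall hook: a cleanup that
# removes the GUI package's downloaded rule sets and checksum files but keeps
# the *-events.rules files shipped by the base suricata binary package.

# Build a throwaway rules directory with constructed file names.
make_sample_rules_dir() {
    dir=$(mktemp -d)
    # files shipped by the binary package (must survive cleanup)
    for f in decoder-events stream-events http-events dns-events; do
        printf 'alert ip any any -> any any (msg:"%s"; sid:1;)\n' "$f" > "$dir/$f.rules"
    done
    # files downloaded by the GUI package (removed so a fresh copy is fetched)
    : > "$dir/emerging-all.rules"
    : > "$dir/snort-subscriber.rules"
    : > "$dir/emerging.rules.tar.gz.md5"
    echo "$dir"
}

# Delete downloaded *.rules and *.md5 files; skip anything ending in
# -events.rules, which the binary package owns.
selective_cleanup() {
    for f in "$1"/*.rules "$1"/*.md5; do
        [ -e "$f" ] || continue
        case "$f" in
            *-events.rules) ;;   # owned by the binary package: keep
            *) rm -f "$f" ;;
        esac
    done
}

# Count *-events.rules files; run before and after an upgrade, a drop to 0
# is the symptom this issue describes.
count_events_rules() {
    n=0
    for f in "$1"/*-events.rules; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Count the downloaded artefacts that the cleanup is supposed to remove.
count_downloaded() {
    n=0
    for f in "$1"/*.rules "$1"/*.md5; do
        [ -e "$f" ] || continue
        case "$f" in *-events.rules) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}
```

On a real box you would point the functions at the Suricata rules directory instead of the sample directory, running count_events_rules before and after a package upgrade.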