    Suricata - 2.1.9.1_3

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    11 Posts 5 Posters 3.1k Views
    • Raul Ramos

      Hi

      Let's start.

      I can't clear alert logs or add a SID to the Suppress list. Tested in Chrome (incognito) and Safari.

      pfSense:
      ASRock -> Wolfdale1333-D667 (2GB TeamElite RAM)
      Marvell 88SA8040 SATA to CF (SanDisk 4GB) Controller
      NICs: RTL8100E (internal) and Intel® PRO/1000 PT Dual (Intel 82571GB)

      • Steve_B (Netgate)

        Thanks. A ticket has been opened.

        If I can

        • bmeeks

          I will be in a position to help troubleshoot Suricata in the near future.  A big thank-you to Steve B and Jared for converting that package while I worked on Snort.  In their defense, Suricata has a complicated GUI and converting to Bootstrap was not an easy chore.  There are probably some rough spots in the package now, but we can fix them up.  I have learned quite a bit of late converting Snort, and as we know, the two packages share lots of GUI code.

          I should finish Snort in the next couple of days.  I have one more file to convert, then it's time to package it in the new pkg-ng format and submit the PR.

          Bill

          • brianc69

            Is there an advantage to one over the other? From my limited experience and understanding of them they both appear to do the same thing.

            • bmeeks

              @brianc69:

              Is there an advantage to one over the other? From my limited experience and understanding of them they both appear to do the same thing.

              No, not really unless you have an environment with 10 Gigabit/sec speeds (or sustained, maxed-out 1 Gig circuits).  On heavily loaded links, Suricata has a slight advantage today due to its multithreaded engine.  Snort is still single-threaded, but will be multithreaded in the 3.0 version.

              Suricata can log more types of information about packets, flows, etc., but Snort has the potentially quite useful Open Application ID feature.  So it is really more of a personal preference thing as to which is better.

              Bill

              • brianc69

                Can you share some tips for operations? Should all rules be enabled or just certain ones? I removed it yesterday as I found it was stopping my ability to connect to my Plex server while remote. I'm not sure which rule stopped it. The activity log is VERY full. Seems to log something every minute or so. Even with just a half dozen things active I can't hit my Plex server. None of those rules are what I consider anything related.

                • maverick_slo

                  Just a quick question…
                  Snort always downloads the latest rules; how do we achieve this with Suricata? Do you have to specify the file name of the ruleset to use there?
                  I'm familiar with Snort but not with Suricata :)

                  • Raul Ramos

                    @brianc69:

                    Can you share some tips for operations? Should all rules be enabled or just certain ones? I removed it yesterday as I found it was stopping my ability to connect to my Plex server while remote. I'm not sure which rule stopped it. The activity log is VERY full. Seems to log something every minute or so. Even with just a half dozen things active I can't hit my Plex server. None of those rules are what I consider anything related.

                    Something like this? https://forum.pfsense.org/index.php?topic=78062.0


                    • bmeeks

                      @maverick_slo:

                      Just a quick question…
                      Snort always downloads the latest rules; how do we achieve this with Suricata? Do you have to specify the file name of the ruleset to use there?
                      I'm familiar with Snort but not with Suricata :)

                      The rules for Snort are linked to the version of the binary.  You can't run older rules with a newer binary (or vice-versa).  It will print a version error and refuse to start.  The rules are named for the Snort binary version they are designed for.  The Snort package on pfSense uses a shell script trick to have the loaded binary print out its version information into a string.  This version number is then used to construct the download URL for the rules.  Hence you always get the proper rules for the loaded/installed Snort binary version.

                      Suricata has a completely different binary versioning scheme that in no way matches up with Snort.  Also, the two binaries get updates at different times.  So there is no way for Suricata to intrinsically "know" what the most current Snort rule set should be.  So instead, in the Suricata package, I provided a field where the user could specify the Snort VRT rules version they want to use.  That's really the only option.

                      Bill

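As an added illustration of the mechanism Bill describes (this is example code, not the pfSense Snort package's own script): read the version string the Snort binary prints, strip the dots, and derive the rules tarball name, then check that a given tarball actually matches the loaded binary. The `snortrules-snapshot-<version>.tar.gz` naming and the `Version x.y.z.w` banner line are assumptions based on the public Snort VRT downloads, and the banner text below is constructed.

```shell
#!/bin/sh
# Constructed sample of the banner `snort -V` prints (assumption: the real
# output contains a line of the form "Version 2.9.8.0 GRE (Build 229)").
SAMPLE_SNORT_V='
   -*> Snort! <*-
   Version 2.9.8.0 GRE (Build 229)
   By Martin Roesch & The Snort Team
'

# Pull the dotted version (e.g. 2.9.8.0) out of the banner text.
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# VRT tarballs are tagged with the dots removed: 2.9.8.0 -> 2980 (assumption).
rules_tag_from_version() {
    printf '%s' "$1" | tr -d '.'
}

# Build the tarball name the download URL would end with.
snort_rules_filename() {
    tag=$(rules_tag_from_version "$1")
    [ -n "$tag" ] || return 1
    printf 'snortrules-snapshot-%s.tar.gz\n' "$tag"
}

# Succeed only when the tarball's tag equals the binary's version tag; a
# mismatch is what makes Snort print a version error and refuse to start.
rules_match_binary() {
    want=$(rules_tag_from_version "$2")
    have=$(printf '%s\n' "$1" | sed -n 's/^snortrules-snapshot-\([0-9]*\)\.tar\.gz$/\1/p')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Stand-alone demonstration on the constructed banner (in real use you would
# feed it the output of `snort -V 2>&1`).
ver=$(snort_version_from_banner "$SAMPLE_SNORT_V")
echo "binary version: $ver"
echo "rules tarball:  $(snort_rules_filename "$ver")"
```

Suricata, as the post says, has no such link between its own binary version and the Snort rule tarball, which is why the package asks the user for the VRT rules version instead of deriving it.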
                      • brianc69

                        Thank you for that?

                        • maverick_slo

                          @bmeeks:

                          @maverick_slo:

                          Just a quick question…
                          Snort always downloads the latest rules; how do we achieve this with Suricata? Do you have to specify the file name of the ruleset to use there?
                          I'm familiar with Snort but not with Suricata :)

                          The rules for Snort are linked to the version of the binary.  You can't run older rules with a newer binary (or vice-versa).  It will print a version error and refuse to start.  The rules are named for the Snort binary version they are designed for.  The Snort package on pfSense uses a shell script trick to have the loaded binary print out its version information into a string.  This version number is then used to construct the download URL for the rules.  Hence you always get the proper rules for the loaded/installed Snort binary version.

                          Suricata has a completely different binary versioning scheme that in no way matches up with Snort.  Also, the two binaries get updates at different times.  So there is no way for Suricata to intrinsically "know" what the most current Snort rule set should be.  So instead, in the Suricata package, I provided a field where the user could specify the Snort VRT rules version they want to use.  That's really the only option.

                          Bill

                          Thanks Bill.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.