Suricata - 2.1.9.1_3

Raul Ramos

Hi

Lets start.

I can't Clear Alert logs or add a SID to Suppress list. Tested in Chrome (incognito) and safari.

Steve_B

Thanks. A ticket has been opened.

bmeeks

I will be in a position to help troubleshoot Suricata in the near future.  A big thank-you to Steve B and Jared for converting that package while I worked on Snort.  In their defense, Suricata has a complicated GUI and converting to Bootstrap was not an easy chore.  There are probably some rough spots in the package now, but we can fix them up.  I have learned quite a bit of late converting Snort, and as we know, the two packages share lots of GUI code.

I should finish Snort in the next couple of days.  I have one more file to convert, then it's time to package it in the new pkg-ng format and submit the PR.

Bill

brianc69

Is there an advantage to one over the other? From my limited experience and understanding of them they both appear to do the same thing.

bmeeks

@brianc69:

Is there an advantage to one over the other? From my limited experience and understanding of them they both appear to do the same thing.

No, not really unless you have an environment with 10 Gigabit/sec speeds (or sustained, maxed-out 1 Gig circuits).  On heavily loaded links, Suricata has a slight advantage today due to its multithreaded engine.  Snort is still single-threaded, but will be multithread in the 3.0 version.

Suricata can log more types of information about packets, flows, etc., but Snort has the potentially quite useful Open Application ID feature.  So it is really more of a personal preference thing as to which is better.

Bill

brianc69

Can you share some tips for operations? Should all rules be enabled or just certain ones? I removed it yesterday as I found it was stopping my ability to connect to my plex server while remote. I'm not sure which rule stopped it. The activity log is VERY full. Seems to log something every minute or so. Even with just a half dozen things active I can't hit my plex server. None of those rules are what I consider anything related.

maverick_slo

Just a quick question…
Snort always downloads latest rules, how do we achieve this with Suricata? You have to specify file name of ruleset what to use there?
I'm familiar with snort but not with suricata :)

Raul Ramos

@brianc69:

Can you share some tips for operations? Should all rules be enabled or just certain ones? I removed it yesterday as I found it was stopping my ability to connect to my plex server while remote. I'm not sure which rule stopped it. The activity log is VERY full. Seems to log something every minute or so. Even with just a half dozen things active I can't hit my plex server. None of those rules are what I consider anything related.

Something like this? https://forum.pfsense.org/index.php?topic=78062.0

bmeeks

@maverick_slo:

Just a quick question…
Snort always downloads latest rules, how do we achieve this with Suricata? You have to specify file name of ruleset what to use there?
I'm familiar with snort but not with suricata :)

The rules for Snort are linked to the version of the binary.  You can't run older rules with a newer binary (or vice-versa).  It will print a version error and refuse to start.  The rules are named for the Snort binary version they are designed for.  The Snort package on pfSense uses a shell script trick to have the loaded binary print out its version information into a string.  This version number is then used to construct the download URL for the rules.  Hence you always get the proper rules for the loaded/installed Snort binary version.

Suricata has a completely different binary versioning scheme that in no way matches up with Snort.  Also, the two binaries get updates at different times.  So there is no way for Suricata to intrinsically "know" what the most current Snort rule set should be.  So instead, in the Suricata package, I provided a field where the user could specify the Snort VRT rules version they want to use.  That's really the only option.

Bill

brianc69

Thank you for that?

maverick_slo

@bmeeks:

@maverick_slo:

Just a quick question…
Snort always downloads latest rules, how do we achieve this with Suricata? You have to specify file name of ruleset what to use there?
I'm familiar with snort but not with suricata :)

The rules for Snort are linked to the version of the binary.  You can't run older rules with a newer binary (or vice-versa).  It will print a version error and refuse to start.  The rules are named for the Snort binary version they are designed for.  The Snort package on pfSense uses a shell script trick to have the loaded binary print out its version information into a string.  This version number is then used to construct the download URL for the rules.  Hence you always get the proper rules for the loaded/installed Snort binary version.

Suricata has a completely different binary versioning scheme that in no way matches up with Snort.  Also, the two binaries get updates at different times.  So there is no way for Suricata to intrinsically "know" what the most current Snort rule set should be.  So instead, in the Suricata package, I provided a field where the user could specify the Snort VRT rules version they want to use.  That's really the only option.

Bill

Thanks Bill.