Does this startup log look ok? Lots of errors



  • Hey guys,
    So I just set up a new pfSense box and installed Suricata.

    When looking at the startup logs I see this and wonder if I need to worry:
    https://pastebin.com/0cNqJYtw

    Does this look ok?



  • You are apparently using the Snort VRT rules or Snort Community GPLv2 rules with Suricata. Many of those rules contain keywords that only Snort understands. Suricata is ignoring those rules which it fails to recognize and not loading them. The error message is informational.

    Whether this is a problem or not for your environment depends on the vulnerabilities on your network versus the threats those rules defend against.

    The Emerging Threats rule set is specifically designed for Suricata while the Snort VRT rule set is not. However, the paid version of Emerging Threats rules with more recent threat detection is very expensive compared to the personal subscription for the Snort VRT rules. If you really want to use the Snort VRT rules, then you should probably ditch Suricata and switch to Snort.



  • Ah cool that makes sense!
    Thanks



  • And one is not necessarily any better than the other (Suricata versus Snort) in terms of security. They are really equals in most every way. Snort has OpenAppID which Suricata lacks, but Suricata offers lots of EVE logging options which Snort lacks.

    And I did not make it clear in my earlier post about the Emerging Threats rules. There are two sets of rules within each category (the free ones and the paid ones). One set is optimized for Snort, and the other set is optimized for Suricata. Suricata on pfSense is internally configured to always download the Suricata-optimized Emerging Threats rules while Snort on pfSense will always download the Snort-optimized Emerging Threats rules.
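    Added example (not from this thread, pfSense or the Suricata project): a small Python script that summarizes which rules Suricata dropped at startup, so you can check whether the skipped signatures cover anything you care about rather than trusting the error count. The sample lines are constructed to resemble Suricata 4.x "unknown rule keyword" / "error parsing signature" messages, and the rule path is a placeholder; both are assumptions to check against your own suricata.log.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Suricata 4.x startup output (assumed format;
# compare against your own suricata.log). The rules path is a placeholder.
SAMPLE_LOG_LINES = [
    "28/1/2019 -- 11:12:00 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd'.",
    '28/1/2019 -- 11:12:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SNORT-ONLY sd test"; sd:credit_card,relative; sid:1000001; rev:1;)" from file /usr/local/etc/suricata/suricata_PLACEHOLDER/rules/suricata.rules at line 10',
    "28/1/2019 -- 11:12:00 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'appid'.",
    '28/1/2019 -- 11:12:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"SNORT-ONLY appid test"; appid:ssh; sid:1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_PLACEHOLDER/rules/suricata.rules at line 11',
    "28/1/2019 -- 11:12:01 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.",
]

KEYWORD_RE = re.compile(r"unknown rule keyword '([^']+)'")
SIG_RE = re.compile(r'error parsing signature "(.*)" from file (\S+) at line (\d+)')
SID_RE = re.compile(r"\bsid:\s*(\d+)")
MSG_RE = re.compile(r'msg:"([^"]*)"')


def summarize_skipped_rules(lines):
    """Pair each 'unknown rule keyword' error with the signature error that follows
    it and return the dropped rules grouped by keyword and by rule file."""
    skipped = []
    pending_keyword = None
    for line in lines:
        kw = KEYWORD_RE.search(line)
        if kw:
            pending_keyword = kw.group(1)  # logged just before the rule it broke
            continue
        sig = SIG_RE.search(line)
        if not sig:
            continue  # notices, info lines, unrelated errors
        rule, path, lineno = sig.groups()
        sid, msg = SID_RE.search(rule), MSG_RE.search(rule)
        skipped.append({
            "sid": sid.group(1) if sid else None,
            "msg": msg.group(1) if msg else None,
            "file": path,
            "line": int(lineno),
            "keyword": pending_keyword,  # None if no keyword error preceded it
        })
        pending_keyword = None
    return {
        "total_skipped": len(skipped),
        "by_keyword": Counter(r["keyword"] for r in skipped),
        "by_file": Counter(r["file"] for r in skipped),
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize_skipped_rules(SAMPLE_LOG_LINES)
    print(f"{report['total_skipped']} rules skipped")
    for kw, n in report["by_keyword"].most_common():
        print(f"  unsupported keyword {kw!r}: {n} rule(s)")
    for r in report["skipped"]:
        print(f"  sid {r['sid']} {r['msg']!r} ({r['file']}:{r['line']})")
```

    To run it against a real startup log, pass the open file object instead of `SAMPLE_LOG_LINES`; the sid and msg of each dropped rule tell you which detections you actually lost.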

