Netgate Discussion Forum

    Does this startup log look ok? Lots of errors

    Category: IDS/IPS
    4 Posts, 2 Posters, 202 Views
    • N0_Klu3

      Hey guys,
      So I just setup a new pfSense box and installed Suricata.

      When looking at the startup logs I see this and wonder if I need to worry:
      https://pastebin.com/0cNqJYtw

      Does this look ok?

      • bmeeks (last edited by bmeeks)

        You are apparently using the Snort VRT rules or Snort Community GPLv2 rules with Suricata. Many of those rules contain keywords that only Snort understands. Suricata is ignoring those rules which it fails to recognize and not loading them. The error message is informational.

        Whether this is a problem or not for your environment depends on the vulnerabilities on your network versus the threats those rules defend against.

        The Emerging Threats rule set is specifically designed for Suricata while the Snort VRT rule set is not. However, the paid version of Emerging Threats rules with more recent threat detection is very expensive compared to the personal subscription for the Snort VRT rules. If you really want to use the Snort VRT rules, then you should probably ditch Suricata and switch to Snort.

        • N0_Klu3
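        As an added example (not from this thread or from the pfSense Suricata package), a small Python script that parses Suricata's startup log for the rule-loading errors described above and reports how many rules were dropped per rule file and which Snort-only keywords caused it. The log line layout, the rule file paths and the sample keywords are constructed assumptions modelled on suricata.log output, not the poster's pastebin.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Suricata startup output (layout, paths and keywords are
# assumptions modelled on suricata.log; they are not the poster's actual log).
SAMPLE_LOG = """\
1/1/2025 -- 10:00:01 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'sd_pattern'.
1/1/2025 -- 10:00:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"Constructed SD test"; sd_pattern:credit_card; sid:1000001; rev:1;)" from file /usr/local/etc/suricata/suricata_1_em0/rules/snort.rules at line 12
1/1/2025 -- 10:00:01 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'sd_pattern'.
1/1/2025 -- 10:00:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"Constructed SD test 2"; sd_pattern:us_social; sid:1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_1_em0/rules/snort.rules at line 40
1/1/2025 -- 10:00:02 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'cvs'.
1/1/2025 -- 10:00:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 2401 (msg:"Constructed CVS test"; cvs:invalid-entry; sid:1000003; rev:1;)" from file /usr/local/etc/suricata/suricata_1_em0/rules/community.rules at line 7
1/1/2025 -- 10:00:05 - <Info> - 1 rule files processed. 30000 rules successfully loaded, 3 rules failed
"""

KEYWORD_RE = re.compile(r"unknown rule keyword '([^']+)'")
SIG_RE = re.compile(r'error parsing signature ".*" from file (\S+) at line (\d+)')
SUMMARY_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")


def summarize_rule_load_errors(log_text):
    """Return which rule files lost rules, which keywords caused it, and the loader totals.

    Suricata logs the unknown keyword first and the rejected signature on the next
    error line, so the pending keyword is attributed to the signature that follows it.
    """
    failed_per_file = Counter()
    keywords = Counter()
    failed_lines = defaultdict(list)  # file -> [(line number, keyword)]
    pending_keyword = None
    loaded = failed = None
    for line in log_text.splitlines():
        m = KEYWORD_RE.search(line)
        if m:
            pending_keyword = m.group(1)
            keywords[pending_keyword] += 1
            continue
        m = SIG_RE.search(line)
        if m:
            path, lineno = m.group(1), int(m.group(2))
            failed_per_file[path] += 1
            failed_lines[path].append((lineno, pending_keyword or "unknown"))
            pending_keyword = None
            continue
        m = SUMMARY_RE.search(line)
        if m:
            loaded, failed = int(m.group(1)), int(m.group(2))
    return {"failed_per_file": dict(failed_per_file), "keywords": dict(keywords),
            "failed_lines": dict(failed_lines), "loaded": loaded, "failed": failed}


if __name__ == "__main__":
    report = summarize_rule_load_errors(SAMPLE_LOG)
    print(f"{report['loaded']} rules loaded, {report['failed']} rejected")
    for path, count in report["failed_per_file"].items():
        print(f"  {count} rejected in {path}: {report['failed_lines'][path]}")
    print("  unsupported keywords:", report["keywords"])
```

        If the per-file counts add up to the loader's "rules failed" total, the errors are just the Snort-only keywords being skipped; a mismatch means some rules were rejected for another reason and deserve a closer look.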

          Ah cool that makes sense!
          Thanks

          • bmeeks (last edited by bmeeks)

            And one is not necessarily any better than the other (Suricata versus Snort) in terms of security. They are really equals in most every way. Snort has OpenAppID which Suricata lacks, but Suricata offers lots of EVE logging options which Snort lacks.

            And I did not make it clear in my earlier post about the Emerging Threats rules. There are two sets of rules within each category (the free ones and the paid ones). One set is optimized for Snort, and the other set is optimized for Suricata. Suricata on pfSense is internally configured to always download the Suricata-optimized Emerging Threats rules while Snort on pfSense will always download the Snort-optimized Emerging Threats rules.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.