Suricata Error Codes
-
Hi! Bmeeks!
I'm getting a lot of "[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]". What does it mean? Does it affect the effectivity of Suricata?
Are you also the developer of Snort Package?
-
@MagikMark said in Suricata Error Codes:
I'm getting a lot of "[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]". What does it mean? Does it affect the effectivity of Suricata?
This is most likely from a Snort VRT rule. Snort is not Suricata. The two systems recognize some different syntax in rules. While Snort rules are for the most part compatible with Suricata, there are several that are not. If you enable every single Snort rule on Suricata, somewhere around 700 or so (at my last count) will generate these errors due to incompatible rule syntax. Any Snort rule triggering an error will be discarded and not loaded into Suricata's memory space. So, you can safely ignore the message and just recognize that not all Snort rules work in Suricata.
The error in suricata.log should give you the specific piece of rule syntax it does not like along with the line number in the suricata.rules file generated for the interface where the offending rule can be found.
@MagikMark said in Suricata Error Codes:
Are you also the developer of Snort Package?
I am the pfSense Snort package maintainer. I am not the original developer (creator), but I have been maintaining it for many, many years now. I am responsible for adding many of the current features into the package.
I am both the developer and maintainer of the Suricata package on pfSense.
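
An added example, not part of the original post or the pfSense package: a small Python script that lists the rules Suricata discarded, pairing each SC_ERR_INVALID_SIGNATURE entry in suricata.log with the rule's sid, its line number in suricata.rules, and the syntax complaint logged just before it. The log line layout in the regexes, the sample lines, and the `/path/to/suricata.rules` placeholder are assumptions constructed for illustration; check them against your own log.

```python
import re

# Assumed layout of the error lines Suricata writes for a rejected rule;
# verify against your own suricata.log before relying on it.
INVALID_SIG = re.compile(
    r'\[ERRCODE: SC_ERR_INVALID_SIGNATURE\(39\)\] - error parsing signature '
    r'"(?P<rule>.*)" from file (?P<path>\S+) at line (?P<line>\d+)'
)
ANY_ERROR = re.compile(r'\[ERRCODE: \w+\(\d+\)\] - (?P<msg>.*)')
SID = re.compile(r'\bsid\s*:\s*(\d+)')

# Constructed sample lines (not from a real sensor); the path is a placeholder.
SAMPLE_LOG = '''\
1/1/2024 -- 10:00:01 - <Notice> - constructed filler line
1/1/2024 -- 10:00:02 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_method'.
1/1/2024 -- 10:00:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp any any -> any 5060 (msg:"constructed example A"; sip_method:invite; sid:1000001; rev:1;)" from file /path/to/suricata.rules at line 120
1/1/2024 -- 10:00:03 - <Notice> - constructed filler line
1/1/2024 -- 10:00:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"constructed example B"; sid:1000002; rev:1;)" from file /path/to/suricata.rules at line 457
'''

def rejected_rules(log_lines):
    """Return one dict per discarded rule found in the log lines."""
    results, last_reason = [], None
    for raw in log_lines:
        line = raw.rstrip("\n")
        m = INVALID_SIG.search(line)
        if m:
            sid = SID.search(m.group("rule"))
            results.append({
                "sid": int(sid.group(1)) if sid else None,
                "file": m.group("path"),
                "line": int(m.group("line")),
                # Syntax complaint from the error line directly above, if any.
                "reason": last_reason,
            })
            last_reason = None
            continue
        e = ANY_ERROR.search(line)
        last_reason = e.group("msg") if e else None
    return results

if __name__ == "__main__":
    for r in rejected_rules(SAMPLE_LOG.splitlines()):
        print(f"sid {r['sid']} at {r['file']}:{r['line']} -> "
              f"{r['reason'] or 'no reason logged'}")
```

To run it against a real sensor, pass an open file handle for that interface's suricata.log to `rejected_rules` in place of the sample.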
-
Awesome! A developer that interacts with the users. Very nice!
I noticed when I was testing the Snort package, it could only run up to 250Mbps, while Suricata, when configured for performance, could fully saturate my speed up to 700Mbps. Is there something I missed out in Snort? I can't see any performance tweak in its settings.
I'm using the same rules and configuration
-
@MagikMark said in Suricata Error Codes:
Awesome! A developer that interacts with the users. Very nice!
I noticed when I was testing the Snort package, it could only run up to 250Mbps, while Suricata, when configured for performance, could fully saturate my speed up to 700Mbps. Is there something I missed out in Snort? I can't see any performance tweak in its settings.
Snort on pfSense is the 2.9.x binary version which is single-threaded. Suricata is a multithreaded binary application and thus capable of much higher throughput.
-
Thank you! This explains it.