Suricata Q's & an error message



  • Don't know where to post this, but running 2.2 Beta with Snort and Suricata.

    First Q.

    Is it OK to run Snort and Suricata side by side on the same machine?
    I've experimented with both installed and running, with the Snort interfaces disabled, but can't seem to get any alerts or blocks from Suricata. I have not uninstalled Snort yet.

    I'm getting lots of these error messages in the system log, FWIW.
    suricata[59742]: 24/11/2014 -- 22:54:01 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    When I see "unimplemented", I wonder how far along Suricata is, but also, where does it fit with Snort?
    Is Snort still superior to Suricata, or vice versa? It's just that Snort has a few rules/options available which suggests more control with Snort, but I could be wrong.

    TIA



  • @firewalluser:

    You must be running PPPoE on your WAN.  Suricata does not support PPPoE connections on FreeBSD.  Snort does.  The limitation is within the Suricata binary itself and not something caused by the GUI package on pfSense.  If you must use PPPoE, then use Snort instead of Suricata (or else don't try to run Suricata on the PPPoE interface).

    As for which is better or more mature, that's sure to bring out fanboys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them).

    Bill
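    An added example, not code from this thread nor from the Suricata or pfSense projects, that turns the reply above into a log-triage check. It parses Suricata engine lines in the format the post shows (`dd/mm/yyyy -- HH:MM:SS - <Level> - [ERRCODE: NAME(n)] - message`, optionally behind a `suricata[pid]:` syslog prefix), counts errors by ERRCODE, and for SC_ERR_DATALINK_UNIMPLEMENTED names the libpcap link type and points at the PPPoE explanation. The DLT numbers are libpcap's own; the sample log lines, including the rule-load failure that illustrates the skipped-Snort-rule point, are constructed for the example.

```python
"""Triage Suricata engine log lines copied from the pfSense system log.

Added example (not code from the thread, Suricata or pfSense). Parses the
default Suricata log format of that era, groups errors by ERRCODE and turns
the datalink error from the post into an actionable diagnosis.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# libpcap DLT_* values (pcap/dlt.h). The post reports type 0 (DLT_NULL) on a
# PPPoE WAN on pfSense/FreeBSD, which Suricata's pcap decoder of that era did
# not handle; Ethernet (DLT_EN10MB) interfaces decode fine.
DLT_NAMES: Dict[int, str] = {
    0: "DLT_NULL",
    1: "DLT_EN10MB",
    9: "DLT_PPP",
    12: "DLT_RAW",
    113: "DLT_LINUX_SLL",
}

LOG_LINE = re.compile(
    r"^(?:.*?suricata\[(?P<pid>\d+)\]:\s+)?"        # optional syslog prefix
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+--?\s+(?P<time>\d{2}:\d{2}:\d{2})\s+-\s+"
    r"<(?P<level>\w+)>\s+-\s+"
    r"(?:\[ERRCODE:\s*(?P<errname>\w+)\((?P<errnum>\d+)\)\]\s+-\s+)?"
    r"(?P<msg>.*)$"
)
DATALINK_MSG = re.compile(
    r"datalink type (?P<dlt>\d+) not yet supported in module (?P<module>\w+)"
)


@dataclass
class LogEvent:
    level: str
    errname: Optional[str]
    errnum: Optional[int]
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a Suricata log line, or None for any other syslog line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    errnum = int(m.group("errnum")) if m.group("errnum") else None
    return LogEvent(m.group("level"), m.group("errname"), errnum, m.group("msg"))


def dlt_name(dlt: int) -> str:
    return DLT_NAMES.get(dlt, "unknown DLT")


def diagnose(event: LogEvent) -> Optional[str]:
    """Explain SC_ERR_DATALINK_UNIMPLEMENTED; every other event gets no diagnosis."""
    if event.errname != "SC_ERR_DATALINK_UNIMPLEMENTED":
        return None
    m = DATALINK_MSG.search(event.message)
    if not m:
        return None
    dlt = int(m.group("dlt"))
    hint = ("this is the PPPoE link on pfSense/FreeBSD; run Snort on this "
            "interface or move Suricata to an Ethernet interface"
            if dlt == 0 else "check the interface's capture encapsulation")
    return (f"{m.group('module')} cannot decode link type {dlt} ({dlt_name(dlt)}): "
            f"decoder limitation, not a rule or GUI problem; {hint}")


def triage(lines: List[str]) -> Tuple[Counter, List[str]]:
    """Count errors by ERRCODE and collect the distinct diagnoses."""
    counts: Counter = Counter()
    diagnoses: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.errname:
            counts[ev.errname] += 1
        d = diagnose(ev)
        if d and d not in diagnoses:
            diagnoses.append(d)
    return counts, diagnoses


# Constructed sample: the post's line (repeated, as it is logged per packet),
# a startup notice, a rule that failed to load, and an unrelated syslog line.
SAMPLE_LOG = [
    "suricata[59742]: 24/11/2014 -- 22:54:01 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap",
    "suricata[59742]: 24/11/2014 -- 22:54:02 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap",
    "suricata[59742]: 24/11/2014 -- 22:53:58 - <Notice> - This is Suricata version 2.0.4 RELEASE",
    'suricata[59742]: 24/11/2014 -- 22:53:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp ..." from file /usr/local/etc/suricata/rules/example.rules at line 1',
    "Nov 24 22:54:01 pfsense check_reload_status: Reloading filter",
]

if __name__ == "__main__":
    counts, diagnoses = triage(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{n:4d}  {name}")
    for d in diagnoses:
        print("->", d)
```

    Feed it the saved system log one line per list entry; lines from other daemons are skipped. A diagnosis naming DLT 0 is the signature of the PPPoE case described above, and a separate count of SC_ERR_INVALID_SIGNATURE tells you how many Snort rules Suricata refused to load rather than a capture problem.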



  • @bmeeks:

    You must be running PPPoE on your WAN.

    Yes I am, didn't know about the PPPoE restriction.

    As for which is better or more mature, that's sure to bring out fan boys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them).

    Thanks for that info, it explains a lot. I think for my uses, Snort on WAN and Suricata and/or Snort on LAN is the way to go, although I doubt my LAN traffic will ever reach the rates that give Suricata a chance to show off its capabilities over Snort.