Suricata giving strange messages when enabling

Started by Pocket_Sevens, August 21, 2019, 03:58:41 PM

I am going to admit up front that I am more of a "hobbyist" when it comes to OPNsense. I also used pfSense for about a year before making the move to OPNsense. So, please forgive my "noobishness" when it comes to asking questions.

I am running OPNsense 19.7.2 with Suricata version 4.1.4_3. I am running this on Google Fiber (which means the WAN has to be tagged with VLAN 2, Priority 3 - a requirement from Google to have connectivity). I have set up IPS on the WAN with the following settings:

Enabled: checked
IPS mode: checked
Promiscuous mode:  checked
Enable syslog alerts:  checked
Enable eve syslog output: checked
Pattern matcher:  Aho-Corasick
Interfaces:  WAN

I have only downloaded the abuse.ch rulesets.

However, my console starts showing strange messages (photo attached). 

Is this something I should be worried about?  Is Suricata still working or is this showing an error? 

The only things I see in the Suricata log are:

Aug 21 09:35:11   suricata[10561]: [100224] <Notice> -- rule reload complete
Aug 21 09:35:01   suricata[10561]: [100224] <Notice> -- rule reload starting
Aug 21 09:34:47   suricata[10561]: [100224] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Aug 21 09:34:37   suricata: [100224] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Aug 21 09:34:37   suricata: [100163] <Notice> -- This is Suricata version 4.1.4 RELEASE


Thanks in advance for your help.

That's just a warning; as of Suricata 5, things go a little bit differently. The warning also says how you can suppress this warning.


Quote from: ruggerio on August 22, 2019, 07:01:53 AM
The warning also says how you can suppress this warning.

Neither in this screenshot nor on my local system is there a hint how I can suppress these messages. Can you tell me how to suppress it? Suricata and Sensei, both programs using the netmap API for traffic filtering, always create these messages on the physical console when starting or stopping use of netmap.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Also, I want to know if the messages I'm seeing on my physical console (not from the Suricata log) are normal. Or is the console trying to tell me there's a problem?

Thanks.

Did not try it out; thought it would be enough to put this in suricata.yaml within the stats section:

stats.decoder-events-prefix: true


Tested it, doesn't work. Sorry. Checked the mentioned ticket on Redmine, which also says nothing about this. Just the code on GitHub mentions that it's ignored if not true.

/* Suricata source as quoted above: if the key is absent from the yaml,
   fall back to the "decoder" prefix and emit the warning */
const char *prefix = NULL;

if (ConfGet("stats.decoder-events-prefix", &prefix) != 1) {
    prefix = "decoder";
    SCLogWarning(SC_WARN_DEFAULT_WILL_CHANGE, "in 5.0 the default "
            "for decoder event stats will go from "
            "'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. "
            "See ticket #2225. To suppress this message, "
            "set stats.decoder-events-prefix in the yaml.");
}
stats_decoder_events_prefix = prefix;
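An added illustration (not Suricata's code and not posted in this thread) of why the flat key form is not picked up: ConfGet resolves a dotted name one component at a time through the loaded YAML tree, so the setting has to sit under the stats: mapping. The dict trees stand in for what the YAML loader would build; that a top-level key containing a dot is stored verbatim as one node is my assumption.

```python
# Emulation of Suricata's ConfGet("stats.decoder-events-prefix", ...)
# (added example, not Suricata's own code).  Each dot-separated component
# is looked up as a child of the previous node.
# Assumption: the YAML loader stores a top-level key verbatim, so a flat
# "stats.decoder-events-prefix" key becomes one node whose name contains
# the dot and never matches the component "stats".

# Constructed config trees, as the loader would build them from the yaml.
# The attempt from the thread, a flat key at top level:
#   stats.decoder-events-prefix: true
FLAT_CONFIG = {"stats.decoder-events-prefix": "true"}
# The nested form that matches the dotted lookup path:
#   stats:
#     decoder-events-prefix: "decoder.event"
NESTED_CONFIG = {"stats": {"decoder-events-prefix": "decoder.event"}}
# Keep the 4.x names but still silence the warning (any value suppresses it):
#   stats:
#     decoder-events-prefix: "decoder"
NESTED_OLD_NAMES = {"stats": {"decoder-events-prefix": "decoder"}}


def conf_get(tree, name):
    """Walk the tree one dot-separated component at a time.
    Returns the scalar value, or None when the path is absent."""
    node = tree
    for key in name.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def decoder_events_prefix(tree):
    """Mirror the C logic quoted above: when the key is not found, fall
    back to 'decoder' and warn.  Returns (prefix, warned)."""
    prefix = conf_get(tree, "stats.decoder-events-prefix")
    if prefix is None:
        return "decoder", True   # ConfGet != 1 -> SCLogWarning fires
    return prefix, False


if __name__ == "__main__":
    for label, tree in (("flat", FLAT_CONFIG), ("nested", NESTED_CONFIG),
                        ("nested-old", NESTED_OLD_NAMES)):
        print(label, decoder_events_prefix(tree))
```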


Any update on this, how to get rid of the warning?

When is the new Suricata supposed to come to OPNsense?