Hi,<br><br>Which Suricata version are you using? git/Beta/1.2.1...?<br><br>thanks<br><br><div class="gmail_quote">On Wed, Jun 27, 2012 at 3:02 PM, Abhishek Sharma <span dir="ltr"><<a href="mailto:abhisheksharma84@gmail.com" target="_blank">abhisheksharma84@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">All,<br><br>I have started using Suricata only recently and was using Snort before that. One point on which I find this clearly better than Snort is the performance...so thumbs up on that. After doing some sort of comparison for some time I have noticed that Suricata yields fewer alerts as compared to Snort.<br>
<br>Now, maybe there is something that I have messed up. I am using a very strong machine and have configured the parameters well. So to give an example, I am using the following rule -<br><br>alert tcp any any -> any any (msg:"testing"; content:"/neo/launch?.rand"; priority:5; sid:1;)<br>
<br>I am attaching the pcap on which I was running this.<br><br>When I run snort on this I get the following matches -<br><br>06/27-13:26:32.385734 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} <a href="http://117.199.166.249:2766" target="_blank">117.199.166.249:2766</a> -> <a href="http://106.10.170.118:80" target="_blank">106.10.170.118:80</a><br>
06/27-13:26:31.663511 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} <a href="http://117.199.166.249:2789" target="_blank">117.199.166.249:2789</a> -> <a href="http://202.86.7.110:80" target="_blank">202.86.7.110:80</a><br>
<br>When I run Suricata on this I get the following matches -<br>
<br>06/27/2012-13:26:32.385734 [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} <a href="http://117.199.166.249:2766" target="_blank">117.199.166.249:2766</a> -> <a href="http://106.10.170.118:80" target="_blank">106.10.170.118:80</a><br>
<br>We can see that Suricata missed the second alert that Snort has highlighted.<br><br>Can anyone help me understand why this is happening?<br><br>Abhi<br>
<br>_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
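As an added example (not code from the thread or from the Suricata project), the script below does the alert comparison from the quoted message mechanically: it parses the Snort and Suricata fast.log line formats shown above, normalizes the timestamp difference between them (Snort omits the year, Suricata includes it), keys each alert on timestamp, sid, protocol, source and destination, and reports which alerts one engine raised and the other did not. The sample lines are copied from the alerts quoted in the message; the choice of key fields is an assumption made here.

```python
import re

# Constructed sample input: the two Snort alerts and the single Suricata alert
# quoted in the thread, reproduced as plain text.
SNORT_FAST_LOG = """\
06/27-13:26:32.385734 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
06/27-13:26:31.663511 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2789 -> 202.86.7.110:80
"""

SURICATA_FAST_LOG = """\
06/27/2012-13:26:32.385734 [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
"""

# One regex covers both engines' fast.log layout: Suricata adds an optional
# "[Classification: ...]" field and a year in the timestamp.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Snort: MM/DD-HH:MM:SS.ffffff      Suricata: MM/DD/YYYY-HH:MM:SS.ffffff
TS_RE = re.compile(r"^(\d{2})/(\d{2})(?:/\d{4})?-(\d{2}:\d{2}:\d{2}\.\d+)$")


def normalize_timestamp(ts):
    """Drop the optional year so timestamps from both engines compare equal."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % ts)
    month, day, clock = m.groups()
    return "%s/%s %s" % (month, day, clock)


def parse_fast_log(text):
    """Return a set of (timestamp, sid, proto, src, dst) keys, one per alert line.

    Lines that do not look like alerts (blank lines, trailing noise) are skipped.
    """
    keys = set()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        keys.add((
            normalize_timestamp(m.group("ts")),
            m.group("sid"),
            m.group("proto"),
            m.group("src"),
            m.group("dst"),
        ))
    return keys


def compare_alert_logs(snort_text, suricata_text):
    """Set-difference the two engines' alerts; pcap timestamps make runs comparable."""
    snort = parse_fast_log(snort_text)
    suricata = parse_fast_log(suricata_text)
    return {
        "both": snort & suricata,
        "only_snort": snort - suricata,
        "only_suricata": suricata - snort,
    }


if __name__ == "__main__":
    result = compare_alert_logs(SNORT_FAST_LOG, SURICATA_FAST_LOG)
    for label in ("both", "only_snort", "only_suricata"):
        print("%s (%d):" % (label, len(result[label])))
        for key in sorted(result[label]):
            print("  %s sid=%s %s %s -> %s" % key)
```

Feed it the two real fast.log files from a pcap replay and the "only_snort" set is exactly the list of alerts to investigate, with the flow tuple needed to pull the relevant packets out of the capture.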