<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
We're currently in the process of working to move away from using load balanced Snort processes to Suricata. In my current setup I'm running the same ruleset on our existing Snort sensor and on our Suricata sensor (pulledpork configured the same, except to
pull suricata rules on that box). We've got our aggregation switch configured to send the same data feed to both sensors. However, what I'm noticing is that Suricata detects significantly fewer events than Snort, not just in terms of volume of alerts but in
terms of different unique signatures as well. It often seems to get stuck just alerting on the same few rules, or won't generate any alerts for hours while Snort continues to hum along. Detection rates also tend to drop the longer that Suricata is active.
<div><br>
</div>
<div>I would have expected just the opposite as our Snort box is more underpowered and has a higher packet drop rate. Can anyone point me in a direction to troubleshoot? Generally our packet drops seems to be relatively low, (~2%) on the Suricata system. However,
I don't know how accurate these are as sometimes Suricata reports packet drop percentages higher than 100%, which in itself seems really rather odd.
<div><br>
</div>
<div>Thanks,</div>
<div>Derek</div>
</div>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This e-mail message (including any attachments) is for the sole use of<br>
the intended recipient(s) and may contain confidential and privileged<br>
information. If the reader of this message is not the intended<br>
recipient, you are hereby notified that any dissemination, distribution<br>
or copying of this message (including any attachments) is strictly<br>
prohibited.<br>
<br>
If you have received this message in error, please contact<br>
the sender by reply e-mail message and destroy all copies of the<br>
original message (including attachments).<br>
</font>
</body>
</html>