[Oisf-users] Keyword not being detected
Abhishek Sharma
abhisheksharma84 at gmail.com
Wed Jun 27 13:02:09 UTC 2012
All,
I have started using Suricata only recently and was using Snort before
that. One point on which I find this clearly better than snort is the
performance...so thumbs up on that. After doing some sort of comparison for
some time I have noticed that Suricata yields fewer alerts compared to
snort.
Now, maybe there is something that I have messed up. I am using a very
strong machine and have configured the parameters well. So to give an
example, I am using the following rule -
alert tcp any any -> any any (msg:"testing"; content:"/neo/launch?.rand"; priority:5; sid:1;)
I am attaching the pcap on which I was running this.
When I run snort on this I get the following matches -
06/27-13:26:32.385734 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
06/27-13:26:31.663511 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2789 -> 202.86.7.110:80
When I run Suricata on this I get the following matches -
06/27/2012-13:26:32.385734 [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
We can see that Suricata missed the second alert that Snort highlighted.
Can anyone help me understand why this is happening?
Abhi
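Added example (not part of the original post): a small Python script that parses Snort's fast-alert format and Suricata's fast.log, normalizes the two timestamp formats (Snort omits the year, Suricata includes it), and reports which alerts one engine raised that the other did not. The sample lines are constructed from the two outputs quoted above, not read from the attached pcap.

```python
import re

# Constructed sample alert lines, in the shape of the two outputs quoted in the post.
SNORT_FAST = """\
06/27-13:26:32.385734 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
06/27-13:26:31.663511 [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2789 -> 202.86.7.110:80
"""
SURICATA_FAST = """\
06/27/2012-13:26:32.385734 [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
"""

# One regex covers both formats: the optional [Classification: ...] block is absorbed by ".*?".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def normalize_ts(ts):
    """Snort prints MM/DD-HH:MM:SS.usec, Suricata MM/DD/YYYY-HH:MM:SS.usec; drop the year."""
    date, _, clock = ts.partition("-")
    parts = date.split("/")
    if len(parts) == 3:
        date = "/".join(parts[:2])
    return f"{date}-{clock}"


def parse_alerts(text):
    """Return a set of (timestamp, sid, proto, src, sport, dst, dport) keys, one per alert line."""
    keys = set()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:  # skip wrapped continuations or unrelated output
            continue
        keys.add((normalize_ts(m["ts"]), int(m["sid"]), m["proto"],
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return keys


def diff_alerts(snort_text, suricata_text):
    """Return (alerts only Snort raised, alerts only Suricata raised), sorted for stable output."""
    snort, suri = parse_alerts(snort_text), parse_alerts(suricata_text)
    return sorted(snort - suri), sorted(suri - snort)


if __name__ == "__main__":
    only_snort, only_suri = diff_alerts(SNORT_FAST, SURICATA_FAST)
    for key in only_snort:
        print("missing in Suricata:", key)
    for key in only_suri:
        print("missing in Snort:", key)
```

Each key is timestamp plus 5-tuple plus sid, so the script pinpoints which flow to inspect in the pcap rather than just reporting a count difference.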
Attachment: extract.pcap (application/octet-stream, 170749 bytes)
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120627/61c63690/attachment.obj>