[Oisf-users] Keyword not being detected

Abhishek Sharma abhisheksharma84 at gmail.com
Wed Jun 27 13:02:09 UTC 2012


I have started using Suricata only recently and was using Snort before
that. One point on which I find this clearly better than snort is the
performance...so thumbs up on that. After doing some sort of comparison for
some time I have noticed that Suricata yields fewer alerts as compared to

Now, maybe there is something that I have messed up. I am using a very
strong machine and have configured the parameters well. So to give an
example, I am using the following rule -

alert tcp any any -> any any  (msg:"testing"; content:"/neo/launch?.rand";
priority:5; sid:1;)

I am attaching the pcap on which I was running this.

When I run snort on this I get the following matches -

06/27-13:26:32.385734  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} ->
06/27-13:26:31.663511  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} ->

When I run Suricata on this I get the following matches -

06/27/2012-13:26:32.385734  [**] [1:90011:0] testing [**] [Classification:
(null)] [Priority: 5] {TCP} ->

We can see that suricata missed the second alert that snort has highlighted.

Can anyone help me as to why this is happening?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: extract.pcap
Type: application/octet-stream
Size: 170749 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120627/61c63690/attachment.obj>
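The rule above is a plain byte match: in a Snort or Suricata `content` keyword the `?` and `.` in `/neo/launch?.rand` are literal characters, not regex metacharacters, so the first thing to establish when two engines disagree is how many times those bytes actually occur in the capture. The script below is an added example written for this archive entry; it is not the poster's code and not part of Suricata or Snort. It parses a libpcap file (Ethernet/IPv4/TCP only, little-endian magic, no checksum verification) and reports two counts: packets whose own payload contains the pattern, and occurrences in each flow's reassembled byte stream after dropping repeated segments at the same sequence number. The embedded capture is constructed for the demonstration (not the poster's extract.pcap) and is deliberately built so the two counts come apart in both directions: one flow carries a retransmitted segment (two packet hits, one stream hit) and the other splits the pattern across two segments (zero packet hits, one stream hit). Which count a given engine reports depends on its stream-reassembly settings, so this only gives a baseline to compare each engine against; it does not by itself say which engine is right for a particular pcap.

```python
import struct
import sys
from collections import defaultdict

# Literal bytes of the rule's content keyword; '?' and '.' are matched as-is.
PATTERN = b"/neo/launch?.rand"


def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; the parser
    below does not verify them). Helper for the constructed sample only."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, src, dst)
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed sample capture (not the poster's extract.pcap): two client-to-
    server TCP flows chosen so per-packet and per-stream matching disagree."""
    server = bytes([10, 0, 0, 2])
    req = b"GET /neo/launch?.rand=123 HTTP/1.1\r\n"
    a = bytes([10, 0, 0, 1])
    frames = [
        # Flow A: request, an exact retransmission of it, then the next segment.
        _ipv4_tcp_frame(a, server, 40000, 80, 1000, req),
        _ipv4_tcp_frame(a, server, 40000, 80, 1000, req),
        _ipv4_tcp_frame(a, server, 40000, 80, 1000 + len(req), b"Host: example.test\r\n"),
    ]
    # Flow B: the same request split so the pattern straddles two segments.
    b = bytes([10, 0, 0, 3])
    first, second = b"GET /neo/laun", b"ch?.rand=9 HTTP/1.1\r\n"
    frames.append(_ipv4_tcp_frame(b, server, 40001, 80, 5000, first))
    frames.append(_ipv4_tcp_frame(b, server, 40001, 80, 5000 + len(first), second))

    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1340800000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each IPv4/TCP packet carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    network, = struct.unpack_from("<I", pcap, 20)
    if network != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        src, dst = frame[26:30], frame[30:34]
        tcp = frame[14 + ihl: 14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def packet_match_count(pcap, pattern=PATTERN):
    """Packets whose own payload contains the pattern (pure per-packet view)."""
    return sum(1 for _, _, p in tcp_segments(pcap) if pattern in p)


def stream_match_count(pcap, pattern=PATTERN):
    """Occurrences in each flow's reassembled byte stream; a repeated segment at
    an already-seen sequence number is ignored. No seq wraparound handling."""
    flows = defaultdict(dict)
    for flow, seq, payload in tcp_segments(pcap):
        flows[flow].setdefault(seq, payload)
    return sum(b"".join(s[k] for k in sorted(s)).count(pattern) for s in flows.values())


if __name__ == "__main__":
    # Pass a pcap path to check a real capture; otherwise use the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print("per-packet matches:        ", packet_match_count(data))
    print("reassembled-stream matches:", stream_match_count(data))
```

Run against a real capture with `python3 content_count.py extract.pcap`. If the per-packet count equals Snort's alert count and the stream count equals Suricata's, the difference is a reassembly or retransmission effect rather than a missed match; if neither count lines up, the disagreement lies elsewhere (for example in which packets each engine considers part of an established session).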
