[Oisf-users] Keyword not being detected

Peter Manev petermanev at gmail.com
Wed Jun 27 14:57:51 UTC 2012


Hi,

Which Suricata version are you using? git/Beta/1.2.1...?

thanks

On Wed, Jun 27, 2012 at 3:02 PM, Abhishek Sharma <abhisheksharma84 at gmail.com> wrote:

> All,
>
> I have started using Suricata only recently and was using Snort before
> that. One point on which I find this clearly better than snort is the
> performance...so thumbs up on that. After doing some sort of comparison for
> some time I have noticed that Suricata yields fewer alerts as compared to
> snort.
>
> Now, maybe there is something that I have messed up. I am using a very
> strong machine and have configured the parameters well. So to give an
> example, I am using the following rule -
>
> alert tcp any any -> any any  (msg:"testing"; content:"/neo/launch?.rand";
> priority:5; sid:1;)
>
> I am attaching the pcap on which I was running this.
>
> When I run snort on this I get the following matches -
>
> 06/27-13:26:32.385734  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
> 06/27-13:26:31.663511  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2789 -> 202.86.7.110:80
>
> When I run Suricata on this I get the following matches -
>
> 06/27/2012-13:26:32.385734  [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80
>
> We can see that suricata missed the second alert that snort has
> highlighted.
>
> Can anyone help me as to why this is happening?
>
> Abhi
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>


-- 
Regards,
Peter Manev
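The comparison Abhi did by eye above (which alerts one engine raised on the pcap that the other did not) can be automated. The script below is an added example, not code from the thread or from the Suricata project: it parses both the Snort fast-alert format and the Suricata fast.log format quoted in the message, normalises them to a common key (the Snort format prints no year and no Classification field) and reports the alerts present in only one engine's output. The sample log lines are constructed copies of the two outputs quoted above.

```python
import re

# Snort fast-alert line (no year in the timestamp):
#   06/27-13:26:32.385734  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 1.2.3.4:2766 -> 5.6.7.8:80
# Suricata fast.log line (year in the timestamp, extra Classification field):
#   06/27/2012-13:26:32.385734  [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} ...
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)(?:/\d{4})?-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_fast_line(line):
    """Parse one Snort or Suricata fast-format alert; return None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def alert_key(a):
    """Engine-independent identity of an alert: rule sid, packet timestamp and 5-tuple.
    The year is dropped because Snort's fast format does not print it."""
    return (a["sid"], f'{a["date"]}-{a["time"]}', a["proto"],
            a["src"], a["sport"], a["dst"], a["dport"])

def compare_alerts(snort_lines, suricata_lines):
    """Return (only_in_snort, only_in_suricata) as sorted lists of alert keys."""
    snort = {alert_key(a) for a in map(parse_fast_line, snort_lines) if a}
    suri = {alert_key(a) for a in map(parse_fast_line, suricata_lines) if a}
    return sorted(snort - suri), sorted(suri - snort)

# Constructed sample: the alerts quoted in the thread, one alert per line.
SNORT_LOG = [
    "06/27-13:26:32.385734  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80",
    "06/27-13:26:31.663511  [**] [1:90011:0] testing [**] [Priority: 5] {TCP} 117.199.166.249:2789 -> 202.86.7.110:80",
]
SURICATA_LOG = [
    "06/27/2012-13:26:32.385734  [**] [1:90011:0] testing [**] [Classification: (null)] [Priority: 5] {TCP} 117.199.166.249:2766 -> 106.10.170.118:80",
]

if __name__ == "__main__":
    missed_by_suricata, missed_by_snort = compare_alerts(SNORT_LOG, SURICATA_LOG)
    for k in missed_by_suricata:
        print("Suricata missed:", k)   # the 2789 -> 202.86.7.110:80 alert from the thread
    for k in missed_by_snort:
        print("Snort missed:", k)
```

Feeding both engines' full fast logs for the same pcap into compare_alerts gives the list of flows to inspect in the capture, which is the starting point for working out whether the content match itself or something earlier (stream reassembly, protocol parsing) caused the difference.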

