[Oisf-users] Place to install Suricata

Minh Trung mvtrung27 at gmail.com
Mon Jun 1 09:33:01 UTC 2015

Hello all,

My DMZ is behind a firewall also.
So, all your points point me to having a dedicated Suricata, not on VMware?
In my case, is it better to use Suricata or Snort?
Any help is appreciated,


On 19 May 2015 at 03:07, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> I'll agree with this.  We monitor multiple DMZ vlans and see 300k-1+
> million ET alerts per 24-hour cycle.  This makes separating the signal
> from the noise difficult.
> Ideally you would want to deploy suricata as part of a "full-stack"
> defense-in-depth deployment and have it deployed behind your
> firewall/proxy architecture.
> I understand many people want to "see everything", but at this point it's
> a given that your DMZ is going to be attacked 24x7.
> -Coop
> On 5/18/2015 1:46 AM, Christophe Vandeplas wrote:
> > I would recommend to use that functionality to your advantage, and
> > eliminate a LOT of the incoming traffic/noise.
> > From my experience detecting APTs is usually done by finding outbound
> > traffic (CnC), and traffic attacking your DMZ systems (published
> > services). So the less noise the better, and the more time you can
> > spend to do manual analysis of the alerts you will be getting.
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
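The two quoted replies above argue that the useful alerts in a DMZ deployment are the outbound ones (possible CnC) and the attacks on published services, and that the bulk of inbound scanner noise should be cut down before anyone reads it. As an added illustration that is not part of this thread or of the Suricata project, the following Python script triages Suricata EVE JSON alert records by traffic direction so that outbound and internal-bound hits are listed before the inbound DMZ noise. The sample records, the signature IDs and names (all in the 9000000 range and prefixed "CONSTRUCTED"), and the address ranges for the internal and DMZ networks are all constructed for the example; replace the network lists with your own ranges and feed it your eve.json.

```python
"""Triage Suricata EVE alerts by direction: outbound first, DMZ-inbound noise last.

Added example for the oisf-users thread; not Suricata project code.
All sample data, signature IDs/names and address ranges are constructed.
"""
import ipaddress
import json
import sys
from collections import Counter

# Assumed address plan for the example (RFC 1918 inside, TEST-NET-3 as the DMZ).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed EVE JSON lines (one record per line, as Suricata writes eve.json).
# Signature IDs 9000001-9000004 and their names are invented for this example.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2015-05-18T01:46:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED WEB Scanner User-Agent","category":"Web Application Attack","severity":2}}',
    '{"timestamp":"2015-05-18T01:46:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51235,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED WEB Scanner User-Agent","category":"Web Application Attack","severity":2}}',
    '{"timestamp":"2015-05-18T01:46:02.000000+0000","event_type":"alert","src_ip":"198.51.100.8","src_port":40001,"dest_ip":"203.0.113.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED WEB Scanner User-Agent","category":"Web Application Attack","severity":2}}',
    '{"timestamp":"2015-05-18T01:47:00.000000+0000","event_type":"flow","src_ip":"10.1.2.3","src_port":50000,"dest_ip":"198.51.100.200","dest_port":443,"proto":"TCP"}',
    '{"timestamp":"2015-05-18T01:47:05.000000+0000","event_type":"alert","src_ip":"10.1.2.3","src_port":50001,"dest_ip":"198.51.100.200","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED CNC Periodic Beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2015-05-18T01:52:05.000000+0000","event_type":"alert","src_ip":"10.1.2.3","src_port":50002,"dest_ip":"198.51.100.200","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED CNC Periodic Beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2015-05-18T01:53:00.000000+0000","event_type":"alert","src_ip":"10.1.2.3","src_port":50003,"dest_ip":"192.168.1.5","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"CONSTRUCTED SMB Lateral Admin Share Access","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2015-05-18T01:54:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":33333,"dest_ip":"10.5.5.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000004,"rev":1,"signature":"CONSTRUCTED SSH Inbound to Internal Host","category":"Attempted Administrator Privilege Gain","severity":1}}',
])

# Directions in the order an analyst should read them: outbound (possible CnC) first,
# inbound hits on published DMZ services last because they are the bulk of the noise.
PRIORITY = ("outbound", "inbound_internal", "lateral", "inbound_dmz", "transit")


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def direction(src_ip, dest_ip):
    """Classify an alert by which side of the perimeter each endpoint is on."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dest_ip)
    src_ours = in_nets(src, INTERNAL_NETS) or in_nets(src, DMZ_NETS)
    dst_ours = in_nets(dst, INTERNAL_NETS) or in_nets(dst, DMZ_NETS)
    if src_ours and not dst_ours:
        return "outbound"          # internal/DMZ host talking out: candidate CnC
    if not src_ours and in_nets(dst, DMZ_NETS):
        return "inbound_dmz"       # attacks on published services: expected 24x7
    if not src_ours and dst_ours:
        return "inbound_internal"  # outside reaching a non-DMZ host: should not happen
    if src_ours and dst_ours:
        return "lateral"           # inside-to-inside
    return "transit"               # neither end is ours


def parse_alerts(text):
    """Yield only event_type=alert records; skip blank, malformed and non-alert lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def triage(text):
    """Count alerts per (direction, signature_id, signature)."""
    counts = Counter()
    for rec in parse_alerts(text):
        d = direction(rec["src_ip"], rec["dest_ip"])
        counts[(d, rec["alert"]["signature_id"], rec["alert"]["signature"])] += 1
    return counts


def by_direction(counts):
    """Collapse per-signature counts into a per-direction total."""
    totals = Counter()
    for (d, _sid, _sig), n in counts.items():
        totals[d] += n
    return dict(totals)


def report(counts):
    """Render rows in PRIORITY order, busiest signature first within a direction."""
    rows = []
    for d in PRIORITY:
        hits = sorted(((n, sid, sig) for (dd, sid, sig), n in counts.items() if dd == d),
                      reverse=True)
        rows.extend(f"{d:16s} {n:6d}  sid={sid}  {sig}" for n, sid, sig in hits)
    return rows


if __name__ == "__main__":
    # Usage: python triage_eve.py < /var/log/suricata/eve.json  (or no stdin: sample data)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVE
    print("\n".join(report(triage(data))))
```

On the constructed sample the report puts the two CNC beacon hits from 10.1.2.3 and the single inbound SSH hit on an internal host at the top, and the three scanner hits on the DMZ web servers at the bottom, which is the ordering the replies above are arguing for. In a real deployment the `INTERNAL_NETS` and `DMZ_NETS` lists must match the ranges Suricata is actually watching, and a signature that fires hundreds of thousands of times a day in the `inbound_dmz` bucket is a candidate for a threshold or a disabled rule rather than manual review.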