[Oisf-users] Comparative test between Palo Alto and Suricata

Cooper F. Nelson cnelson at ucsd.edu
Sun Mar 22 15:43:32 UTC 2015

Hash: SHA1

On 3/21/2015 11:21 AM, David Sussens wrote:
> Palo Alto's APPID is nothing but a classification system to be-able to
> group applications and thus make blocking more absolute.  Its a great
> idea, but Snort has just launched OpenAPPID.  I am certain that Suricata
> will be able to support the same in the next few months.  Again though,
> its purely a classification system, and in many instances muddies the
> waters quite a bit.

Palo Altos include layer 3-6 firewall functionality.  So, for example,
with a PA you can allow only HTTP over port 80 and only SSL over port
443.  That is where the primary value in the product is, IMHO.

> I am not testing the firewalling functionality of the Palo Alto.  This
> is a direct comparison between the Suricata IPS engine and the Palo Alto
> IPS engine. 

That is fine, but I don't think that is a fair comparison as they are
different products.

> The results are interesting to say the least.  I will submit my findings
> in Word Doc format if that's okay, as it makes it easier for me to
> capture the pictorial type results out of Acunetix and OPENVAS. 
> The results will be in, in the next couple of days.  Will share them at
> that point.

Are you going to be testing against normal traffic as well as hostile?
The reason I ask is because on a busy network many of the EXPLOIT type
signatures have a high rate of false positives.  I personally wouldn't
trust running the entire ET subscription as drop rules.

I also don't think using Acunetix and OpenVAS in an out-of-the box
configuration is very valuable, as the ET sigs are just looking for the
User-Agent.  Change that and suricata will let it by as well, unless it
matches some other signature.

Still would be interested in seeing the results, tho!

- -Coop

> On Fri, Mar 20, 2015 at 11:47 PM, Cooper F. Nelson <cnelson at ucsd.edu
> <mailto:cnelson at ucsd.edu>> wrote:
> Have you been able to emulate the next-generation firewall features
> (App-ID) of the Palo Alto's on suricata yet?
> This isn't a criticism as I like both products, but AFAIK suricata isn't
> a firewall.
> -Coop
> On 3/20/2015 10:38 AM, None None wrote:
>> I am currently doing a comparative side by side test between Suricata
>> and Palo Alto, and I would very much like to share the results of the
>> tests in a manner that other users can see the outcomes.
>> Palo Alto is sold to be the silver bullet of network protection,
> however
>> my experience thus far has been that Suricata decimates the Palo
> Alto I
>> am testing in terms of detection accuracy and blocking of attacks.
>> What is the best way for me to submit my findings?
>> Thank you,
>> Neo.
>> _______________________________________________
>> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
>> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
>> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
Version: GnuPG v2.0.17 (MingW32)


More information about the Oisf-users mailing list