[Oisf-users] Comparative test between Palo Alto and Suricata
Cooper F. Nelson
cnelson at ucsd.edu
Sun Mar 22 15:43:32 UTC 2015
On 3/21/2015 11:21 AM, David Sussens wrote:
> Palo Alto's APPID is nothing but a classification system to be able to
> group applications and thus make blocking more absolute. It's a great
> idea, but Snort has just launched OpenAPPID. I am certain that Suricata
> will be able to support the same in the next few months. Again though,
> it's purely a classification system, and in many instances muddies the
> waters quite a bit.
Palo Altos include layer 3-6 firewall functionality. So, for example,
with a PA you can allow only HTTP over port 80 and only SSL over port
443. That is where the primary value in the product is, IMHO.
> I am not testing the firewalling functionality of the Palo Alto. This
> is a direct comparison between the Suricata IPS engine and the Palo Alto
> IPS engine.
That is fine, but I don't think that is a fair comparison as they are
different products.
> The results are interesting to say the least. I will submit my findings
> in Word Doc format if that's okay, as it makes it easier for me to
> capture the pictorial type results out of Acunetix and OpenVAS.
>
> The results will be in within the next couple of days. Will share them at
> that point.
Are you going to be testing against normal traffic as well as hostile?
The reason I ask is because on a busy network many of the EXPLOIT type
signatures have a high rate of false positives. I personally wouldn't
trust running the entire ET subscription as drop rules.
I also don't think using Acunetix and OpenVAS in an out-of-the-box
configuration is very valuable, as the ET sigs are just looking for the
User-Agent. Change that and Suricata will let it by as well, unless it
matches some other signature.
Still would be interested in seeing the results, tho!
- -Coop
> On Fri, Mar 20, 2015 at 11:47 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> Have you been able to emulate the next-generation firewall features
> (App-ID) of the Palo Altos on Suricata yet?
>
> This isn't a criticism as I like both products, but AFAIK Suricata isn't
> a firewall.
>
> -Coop
>
> On 3/20/2015 10:38 AM, None None wrote:
>> I am currently doing a comparative side by side test between Suricata
>> and Palo Alto, and I would very much like to share the results of the
>> tests in a manner that other users can see the outcomes.
>
>> Palo Alto is sold to be the silver bullet of network protection, however
>> my experience thus far has been that Suricata decimates the Palo Alto I
>> am testing in terms of detection accuracy and blocking of attacks.
>
>> What is the best way for me to submit my findings?
>
>> Thank you,
>
>> Neo.
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
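To make Coop's point about User-Agent-only signatures concrete, here is an added example that is not from the thread, the ET ruleset or Suricata itself: a toy matcher run over a constructed request log, contrasting a UA-string rule with a behavioural "burst of distinct 404s" check. The scanner name, IPs and log entries are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): (t_seconds, src_ip, user_agent, uri, status)
SAMPLE_LOG = [
    (0.0, "10.0.0.5", "ExampleScanner/1.0", "/admin/", 404),
    (0.2, "10.0.0.5", "ExampleScanner/1.0", "/phpmyadmin/", 404),
    (0.4, "10.0.0.5", "ExampleScanner/1.0", "/.git/config", 404),
    (0.6, "10.0.0.5", "ExampleScanner/1.0", "/backup.zip", 404),
    (0.8, "10.0.0.5", "ExampleScanner/1.0", "/wp-login.php", 404),
    # Same probes from a second host, but with a browser-looking User-Agent
    (5.0, "10.0.0.9", "Mozilla/5.0", "/admin/", 404),
    (5.2, "10.0.0.9", "Mozilla/5.0", "/phpmyadmin/", 404),
    (5.4, "10.0.0.9", "Mozilla/5.0", "/.git/config", 404),
    (5.6, "10.0.0.9", "Mozilla/5.0", "/backup.zip", 404),
    (5.8, "10.0.0.9", "Mozilla/5.0", "/wp-login.php", 404),
    # Ordinary browsing from a third host, including one harmless 404
    (9.0, "10.0.0.20", "Mozilla/5.0", "/index.html", 200),
    (9.5, "10.0.0.20", "Mozilla/5.0", "/about.html", 200),
    (9.7, "10.0.0.20", "Mozilla/5.0", "/missing.png", 404),
]

# Stand-in for a signature that keys purely on the scanner's default UA string
UA_PATTERN = re.compile(r"ExampleScanner")


def ua_rule_hits(log):
    """Sources flagged by the User-Agent-only rule."""
    return {src for _, src, ua, _, _ in log if UA_PATTERN.search(ua)}


def burst_rule_hits(log, window=2.0, threshold=4):
    """Sources with >= threshold distinct 404 URIs inside any `window` seconds.
    Ignores the User-Agent entirely, so it complements rather than replaces
    the UA rule; tune window/threshold per site to keep false positives down."""
    misses = defaultdict(list)
    for t, src, _, uri, status in log:
        if status == 404:
            misses[src].append((t, uri))
    flagged = set()
    for src, events in misses.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            uris = {u for t, u in events[i:] if t - t0 <= window}
            if len(uris) >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("UA rule:   ", sorted(ua_rule_hits(SAMPLE_LOG)))     # ['10.0.0.5']
    print("burst rule:", sorted(burst_rule_hits(SAMPLE_LOG)))  # ['10.0.0.5', '10.0.0.9']
```

The UA rule catches only the host that kept the default User-Agent, while the behavioural check flags both probing hosts and leaves the normal browser alone.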