[Oisf-users] Suricata generating fewer alerts than Snort

Spransy, Derek dsprans at emory.edu
Thu Oct 22 17:43:10 UTC 2015


We're currently in the process of working to move away from using load-balanced Snort processes to Suricata. In my current setup I'm running the same ruleset on our existing Snort sensor and on our Suricata sensor (pulledpork configured the same, except to pull Suricata rules on that box). We've got our aggregation switch configured to send the same data feed to both sensors. However, what I'm noticing is that Suricata detects significantly fewer events than Snort, not just in terms of volume of alerts but in terms of different unique signatures as well. It often seems to get stuck just alerting on the same few rules, or won't generate any alerts for hours while Snort continues to hum along. Detection rates also tend to drop the longer that Suricata is active.

I would have expected just the opposite, as our Snort box is more underpowered and has a higher packet drop rate. Can anyone point me in a direction to troubleshoot? Generally our packet drops seem to be relatively low (~2%) on the Suricata system. However, I don't know how accurate these are, as sometimes Suricata reports packet drop percentages higher than 100%, which in itself seems really rather odd.

Thanks,
Derek
