[Oisf-users] Suricata generating fewer alerts than Snort
Cooper F. Nelson
cnelson at ucsd.edu
Thu Oct 22 17:52:48 UTC 2015
I experienced the exact opposite effect migrating from snort to
suricata, so I think something is wrong with your deployment.
First off, have you tried the latest version of suricata using 'workers'
runmode with zero-copy/AF_PACKET mode? Details described here:
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
Make sure all NIC offloading features are disabled as per this article
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
As a sanity check, are you sure you are using a ruleset tuned for
suricata, like this?
> https://rules.emergingthreats.net/open/suricata/
-Coop
On 10/22/2015 10:43 AM, Spransy, Derek wrote:
> I would have expected just the opposite as our Snort box is more
> underpowered and has a higher packet drop rate. Can anyone point me in a
> direction to troubleshoot? Generally our packet drops seem to be
> relatively low (~2%) on the Suricata system. However, I don't know how
> accurate these are as sometimes Suricata reports packet drop percentages
> higher than 100%, which in itself seems really rather odd.
>
> Thanks,
> Derek
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
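As an added example to go with the advice above (not part of the original post, and not a Suricata or Security Onion script), here is a small POSIX shell helper that reads the output of `ethtool -k <iface>`, lists the offload features that are still on, and prints the matching `ethtool -K` commands to turn them off. The `ethtool -k` output embedded below is a constructed sample, not taken from a real host; the interface name eth0 is an assumption. The comment at the end shows the suricata.yaml keys for the AF_PACKET workers setup the post recommends.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k eth0` output (not captured from a real host).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# Map the display name printed by `ethtool -k` to the short name `ethtool -K` accepts.
short_name() {
  case "$1" in
    rx-checksumming)              echo rx ;;
    tx-checksumming)              echo tx ;;
    scatter-gather)               echo sg ;;
    tcp-segmentation-offload)     echo tso ;;
    generic-segmentation-offload) echo gso ;;
    generic-receive-offload)      echo gro ;;
    large-receive-offload)        echo lro ;;
    rx-vlan-offload)              echo rxvlan ;;
    tx-vlan-offload)              echo txvlan ;;
    *)                            echo "" ;;
  esac
}

# enabled_offloads "<ethtool -k output>"
# Prints, one per line, the short names of offload features that are still on.
# Entries marked "[fixed]" cannot be changed by the driver and are skipped.
enabled_offloads() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      *": on"*) ;;          # keep only features reported as on
      *) continue ;;
    esac
    case "$line" in *"[fixed]"*) continue ;; esac
    name=${line%%:*}
    s=$(short_name "$name")
    [ -n "$s" ] && echo "$s"
  done
}

# disable_commands <iface> "<ethtool -k output>"
# Prints the ethtool -K commands needed to switch the remaining offloads off.
disable_commands() {
  for f in $(enabled_offloads "$2"); do
    echo "ethtool -K $1 $f off"
  done
}

# Usage on a live sensor (assumed interface name):
#   disable_commands eth0 "$(ethtool -k eth0)" | sh
#
# Matching suricata.yaml fragment for the workers/AF_PACKET setup recommended
# in the post (key names as documented by Suricata; values are assumptions):
#   runmode: workers
#   af-packet:
#     - interface: eth0
#       cluster-type: cluster_flow
#       cluster-id: 99
#       defrag: yes
#       use-mmap: yes
disable_commands eth0 "$SAMPLE_ETHTOOL_K"
```

Run it after each reboot or driver reload, since udev and NetworkManager can re-enable offloads; the "[fixed]" check matters because some drivers refuse to toggle LRO and the script would otherwise emit a command that fails.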