[Oisf-users] Suricata generating fewer alerts than Snort

Spransy, Derek dsprans at emory.edu
Thu Oct 22 18:28:06 UTC 2015

Hi Cooper,

Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.

Also we are using Suricata optimized rules:
** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)

I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.

From: Cooper F. Nelson <cnelson at ucsd.edu>
Sent: Thursday, October 22, 2015 1:52 PM
To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort


I experienced the exact opposite effect migrating from snort to
suricata, so I think something is wrong with your deployment.

First off, have you tried the latest version of suricata using 'workers'
runmode with zero-copy/AF_PACKET mode?  Details described here:

> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Make sure all NIC offloading features are disabled as per this article

> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

As a sanity check, are you sure you are using a ruleset tuned for
suricata, like this?

> https://rules.emergingthreats.net/open/suricata/

- -Coop

On 10/22/2015 10:43 AM, Spransy, Derek wrote:
> I would have expected just the opposite as our Snort box is more
> underpowered and has a higher packet drop rate. Can anyone point me in a
> direction to troubleshoot? Generally our packet drops seem to be
> relatively low (~2%) on the Suricata system. However, I don't know how
> accurate these are as sometimes Suricata reports packet drop percentages
> higher than 100%, which in itself seems really rather odd.
> Thanks,
> Derek
> ------------------------------------------------------------------------

- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
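As an added example (not part of this thread or of Suricata itself), a POSIX shell check over the per-capture-thread `capture.kernel_packets` / `capture.kernel_drops` counters in Suricata's stats.log that computes the drop percentage Derek refers to and flags readings above 100% as implausible rather than trusting them; the thread names and counter values in the sample are constructed.

```shell
#!/bin/sh
# Added example: sanity-check Suricata capture drop counters per thread.

# Constructed sample in Suricata's stats.log layout ("counter | thread | value");
# thread names (RxPFR1..3) and all numbers are made up for this example.
SAMPLE_STATS='------------------------------------------------------------------
Date: 10/22/2015 -- 10:43:00 (uptime: 0d, 01h 02m 03s)
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 1000000
capture.kernel_drops      | RxPFR1                    | 15000
capture.kernel_packets    | RxPFR2                    | 500000
capture.kernel_drops      | RxPFR2                    | 750000
capture.kernel_packets    | RxPFR3                    | 400000
capture.kernel_drops      | RxPFR3                    | 40000
decoder.pkts              | RxPFR1                    | 985000'

# Usage: suricata_drop_check "<stats.log text>" [threshold_percent]
# Prints "thread packets drops percent status" for each capture thread.
# Exit status is 1 if any thread drops more than the threshold (default 2%)
# or reports a rate above 100% (counters that cannot be trusted), else 0.
suricata_drop_check() {
    threshold="${2:-2}"
    printf '%s\n' "$1" | awk -F'|' -v thr="$threshold" '
        /^capture\.kernel_(packets|drops)/ {
            gsub(/ /, "", $1); gsub(/ /, "", $2); gsub(/ /, "", $3)
            if ($1 == "capture.kernel_packets") pkts[$2] = $3 + 0
            else drops[$2] = $3 + 0
        }
        END {
            bad = 0
            for (t in pkts) {
                if (pkts[t] == 0) pct = 0; else pct = drops[t] * 100 / pkts[t]
                if (pct > 100)      { st = "IMPLAUSIBLE"; bad = 1 }
                else if (pct > thr) { st = "HIGH";        bad = 1 }
                else                { st = "OK" }
                printf "%s %d %d %.2f %s\n", t, pkts[t], drops[t], pct, st
            }
            exit bad
        }'
}

# Run against the constructed sample when executed directly.
suricata_drop_check "$SAMPLE_STATS"
```

Point the function at real output with `suricata_drop_check "$(cat /var/log/suricata/stats.log)" 2` and investigate any thread marked IMPLAUSIBLE before reading its percentage as a drop rate.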
