[Oisf-users] Suricata generating fewer alerts than Snort

Spransy, Derek dsprans at emory.edu
Thu Oct 22 18:28:06 UTC 2015


Hi Cooper,

Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.

Also we are using Suricata optimized rules:
** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)

I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.

Thanks,
Derek
________________________________________
From: Cooper F. Nelson <cnelson at ucsd.edu>
Sent: Thursday, October 22, 2015 1:52 PM
To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort

I experienced the exact opposite effect migrating from snort to
suricata, so I think something is wrong with your deployment.

First off, have you tried the latest version of suricata using 'workers'
runmode with zero-copy/AF_PACKET mode?  Details described here:

> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Make sure all NIC offloading features are disabled as per this article

> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

As a sanity check, are you sure you are using a ruleset tuned for
suricata, like this?

> https://rules.emergingthreats.net/open/suricata/

-Coop


On 10/22/2015 10:43 AM, Spransy, Derek wrote:
> I would have expected just the opposite, as our Snort box is more
> underpowered and has a higher packet drop rate. Can anyone point me in a
> direction to troubleshoot? Generally our packet drops seem to be
> relatively low (~2%) on the Suricata system. However, I don't know how
> accurate these are, as sometimes Suricata reports packet drop percentages
> higher than 100%, which in itself seems really rather odd.
>
> Thanks,
> Derek


--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
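One way to cross-check the drop figures Derek mentions (the ~2% and the occasional >100% readings) is to compute the percentage yourself from consecutive stats.log dumps, dividing drops by packets plus drops so the result is bounded at 100%, and differencing cumulative counters per interval. This is an added example, not code from the thread or from Suricata; it assumes the Suricata 2.x stats.log layout "counter | thread | value", the capture.kernel_packets and capture.kernel_drops counters, and that kernel_packets does not already include dropped packets (which depends on the capture method); the sample lines are constructed.

```python
"""Cross-check Suricata capture drop percentages from stats.log snapshots.

Added example (not from the mailing-list thread). Assumes the Suricata 2.x
stats.log layout "counter | thread | value" and the capture.kernel_packets /
capture.kernel_drops counters; the sample dumps below are constructed.
"""
import re

# Constructed sample: two consecutive stats.log dumps from a pfring autofp
# deployment with two receive threads. Counters are cumulative since start.
SNAPSHOT_T0 = """\
capture.kernel_packets    | RxPFRing1   | 1000000
capture.kernel_drops      | RxPFRing1   | 20000
capture.kernel_packets    | RxPFRing2   | 900000
capture.kernel_drops      | RxPFRing2   | 18000
"""
SNAPSHOT_T1 = """\
capture.kernel_packets    | RxPFRing1   | 1500000
capture.kernel_drops      | RxPFRing1   | 30000
capture.kernel_packets    | RxPFRing2   | 1300000
capture.kernel_drops      | RxPFRing2   | 35000
"""

LINE_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter: {thread: value}} for the capture.* lines of one dump."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1).startswith("capture."):
            out.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return out


def totals(stats, counter):
    """Sum a counter across all capture threads."""
    return sum(stats.get(counter, {}).values())


def drop_pct(stats, prev=None):
    """Drop percentage for one dump, or for the interval since prev.
    Drops are divided by packets + drops, so the result cannot exceed 100%."""
    pk = totals(stats, "capture.kernel_packets")
    dr = totals(stats, "capture.kernel_drops")
    if prev is not None:  # cumulative counters: difference two snapshots
        pk -= totals(prev, "capture.kernel_packets")
        dr -= totals(prev, "capture.kernel_drops")
    if pk < 0 or dr < 0:
        raise ValueError("counters went backwards: Suricata restarted or counters reset")
    return 100.0 * dr / (pk + dr) if pk + dr else 0.0
```

Comparing the interval percentage with the cumulative one shows whether a burst of drops is recent or has been averaged away since startup.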
