[Oisf-users] Suricata generating fewer alerts than Snort
Peter Manev
petermanev at gmail.com
Thu Oct 22 18:33:12 UTC 2015
> On 22 Oct. 2015, at 20:28, Spransy, Derek <dsprans at emory.edu> wrote:
>
> Hi Cooper,
>
> Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.
>
> Also we are using Suricata optimized rules:
> ** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)
>
> I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.
>
What is your max pending packets value (in suricata.yaml)?
> Thanks,
> Derek
> ________________________________________
> From: Cooper F. Nelson <cnelson at ucsd.edu>
> Sent: Thursday, October 22, 2015 1:52 PM
> To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I experienced the exact opposite effect migrating from snort to
> suricata, so I think something is wrong with your deployment.
>
> First off, have you tried the latest version of suricata using 'workers'
> runmode with zero-copy/AF_PACKET mode? Details described here:
>
>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
> Make sure all NIC offloading features are disabled as per this article
>
>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>
> As a sanity check, are you sure you are using a ruleset tuned for
> suricata, like this?
>
>> https://rules.emergingthreats.net/open/suricata/
>
> - -Coop
>
>
>> On 10/22/2015 10:43 AM, Spransy, Derek wrote:
>> I would have expected just the opposite as our Snort box is more
>> underpowered and has a higher packet drop rate. Can anyone point me in a
>> direction to troubleshoot? Generally our packet drops seem to be
>> relatively low (~2%) on the Suricata system. However, I don't know how
>> accurate these are as sometimes Suricata reports packet drop percentages
>> higher than 100%, which in itself seems really rather odd.
>>
>> Thanks,
>> Derek
>>
>> ------------------------------------------------------------------------
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJWKSJwAAoJEKIFRYQsa8FWvfEIAJzq7yqdbqJH7CoBh/e7VE97
> MOxi8KMvw2BgmBW9+X188+U6znjgWGa2ebk4Fh2XrUAD6Qau7KW5omCJyGIj2Eof
> Bq5kpg6+thRKx++hMuXESU/k/RDLJRK7nLtUcgOcvizYRG4RS+ZajgMhg0NsK5nZ
> u2xS02AhHTxhWe22ejdFh7Uu3dfXQApCQbubCJS/AbVNOSln51OpxSq5jpLBDFu5
> t4Xxx2INFP+TLa1twPzk7WtSvWlnYPGgHLwsyr4nURuusydd47xUP++mRFzdC6Is
> 5KAb3i+XuY1TqZ9gI3+QoEdUOK319z8dzbNnYGpO8A/NmI0YDe8rTqdLSFeI6l8=
> =IRyb
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
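Two of the checks raised in this thread, Derek's doubt about the reported drop percentages (including figures above 100%) and Cooper's advice to turn off NIC offloading, can be scripted. The following is an added example written for this page, not code from Suricata or from any of the posters. It assumes the three-column "Counter | TM Name | Value" layout of a Suricata 2.0-series stats.log and the "feature: on/off" layout of `ethtool -k`; the thread names, counter values and interface name in the embedded samples are constructed.

```python
"""Sanity checks for a Suricata sensor (example code for this thread):
1. parse a stats.log dump and compute per-capture-thread drop rates,
   flagging threads whose drops exceed packets (the only way a rate
   above 100% can appear: counters sampled inconsistently or reset);
2. parse `ethtool -k` output and list offload features still enabled."""

import re
from typing import Dict, List, Tuple

# Constructed excerpt in the Suricata 2.0.x stats.log layout.
# Thread names and values are made up for the example.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 10/22/2015 -- 18:33:12 (uptime: 0d, 01h 02m 03s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFReth31                | 1000000
capture.kernel_drops      | RxPFReth31                | 20000
capture.kernel_packets    | RxPFReth32                | 50000
capture.kernel_drops      | RxPFReth32                | 75000
decoder.pkts              | RxPFReth31                | 980000
"""

# counter | thread | integer value; header and separator lines do not match
STAT_LINE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {thread_name: {counter_name: value}} for every counter line."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if not m:
            continue  # date line, column header, dashes
        counter, thread, value = m.group(1), m.group(2), int(m.group(3))
        stats.setdefault(thread, {})[counter] = value
    return stats


def drop_rates(stats: Dict[str, Dict[str, int]]) -> List[Tuple[str, float, bool]]:
    """Per-thread (thread, drop percent, anomalous).

    anomalous is True when kernel_drops exceeds kernel_packets, which is
    not a real rate and should be treated as a counter problem, not a
    measurement of loss."""
    out = []
    for thread, counters in sorted(stats.items()):
        pkts = counters.get("capture.kernel_packets")
        drops = counters.get("capture.kernel_drops")
        if pkts is None or drops is None:
            continue  # not a capture thread
        pct = 100.0 * drops / pkts if pkts else 0.0
        out.append((thread, round(pct, 2), drops > pkts))
    return out


# Constructed excerpt in the layout of `ethtool -k <iface>`; sub-features
# are indented under their parent, "[fixed]" marks driver-locked features.
SAMPLE_ETHTOOL_K = """\
Features for eth3:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: on
scatter-gather: off
\ttx-scatter-gather: off
tcp-segmentation-offload: off
\ttx-tcp-segmentation: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
"""

# Offloads that merge, split or strip frames before the sensor sees them.
CAPTURE_OFFLOADS = {
    "rx-checksumming", "tx-checksumming", "scatter-gather",
    "tcp-segmentation-offload", "generic-segmentation-offload",
    "generic-receive-offload", "large-receive-offload",
    "rx-vlan-offload", "tx-vlan-offload",
}

FEATURE_LINE = re.compile(r"^([a-z0-9-]+):\s+(on|off)(\s+\[fixed\])?$")


def enabled_offloads(text: str) -> List[str]:
    """Return the top-level capture-relevant offloads still switched on."""
    on = []
    for line in text.splitlines():
        if line.startswith(("\t", " ")):
            continue  # sub-feature; the parent line governs it
        m = FEATURE_LINE.match(line.strip())
        if m and m.group(2) == "on" and m.group(1) in CAPTURE_OFFLOADS:
            on.append(m.group(1))
    return on


if __name__ == "__main__":
    for thread, pct, odd in drop_rates(parse_stats(SAMPLE_STATS_LOG)):
        flag = "  <- drops exceed packets, counter problem" if odd else ""
        print(f"{thread}: {pct}% dropped{flag}")
    print("offloads still on:", ", ".join(enabled_offloads(SAMPLE_ETHTOOL_K)) or "none")
```

Run it against a real dump by replacing the two sample strings with the contents of stats.log and the output of `ethtool -k` for the capture interface. A thread reported as anomalous should be re-read from a fresh stats interval rather than taken as a loss figure; any offload listed as still on is a candidate for `ethtool -K <iface> <feature> off` before comparing alert counts with Snort again.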