[Oisf-users] Suricata generating fewer alerts than Snort

Peter Manev petermanev at gmail.com
Fri Oct 23 07:32:26 UTC 2015


On Thu, Oct 22, 2015 at 8:39 PM, Spransy, Derek <dsprans at emory.edu> wrote:
> Hi Peter,
>
> It is currently set to 60,000

Hi Derek,

What is the output of -
modinfo pf_ring && cat /proc/net/pf_ring/info

How many threads do you use (per interface)?


Thank you

> ________________________________________
> From: Peter Manev <petermanev at gmail.com>
> Sent: Thursday, October 22, 2015 2:33 PM
> To: Spransy, Derek
> Cc: Cooper F. Nelson; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
>
>> On 22 okt. 2015, at 20:28, Spransy, Derek <dsprans at emory.edu> wrote:
>>
>> Hi Cooper,
>>
>> Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.
>>
>> Also we are using Suricata optimized rules:
>> ** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)
>>
>> I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.
>>
>
> What is your max pending packets value (in suricata.yaml)?
>
>
>> Thanks,
>> Derek
>> ________________________________________
>> From: Cooper F. Nelson <cnelson at ucsd.edu>
>> Sent: Thursday, October 22, 2015 1:52 PM
>> To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
>>
>> I experienced the exact opposite effect migrating from snort to
>> suricata, so I think something is wrong with your deployment.
>>
>> First off, have you tried the latest version of suricata using 'workers'
>> runmode with zero-copy/AF_PACKET mode?  Details described here:
>>
>>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>
>> Make sure all NIC offloading features are disabled as per this article
>>
>>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>>
>> As a sanity check, are you sure you are using a ruleset tuned for
>> suricata, like this?
>>
>>> https://rules.emergingthreats.net/open/suricata/
>>
>> -Coop
>>
>>
>>> On 10/22/2015 10:43 AM, Spransy, Derek wrote:
>>> I would have expected just the opposite as our Snort box is more
>>> underpowered and has a higher packet drop rate. Can anyone point me in a
>>> direction to troubleshoot? Generally our packet drops seem to be
>>> relatively low (~2%) on the Suricata system. However, I don't know how
>>> accurate these are as sometimes Suricata reports packet drop percentages
>>> higher than 100%, which in itself seems really rather odd.
>>>
>>> Thanks,
>>> Derek
>>>
>>> ------------------------------------------------------------------------
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
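The thread above circles around two checks: whether the capture NIC still has offload features enabled (Cooper's point) and whether the kernel drop counters Suricata reports can be trusted (Derek's ">100%" observation, and Peter's question about pending packets and threads). The script below is an added example for this archive page, not code from any of the posters or from the Suricata project. It works entirely on constructed input so it runs offline: the interface name `eth0`, the sample `ethtool -k` output and the `stats.log`-style counter rows are all made up for illustration. It goes slightly beyond the thread by also mapping the enabled features onto the matching `ethtool -K` keywords (`rx`, `tx`, `sg`, `tso`, `gso`, `gro`, `lro`), which are the standard short names ethtool accepts; the resulting command is only printed, never run.

```shell
#!/bin/sh
# Added example (not from the thread): offline helpers for the two checks
# raised above, NIC offload state and Suricata kernel drop rate.
# The interface name "eth0", the sample `ethtool -k` output and the stats
# rows are all constructed for illustration.

# Print offload features that are still enabled, one per line, from
# `ethtool -k <iface>` output read on stdin. Features marked "[fixed]"
# cannot be changed through the driver and are skipped.
enabled_offloads() {
    awk -F': ' '
        /: on/ && $2 !~ /\[fixed\]/ { gsub(/^[ \t]+/, "", $1); print $1 }
    '
}

# Turn the feature list from enabled_offloads (stdin) into one ethtool -K
# command that switches them all off. Well-known features use their short
# ethtool keyword; anything else is passed by its full feature name, which
# ethtool also accepts. The command is only printed, never executed.
suggest_disable_cmd() {
    awk -v iface="$1" '
        BEGIN {
            short["rx-checksumming"] = "rx"
            short["tx-checksumming"] = "tx"
            short["scatter-gather"] = "sg"
            short["tcp-segmentation-offload"] = "tso"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"] = "gro"
            short["large-receive-offload"] = "lro"
            cmd = "ethtool -K " iface
        }
        NF { name = ($1 in short) ? short[$1] : $1; cmd = cmd " " name " off" }
        END { print cmd }
    '
}

# Sum capture.kernel_packets and capture.kernel_drops across every capture
# thread row in stats.log-style input and print drops as a percentage of
# kernel packets (two decimals). Summing first avoids per-thread artefacts;
# if the drop counter exceeds the packet counter (or no packets were seen)
# the figure cannot be trusted, so "inconsistent" is printed instead of a
# number above 100. Using kernel_packets as the denominator is this
# example's assumption, not a statement about Suricata's counter semantics.
drop_percent() {
    awk -F'|' '
        $1 ~ /kernel_packets/ { pkts  += $3 }
        $1 ~ /kernel_drops/   { drops += $3 }
        END {
            if (pkts == 0 || drops > pkts) { print "inconsistent"; exit }
            printf "%.2f\n", drops * 100 / pkts
        }
    '
}

# Constructed sample of `ethtool -k eth0` output.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]'

# Constructed stats.log-style rows for two capture threads.
SAMPLE_STATS='capture.kernel_packets    | AFPacketeth01 | 1000000
capture.kernel_drops      | AFPacketeth01 | 20000
capture.kernel_packets    | AFPacketeth02 | 1000000
capture.kernel_drops      | AFPacketeth02 | 30000'

echo "Offloads still enabled on eth0:"
printf '%s\n' "$SAMPLE_ETHTOOL" | enabled_offloads
echo "Suggested command:"
printf '%s\n' "$SAMPLE_ETHTOOL" | enabled_offloads | suggest_disable_cmd eth0
echo "Kernel drop rate across threads: $(printf '%s\n' "$SAMPLE_STATS" | drop_percent)%"
```

On a live sensor the same functions would be fed with `ethtool -k "$IFACE" | enabled_offloads` and with the `capture.kernel_*` rows of the current `stats.log` block; the point of summing the per-thread rows before dividing is that a single thread's counter pair can look nonsensical while the aggregate is still meaningful, and a drop count larger than the packet count is a sign to distrust the reading rather than to report it as a percentage.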


