[Oisf-users] Considering transitioning from Snort to Suricata questions

Jeff H jeff61225 at gmail.com
Sun Feb 7 17:41:15 UTC 2016


I've been running Snort boxes for a year or so now. I'm no expert but do
feel fairly confident with it (at least in the configurations I have been
running it in).

The reason I chose Snort over Suricata was because I can buy a $30 home
license for Snort VRT rules for my home lab setup and was told that
Suricata wouldn't work with all of the VRT rules, but I could never get much
solid info on how many rules would be affected. Does anyone have a count or
can provide me with more info so I can try to determine how much coverage
from the VRT rules would be lost by switching to Suricata?

I've also now gotten the chance to use Suricata on an AlienVault USM (I
didn't do any of the Suricata setup as it is pre-configured) and am really
impressed with the eve.json logging in addition to the pcaps I would
normally get from Snort.

I looked at the suricata.yaml (suricata-debian.yaml on USM, I think) and see
that eve logging is on, but pcap logging is not. In the USM web GUI I do
have pcaps; is anyone familiar with USM and could tell me if these are
being generated by Suricata or by another feature of USM?

I am considering looking into switching some of my Snort installs to
Suricata. Are there any guides/documentation/blog posts (official or not)
that are aimed at Snort users interested in Suricata?

I'd like to make sure that I still get pcaps for alert info and also get
the eve.json logging as well.

Thanks

Jeff
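The "how many VRT rules would be affected" question above has no fixed answer; it depends on the ruleset revision, but it can be measured for any given rules file: Suricata's test mode (`-T`) parses the rules without sniffing, logs one "error parsing signature" line per rule it cannot load, and then a summary line with the loaded/failed counts. The script below is an added example, not code from the original post or from the Suricata project. It assumes a Suricata 3.x binary on PATH; the paths are placeholders and the sample log lines in `sample_log` are constructed to show the two line formats being parsed.

```shell
#!/bin/sh
# Added example (not from the list post or the Suricata project): count how many
# rules in a Snort VRT ruleset Suricata refuses to load, using Suricata's
# configuration/rule test mode. Paths are placeholders; adjust for your install.

# Print "loaded=<n> failed=<m>" from the summary line Suricata writes after
# parsing the ruleset:
#   ... 1 rule files processed. 8123 rules successfully loaded, 2 rules failed
# $1: path to the captured test-mode output.
summarize_rule_load() {
    sed -n 's/.*[0-9][0-9]* rule files processed\. \([0-9][0-9]*\) rules successfully loaded, \([0-9][0-9]*\) rules failed.*/loaded=\1 failed=\2/p' "$1" | tail -n 1
}

# List (numerically sorted, de-duplicated) the SIDs of rules Suricata could not
# parse, taken from the per-rule error lines:
#   ... [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ... sid:38561; rev:1;)" from file ... at line 40
# $1: path to the captured test-mode output.
failed_sids() {
    grep 'error parsing signature' "$1" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' | sort -n | uniq
}

# Run Suricata in test mode against ONE rules file (-S makes it the exclusive
# ruleset, ignoring rule-files: in suricata.yaml), capture its output, and
# report the counts plus the SIDs that failed.
# $1: suricata.yaml   $2: rules file (e.g. the VRT snort.rules)
test_ruleset() {
    tmp=$(mktemp -d) || return 1
    # -v raises the console log level so the Info-level summary line is printed;
    # -l keeps any log files Suricata creates out of the production log dir.
    suricata -T -c "$1" -S "$2" -l "$tmp" -v >"$tmp/test.out" 2>&1
    summarize_rule_load "$tmp/test.out"
    failed_sids "$tmp/test.out"
    rm -rf "$tmp"
}

# Constructed sample of the two line formats the parsers above rely on
# (not output from a real run); used only to exercise the functions offline.
sample_log() {
    cat <<'EOF'
7/2/2016 -- 17:41:15 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule one"; sid:38561; rev:1;)" from file /etc/suricata/rules/snort.rules at line 40
7/2/2016 -- 17:41:15 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed rule two"; sid:29453; rev:2;)" from file /etc/suricata/rules/snort.rules at line 17
7/2/2016 -- 17:41:16 - <Info> - 1 rule files processed. 8123 rules successfully loaded, 2 rules failed
EOF
}

# Usage: sh check_rules.sh /etc/suricata/suricata.yaml /etc/suricata/rules/snort.rules
if [ "$#" -eq 2 ]; then
    test_ruleset "$1" "$2"
fi
```

Comparing the failed SIDs against the VRT rule files tells you which coverage is actually lost rather than an abstract count. On the pcap question: in suricata.yaml's `outputs:` section, `pcap-log` with `enabled: yes` is full packet capture (every packet Suricata sees, not only the ones that alerted), while the `eve-log` `alert` type has `payload: yes` and `packet: yes` options that embed the alerting payload and packet, base64-encoded, inside the eve.json alert record, which is often enough for alert triage without enabling pcap-log.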


More information about the Oisf-users mailing list