[Oisf-users] Alternatives to ET Pro?

Will Metcalf william.metcalf at gmail.com
Tue Feb 9 16:41:16 UTC 2016


I'm sorry that you feel our rule quality has declined. We test rules for
perf/fp's before they go out each day on a live sensor network and with a
collection of QA pcaps. That said the straight poop is every network is a
snowflake and determining performance impact of a rule in a specific
network without a feedback loop is impossible, it's an educated guess at
best. As a PRO customer you are more than welcome to open a support ticket.
With additional info about your environment we can help try to tune the
rule with you. Alternatively you can simply disable it, or look at using
Lua to detect a multi-byte encoded xor'd executable although I doubt this
will be any cheaper perf-wise. Additionally I would be wary of relying on
suri rule perf stats outside of single threaded mode during short runs to
sample rule perf. In my experience they tend to be unreliable even with the
same rules/networks across runs. Victor can correct me if I'm wrong but
afaik they are unreliable in these modes as they include lock wait time
which should level out over long runs. BTW we have no plans to raise
prices that I'm aware of :).

Regards,

Will

On Tue, Feb 9, 2016 at 9:36 AM, Brandon Lattin <latt0050 at umn.edu> wrote:

> I'm sure some of you are aware that Proofpoint has acquired Emerging
> Threats.
>
> We've seen a decline (perhaps anecdotal) in rule quality - to the tune of
> a single new rule (2815810) taking 49% of total CPU time. Additionally, it
> would appear they are planning on raising prices.
>
> I'm curious if anyone is using an alternative to the ET Pro set.
>
> Thanks!
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>
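The reply mentions using Lua to catch a multi-byte XOR'd executable and predicts it will not be cheaper than the content rule being complained about. The script below is an added example written for this page; it is not an ET/Proofpoint rule, not the rule 2815810 under discussion, and not part of the original thread. It uses the Suricata detection-script API (`init` requesting the payload buffer, `match` returning 1 or 0) and takes the known-plaintext approach: nearly every PE carries the DOS-stub string "This program cannot be run in DOS mode", so at every payload offset it XORs that string against the bytes found there, derives the candidate key stream, and fires only if that stream repeats with a period of 1..8 bytes (an all-zero key is a plain PE and is left to ordinary content rules). The script name `xor_pe.lua`, the sid, the rule line in the header comment, the 8-byte key ceiling, and the self-test guard (`arg` is set when run from the command line, not when Suricata loads the script) are all assumptions for the example. The recovered key comes back rotated by the offset of the stub string inside the file, which is why the self-check compares rotations rather than the exact key. The nested loop over every offset times the 38-byte string times up to 8 periods is the cost the reply warns about.

```lua
-- xor_pe.lua: added example of a Suricata Lua detection script (not an ET rule).
-- Fires when the payload contains a PE whose bytes were XOR-encoded with a
-- repeating key of 1..MAX_KEY bytes, found by known-plaintext recovery of the key.
--
-- Hypothetical rule (sid chosen for the example; `luajit:` on older builds):
--   alert tcp any any -> any any (msg:"XOR-encoded PE, periodic key"; \
--     flow:established; lua:xor_pe.lua; sid:9000001; rev:1;)

local KNOWN   = "This program cannot be run in DOS mode"   -- DOS-stub text in nearly every PE
local MAX_KEY = 8                                          -- assumed longest key we try to recover

-- Portable 8-bit XOR: works on plain Lua 5.1 and LuaJIT without the bit library.
local function bxor8(a, b)
  local r, m = 0, 1
  for _ = 1, 8 do
    if a % 2 ~= b % 2 then r = r + m end
    a, b, m = math.floor(a / 2), math.floor(b / 2), m * 2
  end
  return r
end

-- Derive the key stream at offset `pos` assuming KNOWN is the plaintext there,
-- then return the shortest repeating key (length <= MAX_KEY) that explains it, or nil.
local function periodic_key_at(payload, pos)
  local n = #KNOWN
  if pos + n - 1 > #payload then return nil end
  local ks = {}
  for j = 1, n do
    ks[j] = bxor8(payload:byte(pos + j - 1), KNOWN:byte(j))
  end
  for k = 1, MAX_KEY do
    local periodic = true
    for j = 1, n - k do
      if ks[j] ~= ks[j + k] then periodic = false; break end
    end
    if periodic then
      local key = {}
      for j = 1, k do key[j] = string.char(ks[j]) end
      return table.concat(key)
    end
  end
  return nil
end

-- Scan every offset. Cost is O(#payload * #KNOWN * MAX_KEY) per buffer, which is
-- why this is unlikely to be cheaper than a well-tuned content rule.
-- Returns (offset, key) on a hit, or (nil, nil).
function find_xor_pe(payload)
  if not payload then return nil, nil end
  for pos = 1, #payload - #KNOWN + 1 do
    local key = periodic_key_at(payload, pos)
    -- all-zero key == unencoded PE: leave that to ordinary content rules
    if key and key ~= string.rep("\0", #key) then
      return pos, key
    end
  end
  return nil, nil
end

-- Suricata entry points.
function init(args)
  local needs = {}
  needs["payload"] = tostring(true)
  return needs
end

function match(args)
  local pos = find_xor_pe(args["payload"])
  if pos then return 1 end
  return 0
end

-- Stand-alone self-check: runs only under `lua xor_pe.lua` (Suricata does not set `arg`).
if arg and arg[0] then
  local function xor_encode(s, key)
    local out = {}
    for i = 1, #s do
      out[i] = string.char(bxor8(s:byte(i), key:byte((i - 1) % #key + 1)))
    end
    return table.concat(out)
  end
  -- constructed sample: a request line, then a minimal MZ header plus the DOS
  -- stub string, all XOR-encoded with the 3-byte key 5a a5 37
  local key3   = "\90\165\55"
  local sample = "GET /x HTTP/1.0\r\n\r\n" .. xor_encode("MZ\144\0\3" .. KNOWN .. "\r\r\n$", key3)
  local pos, key = find_xor_pe(sample)
  -- the key is recovered rotated by the stub's offset inside the file, so compare rotations
  assert(pos and #key == 3 and (key .. key):find(key3, 1, true), "expected to recover a rotation of the 3-byte key")
  assert(find_xor_pe("plain text without an executable") == nil, "expected no hit on plain text")
  print(("recovered key %q at payload offset %d"):format(key, pos))
end
```

Run `lua xor_pe.lua` (or `luajit xor_pe.lua`) to exercise the self-check; drop the file into the script directory configured for the `lua` keyword and reference it from a rule to use it on a sensor. Before deploying, test it the way the reply describes: in single-threaded mode over a long run against the QA pcaps, since the per-offset scan will dominate rule profiling on any stream that is large and mostly non-executable.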

