[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Wed Oct 3 21:06:26 UTC 2018


Hi David,

Yes, the Snort, Suri and Bro sensors all get the exact same traffic
mirrored through Gigamon ports.
All of them run in IDS mode, hence they don't do any shunting of traffic
themselves.
All blacklisted IPs' traffic gets blocked on the border and doesn't even reach
the Gigamon ports.

Also, the variables (HOME_NET, EXTERNAL_NET) are set correctly in the suricata
conf; I have compared the snort conf and suri conf multiple times to find
anything, but they seem to be correct.

Also, I confirmed that there was no capture loss in suri during the time
when the snort alerts triggered. So even capture loss is out of the picture.

I will keep looking into possible causes, but I am inclined towards assuming
that Suricata's application-level decoding and rules based on app
protocol detection could be something that I should look more into. I will
update if I find anything.

Thanks,
Fatema.
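Added example for this thread (not code from Fatema's message, nor from the Snort or Suricata projects): a small Python script that does the two checks discussed above mechanically. It parses Snort "fast" alert lines and Suricata EVE JSON, keys each alert on rule id plus 5-tuple, reports which alerts fired on only one sensor, and reads Suricata's cumulative capture.kernel_drops counter from the EVE "stats" events so that capture loss can be ruled in or out for the same window. The sample log lines embedded in the script are constructed, not real sensor output, and the SIDs in them are only illustrative.

```python
"""Cross-check Snort and Suricata alert output from sensors that see the
same mirrored traffic, and read Suricata's own capture-drop counter.

Added example for this thread (not code from the original post). It assumes
Snort "fast" alert lines and Suricata EVE JSON (event_type "alert" and
"stats"); the sample lines embedded below are constructed, not real sensor
output, and the SIDs are only illustrative.
"""
import json
import re
from collections import namedtuple

# Snort fast.log line layout assumed here (ICMP lines without ports are skipped):
# 10/03-21:05:01.000001  [**] [1:2100498:7] msg [**] [Classification: ...] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:45678
SNORT_FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+.*?\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)"
)

# Key used to decide that two sensors fired "the same" alert: rule id plus 5-tuple.
Alert = namedtuple("Alert", "gid sid proto src sport dst dport")


def parse_snort_fast(lines):
    """Return the set of Alert keys found in Snort fast-format lines."""
    alerts = set()
    for line in lines:
        m = SNORT_FAST_RE.search(line)
        if m:
            alerts.add(Alert(int(m["gid"]), int(m["sid"]), m["proto"].upper(),
                             m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return alerts


def parse_suricata_eve(lines):
    """Return (alerts, kernel_drops) from EVE JSON lines.

    kernel_drops is the last stats.capture.kernel_drops value seen; the
    counter is cumulative since sensor start, so a non-zero value means the
    capture method reported drops at some point before that stats event.
    """
    alerts = set()
    kernel_drops = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            alerts.add(Alert(a.get("gid", 1), a["signature_id"], ev["proto"].upper(),
                             ev["src_ip"], ev.get("src_port", 0),
                             ev["dest_ip"], ev.get("dest_port", 0)))
        elif ev.get("event_type") == "stats":
            capture = ev.get("stats", {}).get("capture", {})
            kernel_drops = capture.get("kernel_drops", kernel_drops)
    return alerts, kernel_drops


def compare_sensors(snort_lines, eve_lines):
    """Split alerts into both / snort_only / suricata_only and report drops."""
    snort = parse_snort_fast(snort_lines)
    suri, drops = parse_suricata_eve(eve_lines)
    return {
        "both": snort & suri,
        "snort_only": snort - suri,
        "suricata_only": suri - snort,
        "suricata_kernel_drops": drops,
    }


# Constructed sample data (not real sensor logs).
SNORT_FAST = """\
10/03-21:05:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:45678
10/03-21:05:02.000002  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5060 -> 192.168.1.20:5060
"""

SURICATA_EVE = """\
{"timestamp":"2018-10-03T21:05:01.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":80,"dest_ip":"192.168.1.10","dest_port":45678,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-10-03T21:05:03.000003+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":4444,"dest_ip":"192.168.1.30","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2018-10-03T21:06:00.000000+0000","event_type":"stats","stats":{"uptime":3600,"capture":{"kernel_packets":1234567,"kernel_drops":0}}}
"""

if __name__ == "__main__":
    result = compare_sensors(SNORT_FAST.splitlines(), SURICATA_EVE.splitlines())
    print("suricata kernel_drops:", result["suricata_kernel_drops"])
    for bucket in ("both", "snort_only", "suricata_only"):
        for a in sorted(result[bucket]):
            print(f"{bucket:14} {a.gid}:{a.sid} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
```

Run it against a real fast.log and eve.json from the same time window instead of the embedded samples. The key deliberately ignores timestamp and rule revision, so two sensors running different rule revisions still match on the same SID; if the "snort_only" bucket is where the interesting SIDs land, the next thing to record for each Suricata alert is its app_proto field, since a rule that keys on app-layer protocol detection will only fire in Suricata once the protocol has been recognised on that flow.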