[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Mon Sep 24 17:26:16 UTC 2018


Hi All,

I am working on getting Suricata up and running with the same rulesets as we
have for Snort.
Hence I am running Suricata with both the VRT open source free ruleset from Cisco as
well as the ET-PRO rule sets from Proofpoint, for Suricata v4.0.4.

When I start Suricata it gives some errors for around 200 VRT rules
concerning Invalid_Signature/Unknown_Keyword, which makes sense as they are
not designed to be run with Suricata. But Suricata starts up correctly and
works fine in spite of those rule errors.

My concern is that the number of unique alerts triggered in Snort is
greater than the number of unique alerts triggered in Suricata, even though both are
getting the same traffic flow. The difference is huge, i.e. 241 unique Snort
alerts compared to only 94 unique alerts in Suricata.

When I did an analysis, the difference is across both the ETPRO alerts and the VRT
alerts that are triggered. And I confirmed that the sids that are
getting triggered in Snort are also enabled in Suricata, but still there are no
Suricata alerts for those sids.

Hence, my question is: why is there this discrepancy in the alerts that get
triggered in Snort and not in Suricata, even when they both are seeing the
same traffic and have the same sids enabled?

P.S. My initial thought was that it's either because of capture loss in Suricata
(which is <0.1%), or maybe because of some of those incompatible VRT alerts
that are enabled in Suricata, and it is not able to work correctly because
of those.

Has anyone tried this kind of config before?

Thanks,
Fatema.
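One way to do the per-sid comparison the post describes, and to test the P.S. hypothesis that the Snort-only sids are the VRT rules Suricata refused to load, is to diff the alert logs of both engines and cross-reference the Snort-only sids with the rule-parse errors in suricata.log. The script below is an added example and not code from the original post or from the Suricata or Snort projects. It assumes Snort's fast.log alert format (`[**] [gid:sid:rev] msg [**]`), Suricata's EVE JSON alert records (`alert.gid`, `alert.signature_id`), and the Suricata 4.x startup error text `error parsing signature "..." from file ...`; the log lines embedded in it are constructed for illustration, not real traffic.

```python
"""
Compare the unique signatures fired by Snort and Suricata on the same
traffic, then split the Snort-only sids into "Suricata rejected the rule
at load time" and "rule loaded in Suricata but never fired".
"""
import json
import re

# Snort fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ..."
SNORT_FAST_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

# Suricata 4.x rule-load error (assumed format; check against your suricata.log):
# ... error parsing signature "<rule text>" from file <path> at line <n>
SURI_RULE_ERR_RE = re.compile(r'error parsing signature "(?P<rule>.*?)" from file', re.I)
SID_IN_RULE_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_snort_fast(text):
    """Return {(gid, sid): (msg, count)} for every alert line in a Snort fast.log."""
    seen = {}
    for line in text.splitlines():
        m = SNORT_FAST_RE.search(line)
        if not m:
            continue                      # not an alert line
        gid, sid, _rev, msg = m.groups()  # rev is ignored so ruleset revs may differ
        key = (int(gid), int(sid))
        seen[key] = (msg, seen.get(key, ("", 0))[1] + 1)
    return seen


def parse_suricata_eve(text):
    """Return {(gid, sid): (msg, count)} for event_type=alert records in eve.json."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue                      # flow/http/dns records are skipped
        a = ev["alert"]
        key = (int(a.get("gid", 1)), int(a["signature_id"]))
        seen[key] = (a.get("signature", ""), seen.get(key, ("", 0))[1] + 1)
    return seen


def failed_sids_from_suricata_log(text):
    """Return the set of sids whose rules Suricata reported it could not parse."""
    failed = set()
    for line in text.splitlines():
        m = SURI_RULE_ERR_RE.search(line)
        if m:
            s = SID_IN_RULE_RE.search(m.group("rule"))
            if s:
                failed.add(int(s.group(1)))
    return failed


def compare_alerts(snort, suri, failed_sids=frozenset()):
    """Classify (gid, sid) keys by which engine fired them; Snort-only keys are
    further split by whether Suricata rejected that rule at startup."""
    snort_keys, suri_keys = set(snort), set(suri)
    snort_only = snort_keys - suri_keys
    return {
        "both": sorted(snort_keys & suri_keys),
        "suricata_only": sorted(suri_keys - snort_keys),
        "snort_only_rule_failed_to_load": sorted(k for k in snort_only if k[1] in failed_sids),
        "snort_only_rule_loaded_but_silent": sorted(k for k in snort_only if k[1] not in failed_sids),
    }


# --- Constructed sample logs (illustrative only, not captured traffic) ---
SNORT_FAST_LOG = """\
09/24-10:01:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
09/24-10:01:03.000001  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:51235 -> 10.0.0.5:80
09/24-10:01:04.000002  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:51236 -> 10.0.0.5:80
09/24-10:01:05.000003  [**] [1:1000002:1] LOCAL test rule B [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:51237 -> 10.0.0.5:80
09/24-10:01:06.000004  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51238
"""

SURICATA_EVE_JSON = """\
{"timestamp":"2018-09-24T10:01:02.123456+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-09-24T10:01:03.000001+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"timestamp":"2018-09-24T10:01:05.000003+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL test rule B","category":"Misc activity","severity":3}}
{"timestamp":"2018-09-24T10:01:07.000005+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,"signature":"LOCAL test rule C","category":"Misc activity","severity":3}}
"""

SURICATA_LOG = """\
24/9/2018 -- 10:00:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"LOCAL test rule A"; content:"test-a"; sid:1000001; rev:1;)" from file /etc/suricata/rules/local.rules at line 3
24/9/2018 -- 10:00:01 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
"""


def run_demo():
    """Run the comparison over the constructed sample logs and return the report."""
    snort = parse_snort_fast(SNORT_FAST_LOG)
    suri = parse_suricata_eve(SURICATA_EVE_JSON)
    failed = failed_sids_from_suricata_log(SURICATA_LOG)
    return compare_alerts(snort, suri, failed)


if __name__ == "__main__":
    for bucket, keys in run_demo().items():
        print(f"{bucket}: {', '.join(f'{g}:{s}' for g, s in keys) or '-'}")
```

Point `parse_snort_fast`, `parse_suricata_eve` and `failed_sids_from_suricata_log` at the real fast.log, eve.json and suricata.log from the same capture window. Sids that land in `snort_only_rule_loaded_but_silent` are the ones worth digging into, since a rule that Suricata loaded and still never fired cannot be explained by the parse errors at startup.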