[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Mon Sep 24 18:17:23 UTC 2018


Hi Albert,

I am running Suricata in IDS mode.

Thanks,
Fatema.

On Mon, Sep 24, 2018 at 2:11 PM Albert E Whale <
Albert.Whale at it-security-inc.com> wrote:

> Hi Fatema,
>
> I’m curious, are you running Suricata in IDS or IPS mode?
>
> I am experiencing significant issues with IPS on a small home office
> environment.
>
> Sent from my iPhone
>
> > On Sep 24, 2018, at 1:26 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Hi All,
> >
> > I am working on getting Suricata up and running with the same rulesets as we
> have for snort.
> > Hence running Suricata with both the VRT open source free ruleset from Cisco
> as well as with ET-PRO rule sets from Proofpoint for Suricata v4.0.4.
> >
> > When I start Suricata it gives some errors for around 200 VRT rules
> concerning Invalid_Signature/Unknown_Keyword, which makes sense as they are
> not designed to be run with Suricata. But Suricata starts up correctly and
> works fine in spite of those rule errors.
> >
> > My concern is, the number of unique alerts that get triggered in Snort
> are more than the unique alerts triggered in Suricata, even though both are
> getting same traffic flow. The difference is huge, i.e. 241 unique Snort
> alerts compared to only 94 unique alerts in Suricata.
> >
> > When I did an analysis, the difference is between ETPRO alerts as well as
> VRT alerts that are triggered in both. And I confirmed that the sids that are
> getting triggered in snort are also enabled in suricata, but still no
> suricata alerts for those sids.
> >
> > Hence, my question is why there is this discrepancy in the alerts that
> get triggered in snort and not in suricata even when they both are seeing
> the same traffic and have same sids enabled?
> >
> > P.S. My initial thought was, either it's because of capture loss in
> suricata (which is <0.1%), or maybe because of some of those incompatible
> VRT alerts that are enabled in Suricata, and it is not able to work
> correctly because of those.
> >
> > Has anyone tried this kind of config before?
> >
> > Thanks,
> > Fatema.
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
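One way to do the comparison described in the quoted post, as an added example that is not from the thread: it parses Snort fast-format alert lines and Suricata EVE JSON, builds the set of unique (gid, sid) pairs from each, and splits the Snort-only SIDs by whether Suricata refused to load them at startup. The sample alert lines, the SIDs 9000001/9000002 and the set of load-error SIDs are constructed for the example.

```python
import json
import re

# Constructed sample data (not from the thread): Snort "fast" alert lines and
# Suricata EVE records for the same traffic. Two Snort lines share one SID so
# the unique-SID count shows de-duplication.
SNORT_FAST = """\
09/24-13:26:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51422
09/24-13:26:02.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51423
09/24-13:26:03.000003  [**] [1:9000001:3] EXAMPLE VRT rule using a Snort-only keyword [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:443 -> 10.0.0.9:51424
09/24-13:26:04.000004  [**] [1:9000002:1] EXAMPLE rule that fired in Snort only [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.7:53 -> 10.0.0.9:51425
"""
EVE_JSON = """\
{"timestamp":"2018-09-24T13:26:01.000001+0000","event_type":"alert","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2018-09-24T13:26:05.000005+0000","event_type":"flow"}
"""
# Constructed: SIDs Suricata rejected at startup (taken from its rule-parse errors).
SURICATA_LOAD_ERRORS = {9000001}

# Matches the "[**] [gid:sid:rev]" header of a Snort fast-format alert line.
SNORT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")

def snort_sids(text):
    """Return the set of (gid, sid) pairs seen in Snort fast-alert lines."""
    return {(int(g), int(s)) for g, s, _ in SNORT_RE.findall(text)}

def suricata_sids(text):
    """Return the set of (gid, sid) pairs from EVE 'alert' records; other event types are skipped."""
    out = set()
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                out.add((rec["alert"].get("gid", 1), rec["alert"]["signature_id"]))
    return out

def compare(snort_text, eve_text, load_errors):
    """Split Snort-only SIDs into those Suricata never loaded and those it loaded but never fired."""
    snort, suri = snort_sids(snort_text), suricata_sids(eve_text)
    snort_only = snort - suri
    not_loaded = {p for p in snort_only if p[1] in load_errors}
    return {
        "snort_unique": len(snort),
        "suricata_unique": len(suri),
        "both": sorted(snort & suri),
        "snort_only_not_loaded": sorted(not_loaded),   # explained by rule-load errors
        "snort_only_loaded": sorted(snort_only - not_loaded),  # the ones worth investigating
    }

if __name__ == "__main__":
    for key, val in compare(SNORT_FAST, EVE_JSON, SURICATA_LOAD_ERRORS).items():
        print(f"{key}: {val}")
```

The SIDs in `snort_only_loaded` are the interesting ones: they were accepted by Suricata and saw the same traffic, so capture loss or engine differences, not rule-parse failures, would have to explain them.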