[Oisf-users] Discrepancies in Snort and Suricata alerts

Albert Whale Albert.Whale at IT-Security-inc.com
Mon Sep 24 19:39:08 UTC 2018


So what happens if you start Suricata in IPS Mode?


On 9/24/18 2:17 PM, fatema bannatwala wrote:
> Hi Albert,
>
> I am running Suricata in IDS mode.
>
> Thanks,
> Fatema.
>
> On Mon, Sep 24, 2018 at 2:11 PM Albert E Whale 
> <Albert.Whale at it-security-inc.com 
> <mailto:Albert.Whale at it-security-inc.com>> wrote:
>
>     Hi Fatema,
>
>     I’m curious, are you running Suricata in IDS or IPS mode?
>
>     I am experiencing significant issues with IPS on a small home
>     office environment.
>
>     Sent from my iPhone
>
>     > On Sep 24, 2018, at 1:26 PM, fatema bannatwala
>     > <fatema.bannatwala at gmail.com <mailto:fatema.bannatwala at gmail.com>>
>     > wrote:
>     >
>     > Hi All,
>     >
>     > I am working on getting Suricata up and running with the same
>     > rulesets as we have for Snort.
>     > Hence I am running Suricata with both the VRT open source free ruleset
>     > from Cisco as well as the ET-PRO rule sets from Proofpoint, for
>     > Suricata v4.0.4.
>     >
>     > When I start Suricata it gives some errors for around 200 VRT
>     > rules concerning Invalid_Signature/Unknown_Keyword, which makes
>     > sense as they are not designed to be run with Suricata. But
>     > Suricata starts up correctly and works fine in spite of those rule
>     > errors.
>     >
>     > My concern is, the number of unique alerts that get triggered in
>     > Snort is higher than the number of unique alerts triggered in Suricata, even
>     > though both are getting the same traffic flow. The difference is huge,
>     > i.e. 241 unique Snort alerts compared to only 94 unique alerts in
>     > Suricata.
>     >
>     > When I did an analysis, the difference is between ETPRO alerts as
>     > well as VRT alerts that are triggered in both. And I confirmed that
>     > the sids that are getting triggered in Snort are also enabled in
>     > Suricata, but still there are no Suricata alerts for those sids.
>     >
>     > Hence, my question is why there is this discrepancy in the
>     > alerts that get triggered in Snort and not in Suricata even when
>     > they both are seeing the same traffic and have the same sids enabled?
>     >
>     > P.S. My initial thought was, either it's because of capture loss
>     > in Suricata (which is <0.1%), or maybe because of some of those
>     > incompatible VRT alerts that are enabled in Suricata, and it is
>     > not able to work correctly because of those.
>     >
>     > Has anyone tried this kind of config before?
>     >
>     > Thanks,
>     > Fatema.
>     >
>     >
>     > _______________________________________________
>     > Suricata IDS Users mailing list:
>     > oisf-users at openinfosecfoundation.org
>     > <mailto:oisf-users at openinfosecfoundation.org>
>     > Site: http://suricata-ids.org | Support:
>     > http://suricata-ids.org/support/
>     > List:
>     > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     >
>     > Conference: https://suricon.net
>     > Trainings: https://suricata-ids.org/training/
>

-- 

Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Security Officer*
IT Security, Inc. <http://www.IT-Security-inc.com> - A Service Disabled 
Veteran Owned Company - (*SDVOSB*)
*HUBZone Certified*
LinkedIn <https://www.linkedin.com/in/albertwhale> Profile


Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
Cell: 412-889-6870
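The sid comparison Fatema describes, written out as an added example that is not part of this thread: it counts alerts per sid in Snort "fast" output and in Suricata eve.json, pulls the sids Suricata rejected at startup out of its log, and splits the sids that fire only in Snort into "rejected at load" versus "loaded but silent" (the latter being the ones worth chasing). The alert lines, eve records and error line are constructed samples, and the startup error line is assumed to quote the rule text including its sid.

```python
import json
import re
from collections import Counter

# Constructed sample data (not from the thread): Snort fast-format alerts,
# Suricata eve.json records, and a Suricata startup error line.
SNORT_FAST = """\
09/24-13:20:01.000001  [**] [1:2024897:3] ET PRO EXAMPLE A [**] [Classification: Misc] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
09/24-13:20:02.000001  [**] [1:2024897:3] ET PRO EXAMPLE A [**] [Classification: Misc] [Priority: 2] {TCP} 10.0.0.5:4445 -> 10.0.0.9:80
09/24-13:20:03.000001  [**] [1:45000:2] VRT EXAMPLE B [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.6:1234 -> 10.0.0.9:443
09/24-13:20:04.000001  [**] [1:2100498:7] GPL EXAMPLE C [**] [Classification: Misc] [Priority: 1] {UDP} 10.0.0.7:53 -> 10.0.0.9:53
"""
SURICATA_EVE = """\
{"timestamp":"2018-09-24T13:20:01.000001+0000","event_type":"alert","alert":{"gid":1,"signature_id":2024897,"rev":3,"signature":"ET PRO EXAMPLE A"}}
{"timestamp":"2018-09-24T13:20:05.000001+0000","event_type":"flow","flow":{}}
"""
# Assumed startup error format: the rejected rule text (with its sid) is quoted.
SURICATA_STARTUP_ERRORS = """\
24/9/2018 -- 13:19:58 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 443 (msg:\\"VRT EXAMPLE B\\"; sid:45000; rev:2;)" from file snort.rules at line 12
"""

SNORT_SID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")   # [**] [gid:sid:rev]
ERR_SID_RE = re.compile(r"\bsid:\s*(\d+)")

def snort_sids(text):
    """Alert count per sid from Snort 'fast' output."""
    return Counter(int(m.group(2)) for m in SNORT_SID_RE.finditer(text))

def suricata_sids(text):
    """Alert count per sid from Suricata eve.json, ignoring non-alert events."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature_id"]] += 1
    return counts

def failed_to_load(text):
    """Sids Suricata rejected at startup (Invalid_Signature / Unknown_Keyword)."""
    return {int(m.group(1)) for m in ERR_SID_RE.finditer(text)}

def classify_gap(snort, suri, rejected):
    """Sids firing in Snort but not Suricata: rejected at load vs. loaded but silent."""
    missing = set(snort) - set(suri)
    return {"rejected": sorted(missing & rejected), "silent": sorted(missing - rejected)}

def analyse():
    return classify_gap(snort_sids(SNORT_FAST), suricata_sids(SURICATA_EVE),
                        failed_to_load(SURICATA_STARTUP_ERRORS))
```

In the constructed sample, sid 45000 is explained by the load failure, while sid 2100498 loaded yet never fired, which is the category that points at a real engine difference rather than an incompatible rule.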
