[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Mon Sep 24 20:18:07 UTC 2018


Hmm, don't want to start Suricata in IPS mode, as it's configured to sniff
traffic through a tap and should really be running as an IDS.
Not sure if the triggering of alerts would depend on mode though, but I
might be wrong..

On Mon, Sep 24, 2018 at 3:41 PM Albert Whale <
Albert.Whale at it-security-inc.com> wrote:

> So what happens if you start Suricata in IPS Mode?
>
> On 9/24/18 2:17 PM, fatema bannatwala wrote:
>
> Hi Albert,
>
> I am running Suricata in IDS mode.
>
> Thanks,
> Fatema.
>
> On Mon, Sep 24, 2018 at 2:11 PM Albert E Whale <
> Albert.Whale at it-security-inc.com> wrote:
>
>> Hi Fatema,
>>
>> I'm curious, are you running Suricata in IDS or IPS mode?
>>
>> I am experiencing significant issues with IPS on a small home office
>> environment.
>>
>> Sent from my iPhone
>>
>> > On Sep 24, 2018, at 1:26 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>> >
>> > Hi All,
>> >
>> > I am working on getting Suricata up and running with same rulesets as
>> we have for snort.
>> > Hence running Suricata with both the VRT open source free ruleset from
>> Cisco as well as the ET-PRO rule sets from Proofpoint for Suricata v4.0.4.
>> >
>> > When I start Suricata it gives some errors for around 200 VRT rules
>> concerning Invalid_Signature/Unknown_Keyword, which makes sense as they are
>> not designed to be run with Suricata. But Suricata starts up correctly and
>> works fine in spite of those rule errors.
>> >
>> > My concern is, the number of unique alerts that get triggered in Snort
>> are more than the unique alerts triggered in Suricata, even though both are
>> getting same traffic flow. The difference is huge, i.e. 241 unique Snort
>> alerts compared to only 94 unique alerts in Suricata.
>> >
>> > When I did an analysis, the difference is between ETPRO alerts as well as
>> VRT alerts that are triggered in both. And confirmed that the sids that are
>> getting triggered in snort are also enabled in suricata, but still no
>> suricata alerts for those sids.
>> >
>> > Hence, my question is why there is this discrepancy in the alerts that
>> get triggered in snort and not in suricata even when they both are seeing
>> the same traffic and have same sids enabled?
>> >
>> > P.S. My initial thought was, either it's because of capture loss in
>> suricata (which is <0.1%), or maybe because of some of those incompatible
>> VRT alerts that are enabled in Suricata, and it is not able to work
>> correctly because of those.
>> >
>> > Has anyone tried this kind of config before?
>> >
>> > Thanks,
>> > Fatema.
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> > List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>> > Conference: https://suricon.net
>> > Trainings: https://suricata-ids.org/training/
>>
>>
> --
> --
>
> Albert E. Whale, CEH CHS CISA CISSP
> *President - Chief Security Officer*
> IT Security, Inc. <http://www.IT-Security-inc.com> - A Service Disabled
> Veteran Owned Company - (*SDVOSB*)
> *HUBZone Certified*
> LinkedIn <https://www.linkedin.com/in/albertwhale> Profile
>
>
> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
> Cell: 412-889-6870
>
>
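The comparison Fatema describes (sids that fire in Snort but not in Suricata even though both engines see the same traffic) can be narrowed down mechanically before anyone reads packet captures. The script below is an added example and is not code from the thread or from the Suricata or Snort projects. It assumes three inputs: Snort's fast-format alert log (`[**] [gid:sid:rev] msg [**]`), Suricata's eve.json alert events (`"event_type":"alert"` with `alert.signature_id`), the Suricata-side rules file, and Suricata's startup log in which rejected rules appear in `error parsing signature "..."` lines; the sample log lines, rule lines and sids 9000001-9000006 are constructed for the example. It splits the "Snort-only" sids into three buckets: rules Suricata refused to load (the Invalid_Signature/Unknown_Keyword errors from the first message), rules that are disabled on the Suricata side, and the remainder, which is the set that actually needs investigation (capture loss, engine differences, rule semantics).

```python
"""Separate explained from unexplained Snort-vs-Suricata alert gaps by sid.

Added example (not from the mailing-list thread); log/rule formats are
assumed from the documented Snort fast log and Suricata eve.json layouts,
and all sample data below is constructed.
"""
import json
import re
from typing import Dict, Set

# Snort fast alert prefix: "[**] [gid:sid:rev] message [**]"
SNORT_FAST_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")
# "sid:NNN;" option inside a rule body (also present in Suricata's quoted error text)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def snort_fired_sids(fast_log: str) -> Set[int]:
    """Unique sids (gid 1 only) seen in Snort fast-format alert lines."""
    sids: Set[int] = set()
    for line in fast_log.splitlines():
        m = SNORT_FAST_RE.search(line)
        if m and m.group(1) == "1":
            sids.add(int(m.group(2)))
    return sids


def suricata_fired_sids(eve_json: str) -> Set[int]:
    """Unique sids (gid 1 only) from Suricata eve.json 'alert' events."""
    sids: Set[int] = set()
    for line in eve_json.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/http/dns events carry no signature_id
        alert = ev.get("alert", {})
        if alert.get("gid", 1) == 1 and "signature_id" in alert:
            sids.add(int(alert["signature_id"]))
    return sids


def enabled_sids(rules_text: str) -> Set[int]:
    """sids of rules that are active (not commented out) in a rules file."""
    sids: Set[int] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def failed_sids(suricata_log: str) -> Set[int]:
    """sids Suricata rejected at startup, read from the signature text it quotes."""
    sids: Set[int] = set()
    for line in suricata_log.splitlines():
        if "error parsing signature" in line:
            m = SID_RE.search(line)
            if m:
                sids.add(int(m.group(1)))
    return sids


def compare(snort: Set[int], suri: Set[int], suri_enabled: Set[int],
            suri_failed: Set[int]) -> Dict[str, Set[int]]:
    """Bucket sids so that only the genuinely unexplained gap remains."""
    only_snort = snort - suri
    loadable = suri_enabled - suri_failed  # enabled AND accepted by Suricata
    return {
        "both": snort & suri,
        "only_suricata": suri - snort,
        "snort_only_not_loaded": only_snort & suri_failed,
        "snort_only_disabled": only_snort - suri_failed - suri_enabled,
        "snort_only_unexplained": only_snort & loadable,
    }


# ---- constructed sample inputs (placeholder sids, not real rules) ----
SNORT_FAST = """\
09/24-13:20:01.000001  [**] [1:9000001:7] EXAMPLE A [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:51000
09/24-13:20:02.000001  [**] [1:9000002:1] EXAMPLE B [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51001
09/24-13:20:03.000001  [**] [1:9000003:1] EXAMPLE C [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51002
09/24-13:20:04.000001  [**] [1:9000004:1] EXAMPLE D [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51003
09/24-13:20:05.000001  [**] [1:9000005:1] EXAMPLE E [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51004
"""
SURI_EVE = """\
{"timestamp":"2018-09-24T13:20:01.000001+0000","event_type":"alert","alert":{"gid":1,"signature_id":9000001,"rev":7,"signature":"EXAMPLE A"}}
{"timestamp":"2018-09-24T13:20:01.500000+0000","event_type":"flow","flow":{"pkts_toserver":3}}
{"timestamp":"2018-09-24T13:20:05.000001+0000","event_type":"alert","alert":{"gid":1,"signature_id":9000005,"rev":1,"signature":"EXAMPLE E"}}
{"timestamp":"2018-09-24T13:20:06.000001+0000","event_type":"alert","alert":{"gid":1,"signature_id":9000006,"rev":1,"signature":"EXAMPLE F"}}
"""
SURI_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE A"; content:"a"; sid:9000001; rev:7;)
alert tcp any any -> any 80 (msg:"EXAMPLE B"; content:"b"; sid:9000002; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE C"; content:"c"; sid:9000003; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE D"; bogus_keyword:x; sid:9000004; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE E"; content:"e"; sid:9000005; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE F"; content:"f"; sid:9000006; rev:1;)
"""
SURI_LOG = """\
24/9/2018 -- 13:19:55 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 80 (msg:"EXAMPLE D"; bogus_keyword:x; sid:9000004; rev:1;)" from file snort.rules at line 4
"""


def run_example() -> Dict[str, Set[int]]:
    return compare(snort_fired_sids(SNORT_FAST), suricata_fired_sids(SURI_EVE),
                   enabled_sids(SURI_RULES), failed_sids(SURI_LOG))


if __name__ == "__main__":
    for bucket, sids in run_example().items():
        print(f"{bucket:24s} {sorted(sids)}")
```

Feed it the real files by replacing the constants with `open(...).read()`; on a live deployment the interesting number is the size of `snort_only_unexplained` relative to the 241-vs-94 gap, since everything in the other two Snort-only buckets is already accounted for by rules Suricata never ran.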