[Oisf-users] Discrepancies in Snort and Suricata alerts
Michael Shirk
shirkdog.bsd at gmail.com
Mon Sep 24 20:28:59 UTC 2018
The issue is that the engines are different, so Snort signatures from
VRT/Talos, even ET-Pro written for the Snort detection engine are only
tested with Snort. There was a good presentation by Dave Wharton at
SuriCon 2016 about the subtle differences that can cause signatures
written for either engine to not work in the other. Digging into the
specifics of a signature that works in Snort but does not work in
Suricata may highlight a similar issue.
At least from what I have seen, similar to the issue you had with
pulledpork using a Snort signature set with a Suricata signature set,
I believe the user base selects one detection engine over the other.
The community will send emails with new detections that can end up in
the emerging threats signatures, as well as the community based Snort
rules, but specific to one of the engines.
On Mon, Sep 24, 2018 at 4:18 PM fatema bannatwala
<fatema.bannatwala at gmail.com> wrote:
>
> Hmm, don't want to start Suricata in IPS mode, as it's configured to sniff traffic through a tap and should really be running as an IDS.
> Not sure if the triggering of alerts would depend on mode though, but I might be wrong..
>
> On Mon, Sep 24, 2018 at 3:41 PM Albert Whale <Albert.Whale at it-security-inc.com> wrote:
>>
>> So what happens if you start Suricata in IPS Mode?
>>
>>
>> On 9/24/18 2:17 PM, fatema bannatwala wrote:
>>
>> Hi Albert,
>>
>> I am running Suricata in IDS mode.
>>
>> Thanks,
>> Fatema.
>>
>> On Mon, Sep 24, 2018 at 2:11 PM Albert E Whale <Albert.Whale at it-security-inc.com> wrote:
>>>
>>> Hi Fatema,
>>>
>>> I’m curious, are running Suricata in IDS or IPS mode?
>>>
>>> I am experiencing significant issues with IPS on a small home office environment.
>>>
>>> Sent from my iPhone
>>>
>>> > On Sep 24, 2018, at 1:26 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>>> >
>>> > Hi All,
>>> >
>>> > I am working on getting Suricata up and running with same rulesets as we have for snort.
>>> > Hence running Suricata with both VRT open source free ruleset from Cisco as well as with ET-PRO rule sets from Proofpoint for suricatav4.0.4.
>>> >
>>> > When I start Suricata it gives some errors for around 200 VRT rules concerning Invalid_Signature/Unknown_Keyword, which make sense as they are not designed to be run with Suricata. But Suricata starts up correctly and works fine inspite of those rule errors.
>>> >
>>> > My concern is, the number of unique alerts that get triggered in Snort are more than the unique alerts triggered in Suricata, even though both are getting same traffic flow. The difference is huge, i.e. 241 unique Snort alerts compared to only 94 unique alerts in Suricata.
>>> >
>>> > When did an analysis, the difference is between ETPRO alerts as well as VRT alerts that are triggered in both. And confirmed that the sids that are getting triggered in snort are also enabled in suricata, but still no suricata alerts for those sids.
>>> >
>>> > Hence, my question is why there is this discrepancy in the alerts that get triggered in snort and not in suricata even when they both are seeing the same traffic and have same sids enabled?
>>> >
>>> > P.S My initial thought was, either it's because of capture loss in suricata (which is <0.1%), or maybe because of some of those incompatible VRT alerts that are enabled in Suricata, and it is not able to work correctly because of those.
>>> >
>>> > Has anyone tried this kind on config before?
>>> >
>>> > Thanks,
>>> > Fatema.
>>> >
>>> >
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >
>>> > Conference: https://suricon.net
>>> > Trainings: https://suricata-ids.org/training/
>>>
>>
>> --
>> --
>>
>> Albert E. Whale, CEH CHS CISA CISSP
>> President - Chief Security Officer
>> IT Security, Inc. - A Service Disabled Veteran Owned Company - (SDVOSB)
>> HUBZone Certified
>> LinkedIn Profile
>>
>>
>> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
More information about the Oisf-users
mailing list