[Oisf-users] Anomaly-based vs Rule-based NIDS

Tiago Faria tiago.faria.backups at gmail.com
Wed Mar 4 19:11:06 UTC 2020

Olá Lucas,

Suricata has event_type:anomaly. Quoting from the docs:

"Events with type “anomaly” report unexpected conditions such as truncated
packets, packets with invalid values, events that render the packet invalid
for further processing or unexpected behaviors."

This could be particularly useful for sinkholes, for example. Is this the
type of detection you are looking for?


On Wed, Mar 4, 2020 at 7:02 PM Lucas Augusto Mota de Alcantara <
lama2 at cin.ufpe.br> wrote:

> Hello everyone. I'd like to know if there's any available data or piece of
> information about the popularity of Rule-Based NIDS in comparison with
> Anomaly-Based NIDS in the market.
> Does Suricata have any kind of anomaly-based detection tool or it only
> works with signatures?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200304/5baedfb4/attachment.html>

More information about the Oisf-users mailing list