[Oisf-users] Anomaly-based vs Rule-based NIDS

Cooper F. Nelson cnelson at ucsd.edu
Wed Mar 4 19:37:32 UTC 2020

It depends on how you define 'anomaly' and whether or not you can 
express that in the suricata rule language.

You can write rules to detect protocol anomalies using keywords. Like 
'!tls' against TCP port 443 traffic.

There are also rulesets to detect anomalies within protocols:


I periodically discuss this in presentations, if you build a 'zero 
trust' network and define authorized servers, ports and protocols you 
can then write rules to alert against any traffic that doesn't match that.


On 3/4/2020 11:02 AM, Lucas Augusto Mota de Alcantara wrote:
> Hello everyone. I'd like to know if there's any available data or 
> piece of information about the popularity of Rule-Based NIDS in 
> comparison with Anomaly-Based NIDS in the market.
> Does Suricata have any kind of anomaly-based detection tool or it only 
> works with signatures?

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

More information about the Oisf-users mailing list