snort/bro vs suricata


piet...@gmail.com

Mar 16, 2017, 1:59:08 PM3/16/17
to security-onion
What would be entailed in switching from snort/bro to suricata? What are pros/cons?
Our shop is currently using snort/bro and were told to switch from a potential 3rd party SOC.

Wes Lambert

Mar 16, 2017, 2:53:40 PM3/16/17
to securit...@googlegroups.com

You can switch from Snort to Suricata by following the instructions here:


https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#im-currently-running-snort--how-do-i-switch-to-suricata


Keep in mind that Snort and Suricata are independent of each other, so you could still run Suricata with Bro or without it.  You could also run Bro without Suricata or Snort -- it all depends on what you are looking for.

Snort and Suricata are both signature-based and referred to as rule-driven.  This means that they use predefined rules for determining what is "good" and "bad".  From here, they generate alert data to be acted upon by analysts.

Some folks prefer Suricata for larger networks with greater amounts of traffic, however, you will want to try each one to see which works best for you.


Bro is analysis-driven and policy-neutral, therefore, it makes no decisions as to "good" vs "bad", but can apply actions and make decisions based on events that are seen--this leaves most of the decision-making up to the administrator, so that he/she can make more granular decisions that suit them.  It comes with its own powerful scripting language to help achieve this.  Bro provides very rich data in the form of different logs.  This data can be parsed and acted upon to provide greater context around events that may occur in your network. In addition, Bro can extract files from network traffic and provide them to you for later analysis, all the while submitting hashes to look for potential malware hits, etc.


Many folks run a combination of Bro + Suricata/Snort to get the best of both worlds.


You can find more information about the different types of information provided here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion

https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro

https://github.com/Security-Onion-Solutions/security-onion/wiki/Snort


Hope this helps.

Thanks,
Wes

On Mar 16, 2017 1:59 PM, <piet...@gmail.com> wrote:
What would be entailed in switching from snort/bro to suricata? What are pros/cons?
 Our shop is currently using snort/bro and were told to switch from a potential 3rd party SOC.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

piet...@gmail.com

Mar 17, 2017, 1:40:59 PM3/17/17
to security-onion
On Thursday, March 16, 2017 at 1:59:08 PM UTC-4, piet...@gmail.com wrote:
> What would be entailed in switching from snort/bro to suricata? What are pros/cons?
> Our shop is currently using snort/bro and were told to switch from a potential 3rd party SOC.

Thank you Wes! Super helpful info!

piet...@gmail.com

Mar 17, 2017, 2:12:29 PM3/17/17
to security-onion
On Thursday, March 16, 2017 at 1:59:08 PM UTC-4, piet...@gmail.com wrote:
> What would be entailed in switching from snort/bro to suricata? What are pros/cons?
> Our shop is currently using snort/bro and were told to switch from a potential 3rd party SOC.

What would be a good way to test after switching a sensor over? Anything I can check in Squert or Elsa?

Jeff H

Mar 17, 2017, 3:00:49 PM3/17/17
to securit...@googlegroups.com
Check sudo sostat to make sure everything looks good

Compare a day/week/etc. IDS alerts pre and post switch in Squert, Sguil or ELSA. As long as you're running the same rules, you should get the same results (obviously accounting for changing traffic patterns). There are some minor variances in Snort vs Suricata, but in general you should see the same alerts for the same traffic as long as you're running the same rules.

I don't run Suricata on Security Onion, so I'm not sure if eve.json is used and, if it is, how it's configured or if the logs are brought into ELSA, but there are options to do some protocol parsing. I'm sure I'm oversimplifying things, but sometimes I look at it as a sort of Bro-lite.


Wes

Mar 18, 2017, 8:06:46 AM3/18/17
to security-onion
On Friday, March 17, 2017 at 3:00:49 PM UTC-4, Jeff H wrote:
> Check sudo sostat to make sure everything looks good
>
> Compare a day/week/etc. IDS alerts pre and post switch in Squert, Sguil or ELSA. As long as you're running the same rules, you should get the same results (obviously accounting for changing traffic patterns). There are some minor variances in Snort vs Suricata, but in general you should see the same alerts for the same traffic as long as you're running the same rules.
>
>
> I don't run Suricata on Security Onion, so I'm not sure if eve.json is used and if it is how its configured or if the logs are brought into ELSA, but there are options to do some protocol parsing, I'm sure I'm over simplifying things but sometimes I look at it as a sort of Bro-lite.
>
>
> On Fri, Mar 17, 2017 at 11:12 AM, <piet...@gmail.com> wrote:
> On Thursday, March 16, 2017 at 1:59:08 PM UTC-4, piet...@gmail.com wrote:
> > What would be entailed in switching from snort/bro to suricata? What are pros/cons?
> > Our shop is currently using snort/bro and were told to switch from a potential 3rd party SOC.
>
> What would be a good way to test after switching a sensor over? Anything I can check in Squert or Elsa?

Additionally, try checking /var/log/nsm/hostname-interface/suricata.log and ensure there are no errors.

Suricata alert data should populate in ELSA, just as Snort alert data would.

You may see SURICATA-specific alerts in Sguil/Squert as well.

Thanks,
Wes
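The two checks suggested in this thread (look for errors in suricata.log, then compare alerts before and after the switch while running the same rules) can be scripted so the comparison is per signature rather than a rough eyeball of Squert. The script below is an added example written for this thread; it is not code from Security Onion or from any poster. It assumes the pre-switch alerts are in Snort's fast-alert text format and the post-switch alerts are Suricata EVE JSON records (Jeff notes above that he is unsure whether eve.json is what Security Onion uses, so treat that as an assumption about your sensor), and that suricata.log uses Suricata's `date -- time - <Level> - message` line format. All sample lines, hosts, messages and the local-range SIDs are constructed for the example.

```python
"""Post-switch sanity checks for a sensor moved from Snort to Suricata.

Added example for this thread, not Security Onion code. Checks:
  1. suricata.log contains no Error/Warning lines (constructed sample below).
  2. Per-signature alert counts before (Snort fast.log) and after (Suricata
     eve.json) the switch line up, assuming the same ruleset on both.
"""
import json
import re
from collections import Counter

# Snort/Suricata fast-alert format: "... [**] [gid:sid:rev] msg [**] ..."
FAST_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
# suricata.log format: "d/m/Y -- H:M:S - <Level> - message"
SURICATA_LOG_RE = re.compile(r"^\S+ -- \S+ - <(\w+)> - (.*)$")

# Constructed sample data (SIDs 1000001+ are local-rule placeholders).
SNORT_FAST_SAMPLE = """\
03/16/2017-10:12:01.000001  [**] [1:1000001:2] LOCAL Example beacon [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44123 -> 203.0.113.7:443
03/16/2017-10:12:05.000002  [**] [1:1000001:2] LOCAL Example beacon [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.6:44124 -> 203.0.113.7:443
03/16/2017-10:13:00.000003  [**] [1:1000002:1] LOCAL Example DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:53000 -> 10.0.0.1:53
"""

EVE_SAMPLE = """\
{"timestamp":"2017-03-17T10:12:01.000001-0400","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"gid":1,"signature_id":1000001,"rev":2,"signature":"LOCAL Example beacon","severity":2}}
{"timestamp":"2017-03-17T10:12:02.000002-0400","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}
{"timestamp":"2017-03-17T10:12:05.000003-0400","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.7","alert":{"gid":1,"signature_id":1000001,"rev":2,"signature":"LOCAL Example beacon","severity":2}}
{"timestamp":"2017-03-17T10:13:00.000004-0400","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"gid":1,"signature_id":1000003,"rev":1,"signature":"LOCAL Example new-engine-only hit","severity":3}}
"""

SURICATA_LOG_SAMPLE = """\
17/3/2017 -- 10:00:00 - <Notice> - constructed: engine starting
17/3/2017 -- 10:00:01 - <Warning> - constructed: rule at /etc/nsm/rules/downloaded.rules line 12 could not be parsed
17/3/2017 -- 10:00:02 - <Error> - constructed: could not open capture interface
17/3/2017 -- 10:00:03 - <Notice> - constructed: packet processing threads initialized, engine started
"""


def snort_fast_counts(text):
    """Count alerts per (gid, sid) in Snort fast-alert lines."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            gid, sid, _rev, _msg = m.groups()
            counts[(int(gid), int(sid))] += 1
    return counts


def eve_alert_counts(text):
    """Count alerts per (gid, sid) in EVE JSON, skipping non-alert records."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        counts[(int(a["gid"]), int(a["signature_id"]))] += 1
    return counts


def compare_counts(before, after):
    """Bucket every signature as missing (fired only before), new (only after),
    changed (both, different count) or same. Missing signatures are the ones to
    chase first: with identical rules they usually mean a rule failed to load."""
    report = {"missing": {}, "new": {}, "changed": {}, "same": {}}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, 0), after.get(key, 0)
        if b and not a:
            report["missing"][key] = (b, a)
        elif a and not b:
            report["new"][key] = (b, a)
        elif a != b:
            report["changed"][key] = (b, a)
        else:
            report["same"][key] = (b, a)
    return report


def suricata_log_problems(text, levels=("Error", "Warning")):
    """Return (level, message) for every suricata.log line at a worrying level."""
    problems = []
    for line in text.splitlines():
        m = SURICATA_LOG_RE.match(line)
        if m and m.group(1) in levels:
            problems.append((m.group(1), m.group(2)))
    return problems


if __name__ == "__main__":
    for level, msg in suricata_log_problems(SURICATA_LOG_SAMPLE):
        print(f"suricata.log {level}: {msg}")
    report = compare_counts(snort_fast_counts(SNORT_FAST_SAMPLE),
                            eve_alert_counts(EVE_SAMPLE))
    for bucket, sigs in report.items():
        for (gid, sid), (b, a) in sigs.items():
            print(f"{bucket:8} {gid}:{sid}  before={b} after={a}")
```

On a real sensor you would feed `snort_fast_counts` a day of the old fast.log and `eve_alert_counts` the matching day of eve.json, then read the `missing` bucket alongside any Warning lines about rule parsing in suricata.log; signatures that vanished together with a parse warning point at a rule Suricata rejected rather than at a traffic change.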
