Snort and suricata don't give the same amount of alerts


Pedro Marques

Oct 1, 2017, 7:27:40 AM
to security-onion
Hello,

I'm currently running tests on security onion with both snort and suricata in order to have some data to later analyse. My issue is that, whatever I do, suricata always generates considerably more alerts than snort.

I'm using tcpreplay with pcaps I could find online (most of my tests are on the first pcap in this list http://www.netresec.com/?page=MACCDC), and I'm doing so on identical virtual machines, running security onion production where the only difference between them is the IDS engine.

After multiple tests, suricata averages around 40k total alerts, while snort averages ~27k. They both generate 168 unique alert signatures that differ on 21 signatures between the IDSs, but the signatures that are specific to a single IDS don't justify the difference in total alerts as they occur in small numbers.

I've tried with other pcap files and the difference is always there, with suricata generating considerably more.

Is there something I'm missing? I've tried running snort with the best possible environment I can manage, and still I can't get the alerts to match up to those of suricata.

Wes Lambert

Oct 2, 2017, 7:01:30 AM
to securit...@googlegroups.com
Pedro,

Given that Snort and Suricata have a slightly different architecture, etc., you will not always get the same number of alerts for a given PCAP, etc.

Apart from standardized rulesets, Suricata doesn't utilize Shared Object rules or preprocessor rules like Snort. Instead, it uses several rule files for events set by the decoders, stream engine, HTTP parser, etc.

Also, in regard to the ruleset(s), the ET ruleset is more optimized for Suricata, while Snort Community/Reg/Subscriber/Talos are more optimized for Snort, so you will likely get different results when using them in different combinations, in some instances even causing the IDS to not load certain rules (Suricata will not load Shared Object rules from Talos rulesets, or Snort may die or throw warnings/errors from an ET Pro rule specifying an option which it doesn't understand).

Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Pedro Marques

Oct 2, 2017, 1:21:53 PM
to security-onion
Thanks, that would explain my problem then. Although, it leaves me with a follow-up question. I've also used CERT's SiLK toolset to analyse the flows that snort alerted on vs. the flows that suricata alerted on, and discovered that the same thing happens, with suricata alerting on considerably more flows than snort.

Wouldn't it be expected that snort and suricata alert on the same flows, just in different quantities?

Wes Lambert

Oct 2, 2017, 2:05:23 PM
to securit...@googlegroups.com
Pedro,

What gets alerted on by each really depends on which preprocs/rule files are enabled/configured, and what rulesets are being used with each. Even using the same ruleset, you can expect to sometimes have a varying amount/type of alerts generated by each.

Thanks,
Wes
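The comparison Pedro describes (unique signatures per engine, signatures that only one engine fires, and the overlap of flows alerted on) can be reproduced directly from the two engines' alert logs rather than by hand. The script below is an added example written for this thread; it is not code from the original posts, from Security Onion, or from either IDS project. It assumes both engines were run with the one-line "fast" alert output (Snort's timestamp is MM/DD-HH:MM:SS.ffffff, Suricata's fast.log uses MM/DD/YYYY-HH:MM:SS.ffffff, the rest of the line has the same shape), IPv4 addresses only, and the embedded alert lines, rule sids (9000001 and up) and messages are constructed samples, not real ET or Talos rules.

```python
"""Compare Snort and Suricata alerts on the same PCAP by signature and by flow.

Both engines can log alerts in the one-line "fast" format, which differs only
in the timestamp token. Parsing both the same way shows whether extra alerts
come from engine-specific signatures or from shared signatures firing more
often, and whether the two engines alerted on the same flows at all.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# One regex for both formats: the timestamp is skipped as a single token.
# Assumption of this example: IPv4 endpoints only.
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*[^\]]*\]\s+)?"
    r"\[Priority:\s*\d+\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int  # 0 for protocols without ports (ICMP)
    dst: str
    dport: int


def parse_fast(lines: List[str]) -> List[Alert]:
    """Parse fast-format lines from either engine; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            int(m.group("gid")), int(m.group("sid")), int(m.group("rev")),
            m.group("msg"), m.group("proto"),
            m.group("src"), int(m.group("sport") or 0),
            m.group("dst"), int(m.group("dport") or 0)))
    return alerts


def flow_key(a: Alert) -> Tuple[str, Tuple[str, int], Tuple[str, int]]:
    """Direction-agnostic flow key: protocol plus both endpoints in sorted order,
    so an alert on the request and one on the response land in the same flow."""
    ends = sorted([(a.src, a.sport), (a.dst, a.dport)])
    return (a.proto, ends[0], ends[1])


def compare(snort_lines: List[str], suri_lines: List[str]) -> Dict[str, object]:
    """Summarise how the two engines' alerts differ by signature and by flow."""
    snort, suri = parse_fast(snort_lines), parse_fast(suri_lines)
    snort_sigs = Counter((a.gid, a.sid) for a in snort)
    suri_sigs = Counter((a.gid, a.sid) for a in suri)
    snort_flows = {flow_key(a) for a in snort}
    suri_flows = {flow_key(a) for a in suri}
    all_sigs = set(snort_sigs) | set(suri_sigs)
    return {
        "snort_total": len(snort),
        "suricata_total": len(suri),
        "snort_unique_sigs": len(snort_sigs),
        "suricata_unique_sigs": len(suri_sigs),
        "sigs_only_snort": sorted(set(snort_sigs) - set(suri_sigs)),
        "sigs_only_suricata": sorted(set(suri_sigs) - set(snort_sigs)),
        # positive = Suricata fired this signature more often than Snort
        "per_sig_delta": {s: suri_sigs[s] - snort_sigs[s] for s in all_sigs},
        "flows_only_snort": len(snort_flows - suri_flows),
        "flows_only_suricata": len(suri_flows - snort_flows),
        "flows_shared": len(snort_flows & suri_flows),
    }


# Constructed sample alert lines (not real captures or rules). Suricata fires the
# same sid 9000002 twice on one flow (e.g. a stream-reassembly difference), has an
# engine-specific sid 9000004, and alerts on one extra flow that Snort is silent on.
SNORT_SAMPLE = """
10/01-07:27:40.000001  [**] [1:9000001:1] SAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.5:80 -> 192.168.200.10:51234
10/01-07:27:41.000002  [**] [1:9000002:1] SAMPLE inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.10:44321 -> 10.0.1.8:1433
10/01-07:27:42.000003  [**] [1:9000003:1] SAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.200.10 -> 10.0.1.9
10/01-07:27:43.000004  [**] [1:9000005:1] SAMPLE FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.200.10:50000 -> 10.0.1.20:21
"""
SURICATA_SAMPLE = """
10/01/2017-07:27:40.000001  [**] [1:9000001:1] SAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.10:51234 -> 10.0.1.5:80
10/01/2017-07:27:41.000002  [**] [1:9000002:1] SAMPLE inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.10:44321 -> 10.0.1.8:1433
10/01/2017-07:27:41.000005  [**] [1:9000002:1] SAMPLE inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.10:44321 -> 10.0.1.8:1433
10/01/2017-07:27:42.000003  [**] [1:9000003:1] SAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.200.10 -> 10.0.1.9
10/01/2017-07:27:44.000006  [**] [1:9000004:1] SAMPLE STREAM reassembly event [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.200.10:45678 -> 10.0.1.30:80
10/01/2017-07:27:45.000007  [**] [1:9000002:1] SAMPLE inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.11:44400 -> 10.0.1.8:1433
"""


def compare_samples() -> Dict[str, object]:
    """Run the comparison over the constructed sample logs."""
    return compare(SNORT_SAMPLE.splitlines(), SURICATA_SAMPLE.splitlines())


if __name__ == "__main__":
    # Replace the samples with open("/path/to/snort/alert.fast") etc. for real logs.
    for key, value in compare_samples().items():
        print(f"{key}: {value}")
```

The `per_sig_delta` map is the part worth reading first on real data: if most of the surplus sits on signatures both engines share, the gap is the engines evaluating the same rules against differently reassembled streams, not rule coverage; the flow counts answer the follow-up question about whether each engine is even looking at the same conversations.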

Joel Esler

Oct 2, 2017, 9:10:41 PM
to securit...@googlegroups.com
Also, Suricata's stream engine is not the same as Snort's and will reassemble traffic differently based upon how it is received.

jwil...@emergingthreats.net

Oct 3, 2017, 10:49:08 AM
to security-onion
On Monday, October 2, 2017 at 6:01:30 AM UTC-5, Wes wrote:

...
Snort may die or throw warnings/errors from an ET Pro rule specifying an option which it doesn't understand
...

Should the above happen to you at runtime, please let us (ET) know! We provide rulesets for both Suricata and Snort 2.9.x. If you were to tell Snort to load up the Suri ruleset, this would certainly happen. It should not happen if you load up the ET ruleset that is written for snort.