Hi
To switch from one IDS engine to another, https://code.google.com/p/security-onion/wiki/FAQ#I'm_currently_running_Snort.__How_do_I_switch_to_Suricata?
Regards,
Lysemose
Short of reloading from scratch, is there a good way to switch from Snort to Suricata?
Are there any issues I should be aware of when doing so? I'm assuming all of my work with managing alerts will still be intact (threshold.conf, autocat.conf, etc.).
Suricata will generate a lot more alerts (especially Stream Alerts) than Snort. Please read the following before switching. If you let it go and come back a day later, you will have a lot of alerts to deal with.
http://taosecurity.blogspot.ca/2013/02/recovering-from-suricata-gone-wild.html
Also, please note that Suricata will not load approximately 600-700 of the Snort VRT ruleset, as they are incompatible.
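As a defender-side follow-up to the alert-volume warning above, here is an added example (not from the thread or from Security Onion) that tallies fast.log alerts per signature and drafts threshold.conf rate-limit entries for the noisiest ones, which is the kind of tuning the linked post describes. The log lines and SIDs are constructed samples, and the fast.log layout and threshold.conf syntax are assumed to be the standard Snort/Suricata ones.

```python
import re
from collections import Counter

# Constructed sample fast.log lines (not from the thread); the SIDs and messages
# are illustrative only, in the style of Suricata's stream-event signatures.
SAMPLE_FAST_LOG = """\
02/10/2013-12:00:01.000001  [**] [1:2210029:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.20:51234
02/10/2013-12:00:01.000002  [**] [1:2210029:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.21:51235
02/10/2013-12:00:01.000003  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.7:22 -> 192.168.1.30:40001
02/10/2013-12:00:02.000004  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.168.1.20:51236
02/10/2013-12:00:02.000005  [**] [1:2210029:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.22:51237
"""

# Matches the "[**] [gid:sid:rev] message [**]" portion of a fast.log line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def parse_fast_log(text):
    """Return (gid, sid, msg) for every line that carries a fast.log alert."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return events


def count_by_signature(events):
    """Tally alerts per (gid, sid) so the noisiest signatures stand out."""
    return Counter((gid, sid) for gid, sid, _ in events)


def threshold_entries(counts, min_count, seconds=60):
    """Draft threshold.conf lines for signatures that fired at least min_count
    times: one alert per source per `seconds` instead of a flood. Whether a
    noisy stream event should be limited, suppressed, or fixed at the sensor
    (e.g. asymmetric traffic) is a tuning decision; this only lists candidates."""
    lines = []
    for (gid, sid), n in counts.most_common():
        if n < min_count:
            break  # most_common() is sorted descending, so nothing else qualifies
        lines.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                     f"track by_src, count 1, seconds {seconds}")
    return lines


if __name__ == "__main__":
    counts = count_by_signature(parse_fast_log(SAMPLE_FAST_LOG))
    for (gid, sid), n in counts.most_common():
        print(f"{gid}:{sid} fired {n} times")
    print("\n".join(threshold_entries(counts, min_count=3)))
```

Run it against a real fast.log by replacing SAMPLE_FAST_LOG with the file contents; review each drafted line before appending it to threshold.conf.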