Hey Jesse, good video. Like you said there is still much to be analyzed between the two. I was wondering if suricata may have grouped any events? I am using SO distro as well and getting ready to deploy a 3 sensor production deployment. I am pretty much set on suricata because of the multithreading and I understand it is better to detect some protocols?
I am wondering if snort sometimes adds additional events off one payload?
Thanks Chris. So, I've also deployed multiple SO's in live environments. It appears as though Suricata is best suited for the ET ruleset, but will not fire many rules from the VRT/Talos ruleset due to its inability to process various keywords utilized in Talos rules. I've seen it both in live environments, and in labs where I've run extensive tests. What ruleset(s) are you planning to use?
Hi Jesse, I am looking towards using the ET Ruleset. Do you know if the ET Ruleset fires the same or more events as VRT Talos? I know it's a difficult question as the ruleset costs 3k per year for a license.
I never used the ET Pro ruleset, so I am not the right one to ask; however, I have used the paid version of VRT's ruleset and the free ET ruleset. It appears as though the ET ruleset releases rules at a quicker pace, while the VRT ruleset may have higher accuracy. The bottom line is they are both solid rulesets, and most people use a combination of both rulesets optimized for their environment. Hope this helps.
By the way, please let me know how ET Pro works out for you.
Does it make sense to have both running on the same box?
They're not running concurrently. I reconfigured it so that one test was using Snort, and the other Suricata. The only variable being the IDS engine.
Yep, thank you for comparing. Useful.
This is a very nice video for those that really want to know. Great POC!!!
Hi. I am trying to set up Suricata as an inline IPS on an Ubuntu server. All log files are working, but the fast.log file shows nothing even when I test it using Nikto and other tools. Please help.
Hello sir. Sorry, but I only really used Suricata within Security Onion. I'm not familiar with the inline IPS feature at this time.
Ok, thanks for the response.
@dmeg9687 Hi, I want to ask about drop filemd5 in Suricata. I'm using Suricata in inline NFQ mode, but I still can't drop a file by MD5. Could you help me? Sorry, I'm not fluent in English; I hope you understand what I'm saying. Thanks. Hope to hear from you soon.
Nice work, thank you Jesse
You're welcome, and thanks.
These videos have saved my life with my project, thank you. And lastly, is there a command I can use to log just every event for Suricata? On an Ubuntu machine?
Np. Check out Suricata's config documentation:
In the /var/log/suricata directory, all of Suricata's output (alerts and events) will be stored.
default-log-dir: /var/log/suricata
Reference:
redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
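To make the two logging questions in this thread concrete (the empty fast.log above, and "log every event" here), the following is an added example, not code from the video or from the Suricata project. Under default-log-dir Suricata writes fast.log, which only ever contains alerts, and eve.json, which holds alerts plus the other event types enabled under the eve-log output (http, dns, flow, ...). The script reads constructed eve.json lines (the traffic, IPs and the signature id 1000001 are made up for the example), counts events per type, summarizes the alerts by signature, and renders an alert in fast.log style so you can see why fast.log stays empty when no rule matches even though eve.json keeps filling up.

```python
"""Summarize Suricata EVE JSON output by event type (added example).

Suricata stores its output under default-log-dir (/var/log/suricata by
default). eve.json holds one JSON object per line for every enabled
event type; fast.log holds alerts only. Field names used here
(timestamp, event_type, src_ip, alert.signature_id, ...) follow the
EVE format; the sample lines themselves are constructed, not captured.
"""
import json
import os
from collections import Counter
from datetime import datetime

DEFAULT_LOG_DIR = "/var/log/suricata"  # default-log-dir in suricata.yaml

# Constructed sample eve.json lines: two alerts for one (made-up) sid,
# an http, a dns and a flow record, plus one truncated line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"EXAMPLE Nikto scan user-agent","category":"Web Application Attack","severity":2}}',
    '{"timestamp":"2020-01-01T10:00:00.100000+0000","flow_id":1,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"10.0.0.10","url":"/","http_user_agent":"Mozilla/5.00 (Nikto)",'
    '"http_method":"GET","status":200}}',
    '{"timestamp":"2020-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2020-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51240,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"EXAMPLE Nikto scan user-agent","category":"Web Application Attack","severity":2}}',
    '{"timestamp":"2020-01-01T10:00:30.000000+0000","flow_id":1,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":600,"bytes_toclient":900}}',
    '{"timestamp":"2020-01-01T10:00:31.000000+0000","event_type":"fl',  # write in progress
]


def eve_path(default_log_dir=DEFAULT_LOG_DIR, filename="eve.json"):
    """Path of the EVE log given the configured default-log-dir."""
    return os.path.join(default_log_dir, filename)


def parse_eve(lines):
    """Parse eve.json lines, skipping blank or truncated ones."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line (e.g. Suricata still writing it)
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
    return events


def count_event_types(events):
    """How many records of each event_type the EVE log holds."""
    return Counter(e["event_type"] for e in events)


def alert_summary(events):
    """(signature_id, signature, count) for alerts, most frequent first."""
    counts, names = Counter(), {}
    for e in events:
        if e["event_type"] != "alert":
            continue
        sid = e["alert"]["signature_id"]
        counts[sid] += 1
        names[sid] = e["alert"]["signature"]
    return [(sid, names[sid], n) for sid, n in counts.most_common()]


def to_fast_log(event):
    """Render an alert event the way fast.log prints it.

    Only alerts reach fast.log, so an empty fast.log next to a growing
    eve.json means no rule matched, not that logging is broken.
    """
    a = event["alert"]
    ts = datetime.strptime(event["timestamp"][:26], "%Y-%m-%dT%H:%M:%S.%f")
    return (
        "{ts}  [**] [{gid}:{sid}:{rev}] {sig} [**] [Classification: {cls}] "
        "[Priority: {pri}] {{{proto}}} {sip}:{sp} -> {dip}:{dp}"
    ).format(
        ts=ts.strftime("%m/%d/%Y-%H:%M:%S.%f"), gid=a.get("gid", 1),
        sid=a["signature_id"], rev=a["rev"], sig=a["signature"],
        cls=a["category"], pri=a["severity"], proto=event["proto"],
        sip=event["src_ip"], sp=event["src_port"],
        dip=event["dest_ip"], dp=event["dest_port"],
    )


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    print("reading", eve_path())
    print("events by type:", dict(count_event_types(evs)))
    for sid, sig, n in alert_summary(evs):
        print(f"sid {sid} x{n}: {sig}")
    for e in evs:
        if e["event_type"] == "alert":
            print(to_fast_log(e))
```

On a real sensor, replace SAMPLE_EVE_LINES with the lines of the file returned by eve_path() (or tail -f it). If the per-type counts show http and flow records but no alert records, the engine is seeing the traffic and the problem is the rule set (nothing matched), which is exactly the situation an empty fast.log describes.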
"ooo-boon-two"
Thanks for pointing that out Luis. I kept saying "you-boon-two" by mistake. Lol.
How can I email you? I need help please.
Barroughes,
Feel free to post your question here, or subscribe to my channel and send me a message through RUclips.
Would you be able to just do a short tutorial on installing Suricata? I know it's too much to ask, but I am lost.
Barroughes,
This has already been done in one of my other videos. Security Onion is what I use for this and all other exercises using Snort/Suricata, and you can choose Snort or Suricata engine during configuration of SO. Check out this video of mine:
ruclips.net/video/O5wNlI50Yss/видео.html