Test Case: Suricata VS Snort IDS

  • Published: 11 Sep 2024
  • Please check out my Udemy courses! Coupon code applied to the following links....
    Description:
    During this test case, I leveraged Armitage to execute a 'hail mary' attack against an Ubuntu server, while being actively monitored by Suricata or Snort IDS engines. The variable in this test is the different IDS engines, utilizing the same rulesets (VRT/Talos and ET). This was performed within Security Onion.
    The results of this test conclude that several, but not all, Talos rules were processed by Suricata, and a much lower volume of events was triggered. Snort was able to process all rules from Talos as well as ET. This shows that Snort is likely to be the best option when choosing between Suricata and Snort engines; however, more extensive testing and analysis is needed to accurately represent the disparity between the two engines.
    References:
    snort.org/
    suricata-ids.org/
    securityonion....
    rules.emerging...
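    One way to quantify the disparity described above is to compare the two engines' alert output on the same traffic: count events per rule (gid:sid) and list rules that fired in only one engine, or fired a different number of times. This is an added example, not code from the video or from Security Onion; it assumes both engines were configured to write the "fast" alert format (which Snort and Suricata both support), and the sample alert lines and SIDs below are constructed.

```python
import re
from collections import Counter

# "Fast" alert format as written by Snort ("MM/DD-HH:MM:SS.usec") and Suricata
# ("MM/DD/YYYY-HH:MM:SS.usec"); \S+ accepts either timestamp. The rule is
# identified by the [gid:sid:rev] triple after the first [**].
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)

def count_by_sid(lines):
    """Return {(gid, sid): event count}; lines that are not alerts are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            counts[(int(m["gid"]), int(m["sid"]))] += 1
    return counts

def compare_engines(snort_lines, suricata_lines):
    """Summarise how two engines differed on the same traffic and ruleset."""
    snort, suri = count_by_sid(snort_lines), count_by_sid(suricata_lines)
    both = set(snort) & set(suri)
    return {
        "snort_total": sum(snort.values()),
        "suricata_total": sum(suri.values()),
        # rules that fired in one engine only (e.g. a keyword the other cannot process)
        "only_snort": sorted(set(snort) - set(suri)),
        "only_suricata": sorted(set(suri) - set(snort)),
        # rules both fired but with different counts (duplicate or grouped events)
        "count_mismatch": {k: (snort[k], suri[k]) for k in both if snort[k] != suri[k]},
    }

# Constructed sample alerts (not captured from the video's test). SIDs are in the
# local-rules range; one rule fires twice in Snort on one payload, one never
# fires in Suricata, and one Suricata line is deliberately not an alert.
SNORT_SAMPLE = [
    "09/11-10:00:01.000001  [**] [1:1000001:1] SAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "09/11-10:00:01.000002  [**] [1:1000001:1] SAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "09/11-10:00:02.000001  [**] [1:1000002:1] SAMPLE rule with unsupported keyword [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:4444 -> 10.0.0.5:22",
]
SURICATA_SAMPLE = [
    "09/11/2024-10:00:01.000001  [**] [1:1000001:1] SAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "engine started, not an alert line",
]

if __name__ == "__main__":
    print(compare_engines(SNORT_SAMPLE, SURICATA_SAMPLE))
```

    On real data, read each engine's fast.log into a list of lines and pass them in; the "only_snort" list is the first place to look for Talos rules Suricata did not load.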

Comments • 23

  • @Urbancorax2
    @Urbancorax2 4 years ago +1

    yep, thank you for comparing. Useful

  • @toolate6971
    @toolate6971 7 years ago

    This is a very nice video for those that really want to know. Great POC!!!

  • @peterwagner9795
    @peterwagner9795 7 years ago +3

    Nice work, thank you Jesse

  • @cv2010u
    @cv2010u 7 years ago +2

    Hey Jesse, good video. Like you said, there is still much to be analyzed between the two. I was wondering if Suricata may have grouped any events? I am using the SO distro as well and getting ready to deploy a 3-sensor production deployment. I am pretty much set on Suricata because of the multithreading, and I understand it is better at detecting some protocols?
    I am wondering if Snort sometimes adds additional events off one payload?

    • @JesseKurrus
      @JesseKurrus 7 years ago

      Thanks Chris. So, I've also deployed multiple SO's in live environments. It appears as though Suricata is best suited for the ET ruleset, but will not fire many rules from the VRT/Talos ruleset due to its inability to process various keywords utilized in Talos rules. I've seen it both in live environments, and in labs where I've run extensive tests. What ruleset(s) are you planning to use?

    • @cv2010u
      @cv2010u 7 years ago +1

      Hi Jesse, I am looking towards using the ET ruleset. Do you know if the ET ruleset fires the same or more events as VRT Talos? I know it's a difficult question, as the ruleset costs 3k per year for a license.

    • @JesseKurrus
      @JesseKurrus 7 years ago +1

      I never used the ET Pro ruleset, so I am not the right one to ask; however, I have used the paid version of VRT's ruleset and the free ET ruleset. It appears as though the ET ruleset releases rules at a quicker pace, while the VRT ruleset may have higher accuracy. The bottom line is they are both solid rulesets, and most people use a combination of both rulesets optimized for their environment. Hope this helps.
      By the way, please let me know how ET Pro works out for you.

  • @rfrancoi
    @rfrancoi 6 years ago +1

    Does it make sense to have both running on the same box?

    • @JesseKurrus
      @JesseKurrus 6 years ago +1

      They're not running concurrently. I reconfigured it so that one test was using Snort, and the other Suricata, the only variable being the IDS engine.

  • @Barroughes
    @Barroughes 7 years ago +1

    These videos have saved my life with my project, thank you. And lastly, is there a command I can use to log just every event for Suricata? On an Ubuntu machine?

    • @JesseKurrus
      @JesseKurrus 7 years ago

      Np. Check out Suricata's config documentation:
      In the /var/log/suricata directory, all of Suricata's output (alerts and events) will be stored.
      default-log-dir: /var/log/suricata
      Reference:
      redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

  • @luisleandronapone8169
    @luisleandronapone8169 6 years ago +5

    "ooo-boon-two"

    • @JesseKurrus
      @JesseKurrus 6 years ago +1

      Thanks for pointing that out Luis. I kept saying "you-boon-two" by mistake. Lol.

  • @dmeg9687
    @dmeg9687 7 years ago

    Hi. I am trying to set up Suricata as an inline IPS on an Ubuntu server. All log files are working, but the fast.log file shows nothing, even when I test it using Nikto and other tools. Please help.

    • @JesseKurrus
      @JesseKurrus 7 years ago

      Hello sir. Sorry, but I only really used Suricata within Security Onion. I'm not familiar with the inline IPS feature at this time.

    • @dmeg9687
      @dmeg9687 7 years ago +1

      OK, thanks for the response.

    • @demontrickster
      @demontrickster 5 years ago

      @@dmeg9687 Hi, I want to ask about dropping by filemd5 in Suricata. I'm using Suricata in inline NFQ mode, but I still can't drop the MD5 file. Could you help me? Sorry, I'm not fluent in English; I hope you understand what I'm saying. Thanks. Hope to hear from you soon.

  • @Barroughes
    @Barroughes 7 years ago

    How can I email you? I need help, please.

    • @JesseKurrus
      @JesseKurrus 7 years ago +1

      Barroughes,
      Feel free to post your question here, or subscribe to my channel and send me a message through RUclips.

    • @Barroughes
      @Barroughes 7 years ago

      Would you be able to just do a short tutorial on installing Suricata? I know it's too much to ask, but I am lost.

    • @JesseKurrus
      @JesseKurrus 7 years ago +4

      Barroughes,
      This has already been done in one of my other videos. Security Onion is what I use for this and all other exercises using Snort/Suricata, and you can choose the Snort or Suricata engine during configuration of SO. Check out this video of mine:
      ruclips.net/video/O5wNlI50Yss/видео.html