Test Case: Suricata VS Snort IDS

Поделиться
HTML-код
  • Опубликовано: 12 дек 2024

Комментарии • 23

  • @cv2010u
    @cv2010u 8 лет назад +2

    Hey Jesse, good video. Like you said there is still much to be analyzed between the two. I was wondering if suricata may have grouped any events? I am using SO distro as well and getting ready to deploy a 3 sensor production deployment. I am pretty much set on suricata because of the multithreading and I understand it is better to detect some protocols?
    I am wondering if snort sometimes adds additional events off one payload?

    • @JesseKurrus
      @JesseKurrus  8 лет назад

      Thanks Chris. So, I've also deployed multiple SO's in live environments. It appears as though Suricata is best suited for the ET ruleset, but will not fire many rules from the VRT/Talos ruleset due to its inability to process various keywords utilized in Talos rules. I've seen it both in live environments, and in labs where I've run extensive tests. What ruleset(s) are you planning to use?

    • @cv2010u
      @cv2010u 7 лет назад +1

      Hi Jesse, I am looking towards using the ET Ruleset. Do you know if the ET Ruleset fires the same or more events as VRT Talos? I know its a difficult question as the rulset costs 3k per year for a license.

    • @JesseKurrus
      @JesseKurrus  7 лет назад +1

      I never used the ET Pro ruleset, so I am not the right one to ask; however, I have used the paid version of VRT's ruleset and the free ET ruleset. It appears as though the ET ruleset releases rules at a quicker pace, while the VRT ruleset may have higher accuracy. The bottom line is they are both solid rulesets, and most people use a combination of both rulesets optimized for their environment. Hope this helps.
      By the way, please let me know how ET Pro works out for you.

  • @rfrancoi
    @rfrancoi 7 лет назад +1

    Does it make sense to have both running on the same box?

    • @JesseKurrus
      @JesseKurrus  7 лет назад

      They're not running concurrently. I reconfigured it so that one test was using Snort, and the other Suricata. The only variable being the IDS engine.

  • @Urbancorax2
    @Urbancorax2 4 года назад +1

    yep, thank you for comparing. Useful

  • @toolate6971
    @toolate6971 7 лет назад

    This is a very nice video for those that really want to know. Great POC!!!

  • @dmeg9687
    @dmeg9687 7 лет назад

    hi. i am trying to setup suricata as inline ips on an ubuntu server. all log files are working but the fast.log files show nothing even when i test it using nikto and other tools. please help

    • @JesseKurrus
      @JesseKurrus  7 лет назад

      Hello sir. Sorry, but I only really used Suricata within Security Onion. I'm not familiar with the inline IPS feature at this time.

    • @dmeg9687
      @dmeg9687 7 лет назад +1

      ok thanks for the response .

    • @demontrickster
      @demontrickster 5 лет назад

      @@dmeg9687 hi, im wanna asking about drop filemd5 in suricata. Im using suricata with inline NFQ mode but i still cant drop Md5 file. Could u help me? Sorry im not fluent in english, i hope u understand what im saying thanks. Hope hear from u soon..

  • @peterwagner9795
    @peterwagner9795 7 лет назад +2

    Nice work, thank you Jesse

  • @Barroughes
    @Barroughes 7 лет назад +1

    These videos have saved my life with my project thank you and lastly is there a command I can use to log just every event for Suricata ? On an Ubuntu machine ?

    • @JesseKurrus
      @JesseKurrus  7 лет назад

      Np. Check out Suricata's config documentation:
      In the /var/log/suricata directory, all of Suricata's output (alerts and events) will be stored.
      default-log-dir: /var/log/suricata
      Reference:
      redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

  • @luisleandronapone8169
    @luisleandronapone8169 6 лет назад +5

    "ooo-boon-two"

    • @JesseKurrus
      @JesseKurrus  6 лет назад +1

      Thanks for pointing that out Luis. I kept saying "you-boon-two" by mistake. Lol.

  • @Barroughes
    @Barroughes 7 лет назад

    how can i email you ? i need help please??

    • @JesseKurrus
      @JesseKurrus  7 лет назад +1

      Barroughes,
      Feel free to post your question here, or subscribe to my channel and send me a message through RUclips.

    • @Barroughes
      @Barroughes 7 лет назад

      would you be able to just do a short tutorial installing suricata i know too much to ask but i am lost ??

    • @JesseKurrus
      @JesseKurrus  7 лет назад +4

      Barroughes,
      This has already been done in one of my other videos. Security Onion is what I use for this and all other exercises using Snort/Suricata, and you can choose Snort or Suricata engine during configuration of SO. Check out this video of mine:
      ruclips.net/video/O5wNlI50Yss/видео.html