With as many rules as an IDS/IPS would evaluate for each packet, it
seems that a multi-threaded option would be an obvious choice,
especially on modern multi-core quasi-embedded systems (e.g.
Rangely/Atom) with lower absolute clock speeds. Otherwise it seems you
might become effectively CPU bound given modern uplinks and applications
(e.g. captive portal, multi-LAN, etc.), thus introducing jitter and
reduced throughput.
Is this consistent with anyone's real-world observation/testing?
On 6/13/2016 9:28 AM, Steve Yates wrote:
See if disabling the stream-events.rules ruleset helps. The web forum had some
references about that being incompatible with the pfSense implementation. If
memory serves, it's because Snort/Suricata see copies of packets, not the actual
stream, so they are often processed out of order.
When I looked a while back it seemed like Snort and Suricata were similar, but
Snort was single-threaded and Suricata could multi-thread.
https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
http://wiki.aanval.com/wiki/Snort_vs_Suricata
--
Steve Yates
ITS, Inc.
-----Original Message-----
From: List [mailto:[email protected]] On Behalf Of Daniel Eschner
Sent: Sunday, June 12, 2016 1:57 PM
To: pfSense Support and Discussion Mailing List <[email protected]>
Subject: [pfSense] Snort or Suricata
Hi there,
I installed Snort and let it run with the Snort Community Rules and ET Rules.
I get a ton of false positive alerts.
Maybe Suricata is better? What are the differences?
It seems that only the ET rules have no or very few false positives.
Cheers
Daniel
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold