[Snort-users] how can improve detection of attack by snort 3

DFIRob rd.seclists at gmail.com
Wed May 30 19:55:34 EDT 2018


Can you explain what the gap in detection between snort and suricata is,
including the rulesets you have for both IDS engines? My guess is you
didn't have the ET ruleset when processing the DARPA pcaps with snort.

On Wed, May 30, 2018 at 7:17 PM bz Os via Snort-users <
snort-users at lists.snort.org> wrote:

> Thanks Joël Esler for the reply. I am using the Snort community rules, the rules
> used by Snort 3. I don't understand your reply, can you explain please?
>
>
> On Wed, May 30, 2018 at 4:50 PM, Joel Esler (jesler) <jesler at cisco.com>
> wrote:
>
>> Why don't you use the registered rule set for 3.0 to test with?
>>
>>
>>
>> On May 30, 2018, at 6:07 AM, bz Os via Snort-users <
>> snort-users at lists.snort.org> wrote:
>>
>> Hello everyone,
>>    I am using Snort 3 as an IDS. I loaded the Snort 3 community rules,
>> uncommented all the commented rules and loaded these rules in the
>> configuration file. When I run Snort, 3957 rules are loaded.
>>    I ran Snort against a part of the DARPA dataset, but as a result I had only
>> 3 detections ("(http_inspect) header line terminated by LF without a CR",
>> "(arp_spoof) unicast ARP request" and "(ipv4) packet from reserved
>> source address"). On the other hand, I ran Suricata against the same pcap
>> file and Suricata detected a lot of attacks.
>>
>>    How can I add Emerging Threats to detect more attacks with Snort 3, or is
>> there a method to improve the detection?
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>> Please follow these rules:
>> https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>>
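Added example for the thread above (not code from the Snort project, Suricata, or any of the posters): DFIRob asks where the detection gap between the two engines actually lies. The script below parses Snort 3 alert_fast output and a Suricata fast.log for the same pcap, matches alerts on GID:SID, and labels the Suricata-only hits by the SID range they come from. If every Suricata-only hit falls in the 2000000+ range that Emerging Threats allocates, the gap is the ruleset, not the engine, which is what the reply guesses. Both log excerpts are constructed by hand to mirror the symptoms described in the thread; the GID/SID numbers in the Snort excerpt are illustrative, not real DARPA output.

```python
"""Compare Snort 3 alert_fast output with Suricata fast.log for one pcap and
report which signatures fired on only one engine, grouped by ruleset origin.

Added illustration for this list thread; not code from the Snort or Suricata
projects or from anyone posting here.
"""
import re
from collections import Counter

# Constructed sample: Snort 3 alert_fast, only builtin inspector/decoder events
# (GID != 1), mirroring the three detections reported in the thread.
# GIDs/SIDs here are illustrative placeholders.
SNORT_ALERT_FAST = """\
05/30-10:02:11.104422 [**] [119:12:1] "(http_inspect) header line terminated by LF without a CR" [**] [Priority: 3] {TCP} 172.16.112.50:1044 -> 172.16.114.50:80
05/30-10:02:14.338100 [**] [112:1:1] "(arp_spoof) unicast ARP request" [**] [Priority: 3] {ARP}
05/30-10:03:01.000219 [**] [116:1:1] "(ipv4) packet from reserved source address" [**] [Priority: 3] {UDP} 240.1.2.3:5000 -> 172.16.114.50:5000
"""

# Constructed sample: Suricata fast.log on the same pcap, loaded with ET Open.
SURICATA_FAST = """\
05/30/1998-10:02:11.104422  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.114.50:80 -> 172.16.112.50:1044
05/30/1998-10:02:12.551008  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:5012 -> 172.16.114.50:22
05/30/1998-10:03:40.000001  [**] [1:2101616:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 172.16.112.50:53211 -> 172.16.114.50:53
"""

# Both engines print the rule header between [**] markers. Snort 3 wraps the
# msg in double quotes, Suricata does not, so the quotes are optional here.
ALERT_RE = re.compile(r'\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+"?(.*?)"?\s+\[\*\*\]')


def parse_alerts(log_text):
    """Return a Counter keyed by (gid, sid, msg) over every alert line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid, _rev, msg = m.groups()
            hits[(int(gid), int(sid), msg)] += 1
    return hits


def rule_source(gid, sid):
    """Heuristic origin of a signature from its GID/SID.

    GID != 1 is a builtin inspector or decoder event, not a text rule at all.
    SIDs 2000000-2999999 are the block Emerging Threats allocates; SIDs from
    1000000 up are reserved for local rules; below that is the Snort ruleset.
    """
    if gid != 1:
        return "builtin"
    if 2_000_000 <= sid < 3_000_000:
        return "emerging-threats"
    if sid >= 1_000_000:
        return "local"
    return "snort-ruleset"


def detection_gap(snort_log, suricata_log):
    """Split alerts into snort-only, suricata-only and shared, keyed on
    (gid, sid), and tally where the suricata-only signatures come from."""
    snort = {(g, s): msg for (g, s, msg) in parse_alerts(snort_log)}
    suri = {(g, s): msg for (g, s, msg) in parse_alerts(suricata_log)}
    only_snort = sorted(set(snort) - set(suri))
    only_suri = sorted(set(suri) - set(snort))
    both = sorted(set(snort) & set(suri))
    return {
        "only_snort": [(g, s, snort[(g, s)]) for g, s in only_snort],
        "only_suricata": [(g, s, suri[(g, s)]) for g, s in only_suri],
        "both": [(g, s, snort[(g, s)]) for g, s in both],
        # If this is all "emerging-threats", the missing piece is the ruleset.
        "missing_sources": Counter(rule_source(g, s) for g, s in only_suri),
    }


if __name__ == "__main__":
    gap = detection_gap(SNORT_ALERT_FAST, SURICATA_FAST)
    print("fired only on Snort 3:")
    for g, s, msg in gap["only_snort"]:
        print(f"  [{g}:{s}] {msg}  ({rule_source(g, s)})")
    print("fired only on Suricata:")
    for g, s, msg in gap["only_suricata"]:
        print(f"  [{g}:{s}] {msg}  ({rule_source(g, s)})")
    print("origin of the Suricata-only hits:", dict(gap["missing_sources"]))
```

Run it against real output by replacing the two constructed strings with the contents of Snort's alert_fast file (snort -c snort.lua -R <rules> -r <pcap> -A alert_fast) and Suricata's fast.log; the "missing_sources" tally tells you whether to load more rules or to look at engine configuration.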

