[Snort-users] how can improve detection of attack by snort 3

Joel Esler (jesler) jesler at cisco.com
Thu May 31 13:27:19 EDT 2018


Probably because he's using the community ruleset, and not the registered ruleset, which was my question.

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


On May 30, 2018, at 7:55 PM, DFIRob via Snort-users <snort-users at lists.snort.org> wrote:

Can you explain what the gap in detection between snort and suricata is, including the rulesets you have for both IDS engines? My guess is you didn't have the ET ruleset when processing the DARPA pcaps with snort.

On Wed, May 30, 2018 at 7:17 PM bz Os via Snort-users <snort-users at lists.snort.org> wrote:
Thanks Joel Esler for the reply. I am using the Snort community rules, the rules used by Snort 3. I don't understand your reply, can you explain please?


On Wed, May 30, 2018, 4:50 PM, Joel Esler (jesler) <jesler at cisco.com> wrote:
Why don't you use the registered rule set for 3.0 to test with?



On May 30, 2018, at 6:07 AM, bz Os via Snort-users <snort-users at lists.snort.org> wrote:

hello everyone
   I am using Snort 3 as an IDS. I loaded the Snort 3 community rules, uncommented all the commented rules and loaded these rules in the configuration file; when I run Snort, 3957 rules are loaded.
   I ran Snort against a part of the DARPA dataset, but as a result I had only 3 detections ("(http_inspect) header line terminated by LF without a CR", "(arp_spoof) unicast arp request" and "(ipv4) packet from reserved source address"). On the other hand I ran Suricata against the same pcap file, and as a result Suricata detected a lot of attacks.

   How can I add Emerging Threats to detect more attacks with Snort 3, or is there a method to improve the detection?
_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

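For the question in this thread about adding Emerging Threats rules next to the community set in Snort 3, here is an added example (not code from anyone in the thread) of how a snort.lua policy stacks more than one rules file; rule_dir, the assumption that snort_defaults.lua was already included, and both file names are assumptions, the ET file name being a placeholder for whatever Snort 3 compatible ET file is downloaded.

```lua
-- Added example (not from the thread): a snort.lua policy fragment that
-- loads a second text ruleset alongside the community file instead of
-- relying on the community file alone. Assumes snort.lua already did
-- include 'snort_defaults.lua' (which defines default_variables) and
-- that both rule files exist under rule_dir (assumed path).
local rule_dir = '/usr/local/etc/snort/rules'   -- assumed location

ips = {
    -- The three hits reported in the thread (http_inspect, arp_spoof,
    -- ipv4) are builtin inspector/decoder alerts, not text rules, so
    -- they fire even when no text rule matches. Keep them enabled.
    enable_builtin_rules = true,

    -- Snort 3 reads text rules from this string; the 'include' directive
    -- pulls in files, so several rulesets can be stacked in one policy.
    -- 'emerging-all.rules' is a placeholder name for the ET file.
    rules = string.format([[
include %s/snort3-community.rules
include %s/emerging-all.rules
]], rule_dir, rule_dir),

    variables = default_variables,
}

-- Replay the capture through this policy and print alerts to stdout:
--   snort -c snort.lua -r darpa_part.pcap -A alert_fast
-- Compare the rule count Snort reports at startup with the 3957 seen
-- with the community file alone; if it did not grow, an include path
-- is wrong and the second ruleset was never loaded.
```

The registered ruleset from snort.org installs as rules files that are included the same way; the one thing that changes is the file names listed in the rules string.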
