Snort mailing list archives

Re: how can improve detection of attack by snort 3


From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Thu, 31 May 2018 17:27:19 +0000

Probably because he's using the community ruleset, and not the registered ruleset, which was my question.

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


On May 30, 2018, at 7:55 PM, DFIRob via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>> wrote:

Can you explain what the gap in detection between snort and suricata is, including the rulesets you have for both IDS 
engines? My guess is you didn't have the ET ruleset when processing the DARPA pcaps with snort.

On Wed, May 30, 2018 at 7:17 PM bz Os via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>> wrote:
Thanks Joël Esler for the reply. I am using the Snort community rules, the rules used by Snort 3. I don't understand your reply, can you explain please?


On Wed., May 30, 2018, 4:50 PM, Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>> wrote:
Why don't you use the registered rule set for 3.0 to test with?



On May 30, 2018, at 6:07 AM, bz Os via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>> wrote:

Hello everyone,
   I am using Snort 3 as an IDS. I loaded the Snort 3 community rules, uncommented all the commented rules, and loaded these rules in the configuration file. When I run Snort, 3957 rules are loaded.
   I ran Snort against a part of the DARPA dataset, but as a result I had only 3 detections: "(http_Inspect)header line terminated by LF without a CR", "(arp_spoof) unicast arp request" and "(ipv4)packet from reserved source address". On the other hand, I ran Suricata against the same pcap file, and as a result Suricata detected a lot of attacks.

   How can I add Emerging Threats to detect more attacks with Snort 3, or is there a method to improve the detection?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
