Snort mailing list archives
Re: how can improve detection of attack by snort 3
From: DFIRob via Snort-users <snort-users () lists snort org>
Date: Thu, 31 May 2018 01:55:34 +0200
Can you explain what the gap in detection between Snort and Suricata is, including the rulesets you have for both IDS engines? My guess is you didn't have the ET ruleset when processing the DARPA pcaps with Snort.

On Wed, May 30, 2018 at 7:17 PM bz Os via Snort-users <snort-users () lists snort org> wrote:
Thanks Joel Esler for the reply. I am using the Snort community rules, the rules used by Snort 3. I don't understand your reply, can you explain please?

On Wed., May 30, 2018 4:50 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Why don't you use the registered rule set for 3.0 to test with?

On May 30, 2018, at 6:07 AM, bz Os via Snort-users <snort-users () lists snort org> wrote:

Hello everyone, I am using Snort 3 as an IDS. I loaded the Snort 3 community rules, uncommented all the commented rules and loaded these rules in the configuration file; when I run Snort, 3957 rules are loaded. I ran Snort against a part of the DARPA dataset, but as a result I had only 3 detections ("(http_inspect) header line terminated by LF without a CR", "(arp_spoof) unicast arp request" and "(ipv4) packet from reserved source address"). On the other hand, I ran Suricata against the same pcap file and as a result Suricata detected a lot of attacks. How can I add Emerging Threats to detect more attacks with Snort 3, or is there a method to improve the detection?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
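One way to put numbers on the detection gap the thread asks about: tally each engine's fast-format alert log by generator ID, since in Snort a GID of 1 marks a hit from a loaded text rule while other GIDs are built-in decoder/inspector alerts like the three the original poster saw, so "zero GID-1 hits" is the quickest sign that no ruleset actually matched. This is an added example, not code from the thread or from the Snort project; the log lines are constructed and the GID/SID values in them are illustrative placeholders.

```python
import re
from collections import Counter

# Both Snort 3 alert_fast and Suricata fast.log carry a "[gid:sid:rev]" tag
# followed by the quoted (Snort) or bare (Suricata) alert message.
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+"?(.*?)"?\s+\[\*\*\]')

# Constructed sample logs (placeholder GIDs/SIDs); not real captures.
SNORT_LOG = """\
05/30-19:17:01.000001 [**] [119:1:1] "(http_inspect) header line terminated by LF without a CR" [**] [Priority: 3] {TCP} 172.16.112.50:1045 -> 172.16.114.50:80
05/30-19:17:02.000002 [**] [112:1:1] "(arp_spoof) unicast ARP request" [**] [Priority: 3] {ARP} 172.16.112.1 -> 172.16.112.50
05/30-19:17:03.000003 [**] [116:151:1] "(ipv4) packet from reserved source address" [**] [Priority: 3] {TCP} 0.0.0.0:0 -> 172.16.114.50:0
"""
SURICATA_LOG = """\
05/30/2018-19:17:01.000001  [**] [1:2100001:1] EXAMPLE text rule hit [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:1045 -> 172.16.114.50:80
05/30/2018-19:17:05.000005  [**] [1:2100002:1] EXAMPLE another text rule hit [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:1046 -> 172.16.114.50:80
05/30/2018-19:17:06.000006  [**] [1:2100001:1] EXAMPLE text rule hit [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:1047 -> 172.16.114.50:80
"""

def parse_alerts(text):
    """Return one (gid, sid, rev, msg) tuple per alert line that carries a gid:sid:rev tag."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid, rev, msg = m.groups()
            out.append((int(gid), int(sid), int(rev), msg))
    return out

def summarize(alerts):
    """Split alerts into text-rule hits (GID 1) and built-in decoder/inspector alerts (other GIDs)."""
    text_rules = Counter((sid, msg) for gid, sid, _, msg in alerts if gid == 1)
    builtin = Counter((gid, sid, msg) for gid, sid, _, msg in alerts if gid != 1)
    return {"text_rule_hits": sum(text_rules.values()), "text_rules_fired": len(text_rules),
            "builtin_hits": sum(builtin.values()), "text_rules": text_rules, "builtin": builtin}

def detection_gap(snort_text, suricata_text):
    """Text-rule SIDs that fired in one engine but not in the other."""
    s = {sid for gid, sid, _, _ in parse_alerts(snort_text) if gid == 1}
    u = {sid for gid, sid, _, _ in parse_alerts(suricata_text) if gid == 1}
    return {"only_suricata": sorted(u - s), "only_snort": sorted(s - u)}

if __name__ == "__main__":
    for name, log in (("snort", SNORT_LOG), ("suricata", SURICATA_LOG)):
        r = summarize(parse_alerts(log))
        print(f"{name}: {r['text_rule_hits']} text-rule hits from {r['text_rules_fired']} rules, "
              f"{r['builtin_hits']} built-in alerts")
    print(detection_gap(SNORT_LOG, SURICATA_LOG))
```

Point it at real alert_fast / fast.log output from the same pcap; a Snort summary of "0 text-rule hits" means the rule files never reached the policy (or were parsed out), which is a configuration problem rather than a detection-quality one.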