Suricata plus snort



  • I am thinking what will happen to the traffic if I used both suricata on wan and lan and also snort on wan and lan.

Who will read the packet first? Or does this depend on who is reading first?
    If Suricata reads the packet first, will Snort be able to use the same traffic to examine too, and vice versa?

    I asked the question because when I use suricata and snort on lan interface, I get alert on snort (http_inspect) TOO MANY PIPELINED REQUESTS.



  • @genesislubrigas:

    I asked the question because when I use suricata and snort on lan interface, I get alert on snort (http_inspect) TOO MANY PIPELINED REQUESTS.

    That rule has nothing to do with running Snort and Suricata at the same time. You can run both Snort and Suricata at the same time on the same interfaces as long as you have enough resources and you are not using IPS mode in Snort and Legacy IPS mode in Suricata. You could however use IPS mode in Snort and inline IPS mode in Suricata, or IPS mode in only one of them. Running IPS mode in Snort and Legacy IPS mode in Suricata on the same interface would cause conflicts as they both use the same table to track blocks.

I'm sure there are use cases for needing to run both, but it's unnecessary most of the time.



@jeffh is correct – usually not necessary to run both packages on the same interface, but you can so long as both are not using the snort2c table at the same time.  Thus the advice to use Suricata in the new inline IPS mode if you use blocking in both packages.  When using the inline IPS mode, Suricata switches over to the Netmap API.  Be forewarned, though, that not all network drivers support Netmap yet.  If your driver is unsupported, either stuff will break outright as soon as you enable Suricata, or you can have strange side-effects with delayed or masked breakage.

As for the HTTP_INSPECT rules in Snort, I say this with some tongue-in-cheek – they will alert on pretty much any HTTP packet these days and have become darn near worthless because of that IMHO.  I have disabled the majority of those rules in my system.

    Bill
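The snort2c point above lends itself to a small configuration check. The following is an added example, not code from this thread or from the pfSense Snort/Suricata packages: it takes a constructed per-interface layout and flags any interface where both packages would write to the shared snort2c block table, i.e. Snort in IPS mode together with Suricata in Legacy IPS mode. The mode labels (`ids`, `ips`, `legacy_ips`, `inline_ips`) are assumptions chosen for readability, not the exact option strings in the package GUI.

```python
"""Flag interfaces where Snort IPS and Suricata Legacy IPS would share the snort2c table.

Added example; the instance layout below is constructed, and the mode labels are
assumptions rather than the pfSense package's own option names.
"""
from dataclasses import dataclass
from typing import Dict, List

# Mode labels used in this example (assumed, not the GUI strings).
SNORT_MODES = {"ids", "ips"}
SURICATA_MODES = {"ids", "legacy_ips", "inline_ips"}


@dataclass(frozen=True)
class IdsInstance:
    package: str    # "snort" or "suricata"
    interface: str  # e.g. "wan" or "lan"
    mode: str       # one of SNORT_MODES or SURICATA_MODES

    def __post_init__(self) -> None:
        valid = SNORT_MODES if self.package == "snort" else SURICATA_MODES
        if self.package not in ("snort", "suricata") or self.mode not in valid:
            raise ValueError(f"invalid instance: {self}")


def uses_snort2c(inst: IdsInstance) -> bool:
    """Only Snort IPS and Suricata Legacy IPS block through the pf snort2c table.

    Suricata inline IPS drops packets via Netmap instead and does not touch it.
    """
    return (inst.package, inst.mode) in {("snort", "ips"), ("suricata", "legacy_ips")}


def find_snort2c_conflicts(instances: List[IdsInstance]) -> List[str]:
    """Return interfaces where both packages would write the snort2c table."""
    by_iface: Dict[str, List[IdsInstance]] = {}
    for inst in instances:
        by_iface.setdefault(inst.interface, []).append(inst)

    conflicts = []
    for iface, insts in sorted(by_iface.items()):
        writers = {i.package for i in insts if uses_snort2c(i)}
        if len(writers) > 1:  # Snort and Suricata both blocking via snort2c
            conflicts.append(iface)
    return conflicts


# Constructed layout: the problematic combination on WAN, the recommended one on LAN.
SAMPLE_LAYOUT = [
    IdsInstance("snort", "wan", "ips"),
    IdsInstance("suricata", "wan", "legacy_ips"),   # conflicts with Snort IPS on wan
    IdsInstance("snort", "lan", "ips"),
    IdsInstance("suricata", "lan", "inline_ips"),   # Netmap path, no snort2c conflict
]

if __name__ == "__main__":
    for iface in find_snort2c_conflicts(SAMPLE_LAYOUT):
        print(f"{iface}: Snort IPS and Suricata Legacy IPS both use snort2c; "
              f"switch one to IDS-only or Suricata to inline IPS")
```

Running it against the constructed layout reports only `wan`; the LAN pairing passes because inline IPS mode blocks through Netmap rather than the shared pf table, which is exactly the arrangement recommended above.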



  • thanks for the information jeffh and bmeeks



  • @bmeeks:

As for the HTTP_INSPECT rules in Snort, I say this with some tongue-in-cheek – they will alert on pretty much any HTTP packet these days and have become darn near worthless because of that IMHO.  I have disabled the majority of those rules in my system.

    Bill

    Are you talking about LAN preprocs->Http Inspect??



  • @pfcode:

    @bmeeks:

As for the HTTP_INSPECT rules in Snort, I say this with some tongue-in-cheek – they will alert on pretty much any HTTP packet these days and have become darn near worthless because of that IMHO.  I have disabled the majority of those rules in my system.

    Bill

    Are you talking about LAN preprocs->Http Inspect??

    Any of them to be honest.  A lot of them misfire (as in generate false positives and thus false blocks).  I know some of the rules might be OK, but many are either out of date or else a ton of legitimate web sites are sending out vastly screwed up HTTP traffic.  I just know that if you enable all those HTTP_INSPECT preprocessor rules you will immediately start to get alerts and subsequent blocks on a large number of mainstream and legit web sites.

    Bill

