In-line question(s) (Suricata + Snort)



  • Hello. Recently I've had a fun time messing with the rules on Suricata and it meets ALL of my needs so far; however, Snort's OpenAppID features do sound appealing and, as far as I can find, they [Suricata] don't have any intention of implementing it, so I wanted to run both Snort and Suricata at the same time but only enable the OpenAppID features in Snort, as Suricata already uses all the rules.

    I remember someone on this forum saying that you could run both if you put Suricata into inline mode and ran Snort normally, so here are my questions:

    1. Was this ever / Is this still possible to do?

    2. Would there be any compatibility issues involved (rules conflicting or the two not working with each other etc)?

    3. What network cards would I need (currently have $10 Realtek ones) to do this effectively?

    Sorry if the grammar, spelling or anything else isn't up to standard, writing this while very tired. Thanks for your time.

    John.



  • There are no problems running both in legacy mode, first off. If you want to run Suricata in inline mode, your best bet is using an Intel NIC, and so far it seems that only the four-port ones work seamlessly.



  • @JohnSCarter:

    Running both on the same interface can tax your hardware, especially on a busy network.  You should never run them together when Snort is blocking and Suricata is blocking with Legacy Mode enabled.  They both will try to share the same snort2c pf table and there can be strange issues with blocks and clearing them.  Theoretically you could run both if Suricata is using Inline IPS Mode, but running both on the same box is not recommended.

    For home network users there is really no fundamental security advantage of one versus the other.  If you want to use OpenAppID, then choose Snort.  But I really question the benefit of OpenAppID on a home connection in the first place.  What would you be worried about – seeing if someone in the household is using Facebook or Messenger?  OpenAppID is aimed primarily at the corporate IT world where acceptable computer use policies are in place (rules like "thou shalt not use Facebook on company time").

    So my suggestion is to flip a coin: if it is heads, use Snort, and if it is tails, use Suricata...  :).

    Bill
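As an added illustration of the shared-table problem Bill describes above (this is example code written for this page, not code from the thread or from the pfSense Snort/Suricata packages): the simulation below models both packages blocking into the same pf table, snort2c. It assumes that each package's periodic block-clearing job expires entries from that table by age using its own configured interval; that mechanism, the second table name, the addresses and the intervals are my assumptions, not something the post states. Run it and the shared-table case is the only one where Suricata still believes an address is blocked after Snort's job has removed it.

```python
from dataclasses import dataclass, field


@dataclass
class PfTable:
    """Stand-in for a pf table: maps a blocked IP to the minute it was added."""
    name: str
    entries: dict = field(default_factory=dict)

    def add(self, ip, now):
        self.entries[ip] = now

    def expire(self, max_age, now):
        """Model of an age-based expiry job: drop entries at least max_age minutes old."""
        old = [ip for ip, added in self.entries.items() if now - added >= max_age]
        for ip in old:
            del self.entries[ip]
        return old


@dataclass
class LegacyEngine:
    """IDS in Legacy Mode: an alert inserts the offender into a pf table, and the
    package's own periodic job expires entries older than its configured interval."""
    name: str
    table: PfTable
    block_minutes: int
    blocks: dict = field(default_factory=dict)  # what this engine believes is blocked

    def alert(self, ip, now):
        self.table.add(ip, now)
        self.blocks[ip] = now

    def cron(self, now):
        for ip in self.table.expire(self.block_minutes, now):
            self.blocks.pop(ip, None)  # forget blocks this engine removed itself

    def inconsistencies(self):
        """IPs this engine still believes are blocked but that are gone from the table."""
        return sorted(ip for ip in self.blocks if ip not in self.table.entries)


@dataclass
class InlineEngine:
    """IDS in Inline IPS Mode: offending packets are dropped in the netmap path,
    so no pf table is written or expired."""
    name: str
    dropped: set = field(default_factory=set)

    def alert(self, ip, now):
        self.dropped.add(ip)

    def cron(self, now):
        pass

    def inconsistencies(self):
        return []


def simulate(mode):
    """Run Snort and Suricata side by side for 30 minutes and return
    (snort_inconsistencies, suricata_inconsistencies)."""
    snort = LegacyEngine("snort", PfTable("snort2c"), block_minutes=15)
    if mode == "shared-legacy":          # both packages blocking into snort2c
        suricata = LegacyEngine("suricata", snort.table, block_minutes=60)
    elif mode == "separate-tables":      # hypothetical: each package owns its own table
        suricata = LegacyEngine("suricata", PfTable("suricata_blocks"), block_minutes=60)
    elif mode == "suricata-inline":      # Suricata drops in-path, never touches pf
        suricata = InlineEngine("suricata")
    else:
        raise ValueError(mode)

    # Constructed events: one alert from each engine, addresses from documentation ranges.
    snort.alert("203.0.113.10", now=0)
    suricata.alert("198.51.100.7", now=2)

    for minute in range(1, 31):
        if minute % 15 == 0:   # Snort's expiry job, assumed to run every 15 minutes
            snort.cron(minute)
        if minute % 60 == 0:   # Suricata's expiry job, every 60 minutes (does not fire here)
            suricata.cron(minute)
    return snort.inconsistencies(), suricata.inconsistencies()


if __name__ == "__main__":
    for mode in ("shared-legacy", "separate-tables", "suricata-inline"):
        print(mode, simulate(mode))
```

In the shared-legacy run, Snort's 30-minute pass expires 198.51.100.7 because it is older than Snort's 15-minute limit, even though Suricata inserted it and expected it to stay for 60 minutes; Suricata's own view of what is blocked no longer matches the firewall. With a separate table per package, or with Suricata in inline mode, nothing one engine does touches the other's blocks.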



  • @bmeeks:

    Thanks again, Bill.

    I think I've misunderstood how useful OpenAppID is for security. I'll go with Suricata legacy for the time being.



  • @JohnSCarter:

    Thanks again, Bill.

    I think I've misunderstood how useful OpenAppID is for security. I'll go with Suricata legacy for the time being.

    I don't mean to say that OpenAppID is not useful for security, but just that the usefulness in a typical home network environment is very limited.  OpenAppID is designed to detect traffic from different types of applications and alert on it.  Like my previous example stated, the most likely use for such a tool is enforcing acceptable computer use policies on a corporate network.  It would be used to identify workstations (and hence users) that were violating company policy by, say, using Facebook, or visiting Twitter, eBay and other such sites during working hours.  It would also be used to identify a user that may be using BitTorrent or other such P2P software to share and download files that might get the corporation itself in trouble for copyright violation.

    Knowing these types of things about your home network is less useful unless you maybe are the admin for a college frat house …  ;).

    Bill



  • @bmeeks:

    Running both on the same interface can tax your hardware, especially on a busy network.  You should never run them together when Snort is blocking and Suricata is blocking with Legacy Mode enabled.  They both will try to share the same snort2c pf table and there can be strange issues with blocks and clearing them.  Theoretically you could run both if Suricata is using Inline IPS Mode, but running both on the same box is not recommended.

    Bill

    This is interesting, Bill… I am running both in legacy mode now in my home environment with no problem. My original plan was to run Suricata in inline mode; however, I discovered the dual NIC and the netmap driver issue. I have 8 GB RAM though, and mostly use 39% of that.



  • @NollipfSense:

    This is interesting, Bill… I am running both in legacy mode now in my home environment with no problem. My original plan was to run Suricata in inline mode; however, I discovered the dual NIC and the netmap driver issue. I have 8 GB RAM though, and mostly use 39% of that.

    You're not seeing an issue because it is a home network (and you have 8 GB of RAM).  Try it on a large, busy corporate network or on a smaller appliance like, say, an SG-3100 with 2 GB of RAM and you will likely encounter issues.

    I'm not saying you can't run both or that both won't run, but it is going to tax your firewall more and it adds not much at all to the overall security.  But to each his own, as they say …  :).

    Bill

