suricata/snort/etpro rules - how to be?



  • Hello!
    I use the latest version of Suricata. I would like to expand the set of rules.

    1. Snort has two subscription options: $30 and $400.
      What is the difference in the rules between the two subscriptions?
    2. Does it make sense to apply the rules from ETPro if I purchased a Snort subscription?

    p.s. Normal user.



  • @Shazams said in suricata/snort/etpro rules - how to be?:

    Hello!
    I use the latest version of Suricata. I would like to expand the set of rules.

    1. Snort has two subscription options: $30 and $400. What is the difference in the rules between the two subscriptions?

    I have to give you the smart alec answer first ... LOL. The difference is $370 ... ☺ .
    Okay, now that I've had my fun for the day, the real answer is there is no difference. The Snort team just has a different rate structure for private (as in individuals) versus commercial (business) users. Read the fine print on their licensing site. If you are purchasing a Snort subscription for a business, you should pay the higher rate. A pricing structure such as this is not too uncommon. Microsoft had something similar for students versus other users for their Office products.

    @Shazams said in suricata/snort/etpro rules - how to be?:

    2. Does it make sense to apply the rules from ETPro if I purchased a Snort subscription?

    p.s. Normal user.

    Unless you are Jeff Bezos or Bill Gates and just flush with cash, I think you will find an ET-Pro subscription fairly expensive (as in $2369.99 per year). That is way too rich for my wallet as an individual user. So in my case, and it's the same for the majority of users here, I would choose Snort over ET-Pro. Nothing wrong with using Snort and the free ET-Open rules, though.

    If I were the firewall admin for a larger business, and I had the budget, I would opt for the ET-Pro rules and use them along with Snort. It can never hurt to have multiple eyes looking out for trouble, or in this case multiple signatures.

