Hi guys,

Just take a look at Suricata. It's very nice. I took a chance to implement Snort as another SystemVM in CloudStack. That SystemVM worked well, but Snort was terrible. Will try with Suricata.

Thanks,

On Nov 21, 2013, at 23:07, Robert Bruce <precious.king...@gmail.com> wrote:

> Sir Santhosh,
>
> I am very grateful to you for your help. According to your recommendation, I have studied Suricata and concluded that it is a much better NIDS for use in a cloud environment. It is well developed and well documented.
>
> Well, actually, I want to detect distributed intrusions in the cloud, for which I would have to utilize the correlation module of the aforementioned NIDS. Can you please guide me on which would be the appropriate approach, like some algorithm or a set of parameters to modify the rules in Suricata?
>
> Thanking you in anticipation!
>
> Best Regards,
> Robert
>
>
> On Mon, Nov 18, 2013 at 9:58 AM, Santhosh Edukulla <santhosh.eduku...@citrix.com> wrote:
>
>> Robert,
>>
>> 1. The Snort engine has its various limitations, unless we have reservations to use it. Instead, we can go with Suricata.
>>
>> 2. Suricata is multithreaded, as against Snort, which is single threaded. Performance is one big issue with Snort.
>>
>> 3. Snort works under a dual license mode, controlled by its parent company Sourcefire, which releases signatures after two weeks (or so) to community releases, and sometimes the releases and development features of Snort are controlled by them as well, with no signatures for new and zero-day detections. In the NIDS space, I heard that Suricata has a lot of support in terms of signature development.
>>
>> 4. Snort purely works on PCRE rule parsers; the protocol state machine as well as inline engine support for Snort is relatively not advanced. It adds a lot of performance drain during its preprocessing cycle. For IPS/IDS, you may want to add threat detection based not only on signatures and rules. You may also be interested in DoS, DDoS and various other traffic profile and behavioral aspects of IPS. It lacks in these aspects relatively.
>>
>> 5. Added to it, if you wanted to add multiple IPv6 packet processing, Snort sometimes eats up the heap crazily.
>>
>> 6. Adding a new extension to Snort, e.g. APPID detection, is equally not easy. The engine structure for Suricata assumably is far better for adding new plugins, e.g. app detection at various layers.
>>
>> 7. If you wanted to do packet processing and detection using a single pass, then Snort would not be an option, nor do I believe it supports it. The state machine for Snort during session-based protocols was not much supported or may require addons to support it by default. Advanced evasions and new app threat detection in Snort, e.g. evading JS exploits in PDF files, relatively require new protocol and app detection. For traditional IDS, you may want to consider Snort; instead I would recommend Suricata.
>>
>> Thanks!
>> Santhosh
>> ________________________________________
>> From: Robert Bruce [precious.king...@gmail.com]
>> Sent: Monday, November 18, 2013 10:18 AM
>> To: users@cloudstack.apache.org
>> Subject: Re: Distributed Intrusion Detection System in Cloud Computing
>>
>> Hello everyone!
>>
>> I want to develop a Signature Based Distributed Intrusion Detection System (DIDS) to detect distributed intrusions in a Cloud environment. Yes, I intend to deploy it in CloudStack.
>>
>> I want to modify the correlation module to enhance the detection capability already being provided by Snort. Can you please help me in the selection of a good technique to improve the correlation module?
>>
>> Thanks and Regards,
>> Robert
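The thread asks what a cross-sensor correlation step for a distributed Suricata deployment could look like. The following is an added example, not code from any participant in the thread or from the Suricata or CloudStack projects. It assumes each SystemVM running Suricata writes the standard EVE JSON alert output (fields `timestamp`, `event_type`, `src_ip`, `dest_ip`, `alert.signature_id`, `alert.signature`), that a collector tags every line with the name of the sensor it came from before forwarding it to a central node, and that correlation means "one source IP raising alerts on several distinct sensors inside a short time window". The sample EVE lines, sensor names, addresses and signature ids are constructed for the example.

```python
"""Cross-sensor correlation of Suricata EVE JSON alerts (added example).

Input is a list of (sensor_name, eve_json_line) pairs.  The sensor name is
assumed to be attached by the collector that ships each VM's eve.json to the
central correlator; the JSON shape follows Suricata's alert event format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2013-11-21T23:07:01.000000+0000

# Constructed sample input: three sensors see the same source within minutes,
# a second source is seen on two sensors but far apart in time, one non-alert
# event and one malformed line exercise the filtering paths.
SAMPLE_EVENTS = [
    ("sensor-a", '{"timestamp":"2013-11-21T23:07:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.1.1.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"SAMPLE SCAN SSH probe","severity":2}}'),
    ("sensor-b", '{"timestamp":"2013-11-21T23:08:30.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.1.2.20","proto":"TCP","alert":{"signature_id":9000001,"signature":"SAMPLE SCAN SSH probe","severity":2}}'),
    ("sensor-c", '{"timestamp":"2013-11-21T23:09:12.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.1.3.30","proto":"TCP","alert":{"signature_id":9000002,"signature":"SAMPLE WEB suspicious login attempt","severity":2}}'),
    ("sensor-a", '{"timestamp":"2013-11-21T23:05:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.1.1.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"SAMPLE SCAN SSH probe","severity":2}}'),
    ("sensor-b", '{"timestamp":"2013-11-21T23:40:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.1.2.20","proto":"TCP","alert":{"signature_id":9000001,"signature":"SAMPLE SCAN SSH probe","severity":2}}'),
    ("sensor-b", '{"timestamp":"2013-11-21T23:08:31.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"10.1.2.20","proto":"TCP"}'),
    ("sensor-c", 'this line is not json'),
]


def parse_eve_alerts(tagged_lines):
    """Parse (sensor, line) pairs into alert dicts; drop non-alert and malformed lines."""
    alerts = []
    for sensor, line in tagged_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not stop the whole batch
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are useful elsewhere, not for this step
        alerts.append({
            "sensor": sensor,
            "ts": datetime.strptime(ev["timestamp"], EVE_TS_FORMAT),
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
        })
    return alerts


def correlate_by_source(alerts, window_seconds=300, min_sensors=2):
    """Flag each source IP whose alerts span >= min_sensors distinct sensors
    within any sliding window of window_seconds.  Returns one finding per
    flagged source, keeping the window with the most sensors."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)

    findings = []
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, cur in enumerate(evs):
            # advance the window start until it is within window of the newest event
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            sensors = {e["sensor"] for e in in_window}
            if len(sensors) >= min_sensors and (best is None or len(sensors) > len(best["sensors"])):
                best = {
                    "src_ip": src_ip,
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": cur["ts"].isoformat(),
                    "sensors": sorted(sensors),
                    "targets": sorted({e["dest_ip"] for e in in_window}),
                    "signatures": sorted({e["signature"] for e in in_window}),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in correlate_by_source(parse_eve_alerts(SAMPLE_EVENTS)):
        print(json.dumps(f, indent=2))
```

Run as-is, the script reports only 198.51.100.7, seen on all three sensors against three different guests inside about two minutes; 203.0.113.5 stays below the threshold because its two alerts are 35 minutes apart. The two knobs that matter operationally are `window_seconds` and `min_sensors`: widening the window catches slower sweeps at the cost of more noise, and the per-sensor rules themselves stay unchanged, which is the point of doing the correlation centrally rather than inside each sensor's ruleset.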