Sir Santhosh,

I am very grateful to you for your help. According to your recommendation,
I have studied Suricata and concluded that it is a much better NIDS
for use in a cloud environment. It is well developed and well documented.

Well, actually, I want to detect distributed intrusions in the cloud, for which
I would have to utilize the correlation module of the aforementioned NIDS. Can
you please guide me on which would be the appropriate approach, like some
algorithm or a set of parameters to modify the rules in Suricata?

Thanking you in anticipation!

Best Regards,
Robert


On Mon, Nov 18, 2013 at 9:58 AM, Santhosh Edukulla <
santhosh.eduku...@citrix.com> wrote:

> Robert,
>
> 1. Snort engine has its various limitations, unless we have reservations
> to use it. Instead, we can go with Suricata.
>
> 2. Suricata is multithreaded, against Snort which is single threaded.
> Performance is one big issue with Snort.
>
> 3. Snort works under a dual license mode, controlled by its parent company
> Sourcefire, which releases signatures after two weeks (or so) to the
> community releases, and sometimes the releases and development features of
> Snort are as well controlled by them, with no signatures for new and zero
> day detections. In the NIDS space, I heard that Suricata has a lot of support in
> terms of signature development.
>
> 4. Snort purely works on PCRE rule parsers; the protocol state machine and
> inline engine support for Snort are relatively not advanced. It adds a
> lot of performance drain during its preprocessing cycle. For IPS/IDS, you
> may want to add threat detection based not only on signatures and rules.
> You may also be interested in DoS, DDoS and various other traffic profile
> and behavioral aspects of IPS. It lacks in these aspects relatively.
>
> 5. Added to it, if you want to add multiple IPv6 packet processing,
> Snort sometimes eats up the heap crazily.
>
> 6. Adding a new extension to Snort, e.g. AppID detection, is equally not
> easy. The engine structure for Suricata is assumably far better for adding new
> plugins, e.g. app detection at various layers.
>
> 7. If you want to do packet processing and detection using a single pass,
> then Snort would not be an option, nor do I believe it supports it. The state
> machine for Snort during session based protocols was not much supported or
> may require addons to support it by default. Advanced evasions and new app
> threat detection in Snort, e.g. evading JS exploits in PDF files, relatively
> require new protocol and app detection. For traditional IDS, you may want
> to consider Snort; instead I would recommend Suricata.
>
> Thanks!
> Santhosh
> ________________________________________
> From: Robert Bruce [precious.king...@gmail.com]
> Sent: Monday, November 18, 2013 10:18 AM
> To: users@cloudstack.apache.org
> Subject: Re: Distributed Intrusion Detection System in Cloud Computing
>
> Hello everyone!
>
> I want to develop a Signature Based Distributed Intrusion Detection System
> (DIDS) to detect distributed intrusions in Cloud environment.
> Yes, I intend to deploy it in CloudStack.
>
> I want to modify the correlation module to enhance detection capability
> already being provided by Snort.
> Can you please help me in the selection of a good technique to improve the
> correlation module?
>
> Thanks and Regards,
> Robert
>

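As an added, illustrative example (not code from this thread, from CloudStack, or from the Suricata project), here is one simple correlation step of the kind Robert asks about: reading Suricata EVE JSON alert records collected from several sensors and flagging any signature that fires on at least N distinct sensors within a short window. A single node would treat each of those alerts as isolated noise; only the cross-sensor view shows the distributed pattern. The sample records are constructed, the sid values and signature texts are made up, and the code assumes each record carries a "host" field naming the sensor that produced it (a log shipper can add that field if the sensor does not).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: records of the shape Suricata writes to eve.json,
# one JSON object per line, here gathered from three cloud nodes. The "host"
# field naming the sensor is an assumption of this example (a log shipper can
# add it if the sensor does not). The sid values 1000001/1000002 and the
# signature texts are made up for the demo; the IPs are documentation ranges.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2013-11-18T10:18:00.000000+0000","event_type":"alert","host":"vm-a",'
    '"src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,'
    '"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"timestamp":"2013-11-18T10:18:10.000000+0000","event_type":"alert","host":"vm-b",'
    '"src_ip":"198.51.100.8","dest_ip":"10.0.0.6","alert":{"signature_id":1000001,'
    '"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"timestamp":"2013-11-18T10:18:15.000000+0000","event_type":"alert","host":"vm-a",'
    '"src_ip":"203.0.113.2","dest_ip":"10.0.0.5","alert":{"signature_id":1000002,'
    '"signature":"LOCAL HTTP path traversal attempt","severity":2}}',
    '{"timestamp":"2013-11-18T10:18:20.000000+0000","event_type":"flow","host":"vm-c",'
    '"src_ip":"10.0.0.9","dest_ip":"10.0.0.5"}',
    '{"timestamp":"2013-11-18T10:18:25.000000+0000","event_type":"alert","host":"vm-c",'
    '"src_ip":"198.51.100.9","dest_ip":"10.0.0.7","alert":{"signature_id":1000001,'
    '"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"timestamp":"2013-11-18T10:20:30.000000+0000","event_type":"alert","host":"vm-a",'
    '"src_ip":"203.0.113.2","dest_ip":"10.0.0.5","alert":{"signature_id":1000002,'
    '"signature":"LOCAL HTTP path traversal attempt","severity":2}}',
]


def parse_alerts(lines):
    """Keep only event_type == "alert" records, normalise the fields the
    correlation needs, and return them ordered by timestamp."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http ... records are not alerts
        alerts.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sensor": rec["host"],
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "src_ip": rec["src_ip"],
        })
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(lines, window_seconds=60, min_sensors=3):
    """Flag every signature that fires on at least `min_sensors` distinct
    sensors inside a sliding window of `window_seconds`. Returns one finding
    per signature, for the first window in which the threshold is crossed."""
    window = timedelta(seconds=window_seconds)
    by_sid = defaultdict(list)
    for a in parse_alerts(lines):
        by_sid[a["sid"]].append(a)  # lists stay time-ordered

    findings = []
    for sid, group in by_sid.items():
        for i, newest in enumerate(group):
            # All alerts of this signature inside the window ending at `newest`.
            in_window = [a for a in group[: i + 1] if newest["ts"] - a["ts"] <= window]
            sensors = {a["sensor"] for a in in_window}
            if len(sensors) >= min_sensors:
                findings.append({
                    "signature_id": sid,
                    "signature": newest["signature"],
                    "sensors": sensors,
                    "sources": sorted({a["src_ip"] for a in in_window}),
                    "first_seen": in_window[0]["ts"].isoformat(),
                    "last_seen": newest["ts"].isoformat(),
                })
                break  # one finding per signature is enough here
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVE_LINES):
        print(f"sid {f['signature_id']} ({f['signature']}) seen on "
              f"{len(f['sensors'])} sensors {sorted(f['sensors'])} "
              f"from {f['sources']} between {f['first_seen']} and {f['last_seen']}")
```

On the sample data only sid 1000001 is reported: it fires on vm-a, vm-b and vm-c within 25 seconds, while sid 1000002 stays on one sensor and its two alerts are more than a minute apart. The window length and sensor threshold are the "set of parameters" to tune per deployment; in a real setup the alerts would be shipped from each node to a central collector rather than read from a list.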