cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tuna <>
Subject Re: Distributed Intrusion Detection System in Cloud Computing
Date Thu, 21 Nov 2013 21:49:36 GMT
Hi guys,

Just take a look onto Suricata. It's very nice. I took a chance to implement Snort as another
SystemVM in CloudStack. That SystemVM worked well, but Snort was terrible. Will try with Suricata.


On Nov 21, 2013, at 23:07, Robert Bruce <> wrote:

> Sir Santhosh,
> I am very grateful to you for your help. According to your recommendation,
> I have studied about Suricata and concluded that it is a much better NIDS
> for use in cloud environment. It is well developed and well documented.
> Well, actually, I want to detect distributed intrusions in cloud for which
> I would have to utilize the correlation module of aforementioned NIDS. Can
> you please guide me which would be the appropriate approach, like some
> algorithm or a set of parameters to modify the rules in Suricata.
> Thanking you in anticipation!
> Best Regards,
> Robert
> On Mon, Nov 18, 2013 at 9:58 AM, Santhosh Edukulla <
>> wrote:
>> Robert,
>> 1. Snort engine has its various limitations, unless we have reservations
>> to use it. Instead , we can go with Suricata.
>> 2. Suricata is multithreaded against snort which is single threaded.
>> Performance is one big issue with snort.
>> 3. snort works under dual license mode, controlled by its parent company
>> sourcefire which releases signatures after two weeks( or so ) as to
>> community releases and sometimes the releases and development features of
>> snort are as well controlled by them with no signatures for new and zero
>> day detections, In NIDS space, i heard that suricata has lot of support in
>> terms of signature development.
>> 4. Snort purely works on PCRE rule parsers, the protocol state machine and
>> as well inline engine support for snort is relatively not advanced. It adds
>> lot of performance drain during its preprocessing cycle. For IPS\IDS, you
>> may wanted to add threat detection based not only on signatures and rules.
>> You may also be interested in DOS, DDOS  and various other traffic profile
>> and behavorial aspects of IPS. It lacks in these aspects relatively.
>> 5. Added with it, if you wanted to add multiple IPV6 packet processing.
>> Snort some times eats up the heap crazily.
>> 6. Adding a new extension to snort EX: APPID detection is equally not
>> easy. The engine structure for suricata assumably is far better to add new
>> plugin addition EX: APP detection at various layers.
>> 7. If you wanted to do packet processing and detection using single pass,
>> then snort would not be any option, not i believe it supports. State
>> machine for snort during session based protocols was not much supported or
>> may require addons to support it by default. Advanced evasions, new app
>> threat detection in snort EX: Evading js exploits in pdf files relatively
>> requires new protocol and app detection. For traditional IDS,you may wanted
>> to consider snort, instead i would recommend suricata.
>> Thanks!
>> Santhosh
>> ________________________________________
>> From: Robert Bruce []
>> Sent: Monday, November 18, 2013 10:18 AM
>> To:
>> Subject: Re: Distributed Intrusion Detection System in Cloud Computing
>> Hello everyone!
>> I want to develop a Signature Based Distributed Intrusion Detection System
>> (DIDS) to detect distributed intrusions in Cloud environment.
>> Yes, I intend to deploy it in CloudStack.
>> I want to modify the correlation module to enhance detection capability
>> already being provided by Snort.
>> Can you please help me in selection of a good technique to improve
>> correlation module?
>> Thanks and Regards,
>> Robert

View raw message