2 Questions on Suricata (Rules & Vs Zeek)

Ok so the first one is kind of a general question, but trying to figure out the best way forward.
Preface: Using Suricata 4.0.11 right now, moving to 5 soon. Using ET Rules only.

Say using ET Rules, is there a generally known list of noisy rules, or ones that are for the most part disabled/thresholded? I know this is very dependent on the type of network, what is in the network, and where you are getting the data from. Maybe a better question: where is the best place to get some knowledge on tuning? Would just having a sample of the data and seeing what is produced with everything enabled be the best bet?

2nd Question: Is there somewhere to read about what is better, or what the difference is, between say Suricata DNS logging and Zeek DNS logging? Or any of the others that they both kind of do: SSH, JA3, TLS, HTTP. Trying to get more knowledge on what might work best where and for what.

In ET, quite a few rules are already disabled. But you should try to run the whole ruleset (at least the default one) and start disabling rules, unless you already spot some rules for protocols/traffic that you don't expect to see.
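As an added illustration of the "run everything, then look at what fires" approach (this is example code, not part of the thread or of Suricata/suricata-update itself): the script below reads EVE JSON output, counts alerts per signature ID, flags the signatures that dominate the alert volume, and renders candidate lines in the two formats suricata-update and Suricata consume for tuning, a `disable.conf` (one SID per line, `#` comments) and a `threshold.config` (`threshold gen_id 1, sig_id ..., type limit, ...`). The EVE records and the 21000xx signature IDs are constructed for the example and are not real ET rules; the 50% share cutoff is an arbitrary starting point.

```python
import json
from collections import Counter

# Constructed EVE JSON sample (not real traffic, not real ET rules).
# One non-alert record is included to show that it is skipped.
SAMPLE_EVE = """
{"timestamp":"2020-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","proto":"UDP","alert":{"signature_id":2100001,"rev":3,"signature":"EXAMPLE NOISY DNS QUERY RULE","severity":3}}
{"timestamp":"2020-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"8.8.8.8","proto":"UDP","alert":{"signature_id":2100001,"rev":3,"signature":"EXAMPLE NOISY DNS QUERY RULE","severity":3}}
{"timestamp":"2020-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.6","dest_ip":"8.8.8.8","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2020-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"8.8.8.8","proto":"UDP","alert":{"signature_id":2100001,"rev":3,"signature":"EXAMPLE NOISY DNS QUERY RULE","severity":3}}
{"timestamp":"2020-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"8.8.8.8","proto":"UDP","alert":{"signature_id":2100001,"rev":3,"signature":"EXAMPLE NOISY DNS QUERY RULE","severity":3}}
{"timestamp":"2020-01-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":2100002,"rev":1,"signature":"EXAMPLE HTTP USER-AGENT RULE","severity":2}}
{"timestamp":"2020-01-01T10:02:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.11","proto":"TCP","alert":{"signature_id":2100003,"rev":2,"signature":"EXAMPLE SUSPICIOUS TLS SNI RULE","severity":1}}
"""


def alert_counts(eve_text):
    """Count alerts per signature_id; also return sid -> signature name.

    Non-alert events and malformed lines are skipped so the script can be
    pointed at a raw eve.json that mixes alert, dns, tls, ... records.
    """
    counts = Counter()
    names = {}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        if sid is None:
            continue
        counts[sid] += 1
        names[sid] = alert.get("signature", "")
    return counts, names


def dominant_sids(counts, share=0.5):
    """SIDs responsible for at least `share` of all alerts, most frequent first."""
    total = sum(counts.values())
    if total == 0:
        return []
    return [sid for sid, n in counts.most_common() if n / total >= share]


def render_disable_conf(sids, names):
    """suricata-update disable.conf: one sid per line, '#' starts a comment."""
    return "\n".join(f"{sid}  # {names.get(sid, '')}" for sid in sids)


def render_threshold_conf(sids, count=1, seconds=60):
    """threshold.config alternative: keep the rule but rate-limit it per source."""
    return "\n".join(
        f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, "
        f"count {count}, seconds {seconds}"
        for sid in sids
    )


if __name__ == "__main__":
    counts, names = alert_counts(SAMPLE_EVE)
    for sid, n in counts.most_common():
        print(f"{sid}\t{n}\t{names[sid]}")
    noisy = dominant_sids(counts)
    print("\n# candidate disable.conf entries")
    print(render_disable_conf(noisy, names))
    print("\n# or, candidate threshold.config entries")
    print(render_threshold_conf(noisy))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents; review each candidate before disabling, since a rule that fires constantly may be doing exactly what you want on that network, and thresholding (keeping the first hit per source per minute) is often the better first move than disabling outright.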

I think you’ll find Zeek and Suricata logging to be similar but different. One or both may meet your needs – depending on what your requirements are.

Both Zeek and Suricata support a community id – meaning, if you were to run both, you could correlate the Suricata and Zeek logs using the community id value. Community ids are essentially a hash on the address tuple.
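To make the "hash on the address tuple" concrete, here is an added example (not code from the thread, from Suricata, or from Zeek) that computes a version-1 Community ID the way the public spec describes it: a 16-bit seed, the two addresses, the IP protocol number, a zero pad byte and the two ports (for TCP, UDP and SCTP; other protocols omit the ports), with the endpoints put in a fixed order so that both directions of a flow hash to the same value, then SHA-1, base64, and a `1:` prefix. ICMP type/code mapping from the spec is left out for brevity. The Suricata-style and Zeek-style records at the bottom are constructed to show the join, and the seed default of 0 matches what both tools use unless configured otherwise.

```python
import base64
import hashlib
import ipaddress
import struct

# IP protocol numbers for which the spec includes the port pair in the hash.
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1 for a 5-tuple; direction-independent.

    ICMP/ICMPv6 type-code handling from the spec is intentionally omitted.
    """
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    has_ports = proto in PORT_PROTOS
    sport = struct.pack("!H", src_port) if has_ports else b""
    dport = struct.pack("!H", dst_port) if has_ports else b""

    # Canonical ordering: the endpoint with the smaller address (then the
    # smaller port if addresses are equal) goes first, so A->B and B->A
    # produce identical input bytes.
    if (saddr, sport) > (daddr, dport):
        saddr, daddr = daddr, saddr
        sport, dport = dport, sport

    data = (
        struct.pack("!H", seed)
        + saddr
        + daddr
        + struct.pack("BB", proto, 0)  # protocol, then one zero pad byte
        + sport
        + dport
    )
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


PROTO_NUM = {"TCP": 6, "UDP": 17, "SCTP": 132}


def id_from_suricata(rec):
    """Derive the ID from a Suricata EVE record's 5-tuple fields."""
    return community_id_v1(rec["src_ip"], rec["src_port"], rec["dest_ip"],
                           rec["dest_port"], PROTO_NUM[rec["proto"].upper()])


def id_from_zeek(rec):
    """Derive the ID from a Zeek conn.log-style record (id.orig_h/id.resp_h)."""
    return community_id_v1(rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"],
                           rec["id.resp_p"], PROTO_NUM[rec["proto"].upper()])


# Constructed records for one HTTP flow as each tool would see it.
SURICATA_ALERT = {"event_type": "alert", "src_ip": "192.0.2.10", "src_port": 51234,
                  "dest_ip": "198.51.100.20", "dest_port": 80, "proto": "TCP"}
ZEEK_CONN = {"id.orig_h": "192.0.2.10", "id.orig_p": 51234,
             "id.resp_h": "198.51.100.20", "id.resp_p": 80, "proto": "tcp"}


def same_flow(suricata_rec, zeek_rec):
    """True when both records hash to the same Community ID."""
    return id_from_suricata(suricata_rec) == id_from_zeek(zeek_rec)


if __name__ == "__main__":
    print(id_from_suricata(SURICATA_ALERT))
    print(id_from_zeek(ZEEK_CONN))
    print("same flow:", same_flow(SURICATA_ALERT, ZEEK_CONN))
```

In practice you would not recompute the hash at all: Suricata writes it as `community_id` in EVE when the `community-id` option is enabled in the output configuration, and Zeek adds a `community_id` column to `conn.log` through its Community ID package, so the join is a plain equality on that string. The point of recomputing it here is to see why the join works across the two tools, and that the seed has to agree on both sides or nothing will match. The spec repository ships test vectors you can check an implementation like this one against.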