Snort 2.9.2 Talos Signatures with Suricata

Hello all! I hope everyone in Suricata land is doing well!

For many years now, we’ve been running Suricata and attending Suricon. Over time, I’ve questioned the need to continue using Snort 2.9.X signatures and wanted other people’s opinions.

We currently use the ET (non-pro) signatures and have a subscription to Cisco Talos.

We understand that Snort 3.0 signatures are incompatible.

Snort 2.9.2 will eventually be EOL (no date has been set yet). I feel the ET vs. Talos signatures have a lot of “overlap”.

I want to get people’s opinions on this:

  1. Is the extra “load” on the sensor worth it? With extra load, we’re more likely to drop packets, and I’m not sure we’re getting the value from that.
  2. I know Suricata vs Snort signatures aren’t completely compatible. Aside from Suricata ERRORs on loading Snort rules, I feel it might be possible we have non-functional/less functional signatures being loaded. Is this hunch correct?
  3. With #2 in mind, we can’t use shared dynamic libraries. How does that affect Suricata’s efficiency with Snort signatures?

I’d like to hear what other people think about this topic. At my job, we discuss this issue “back and forth” every six months.

Thank you everyone!

  • Champ Clark

It’s hard to tell if it’s worth it or not. But keep in mind that not only would you see errors with some signatures, there is also a different behavior with some keywords. I would rather hope for a compatible ruleset from Talos but this is not very likely I guess.
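One way to get a concrete answer to the "non-functional signatures" question from the thread, rather than a hunch, is to audit a Snort rule file against the list of keywords the local Suricata build actually understands and to flag shared-object (`gid:3`) stubs that can never work without the `.so`. The script below is an added example, not code from the thread or from the Suricata project. It assumes the keyword allow-list is the output of `suricata --list-keywords` on your sensor; a small constructed subset is embedded so it runs offline, and the rules it audits are constructed samples. The definitive check is still `suricata -T -c suricata.yaml -S file.rules`, which exercises the real parser; this pre-check just tells you quickly which rules to look at and how many enabled rules you are adding to the sensor's load.

```python
"""Audit a Snort 2.9-style rule file for options a given Suricata build does not know.

Added example (not from the forum thread). The keyword allow-list is assumed to
come from `suricata --list-keywords`; a constructed subset is embedded here.
"""
import re

# Constructed subset of keyword names, the kind of list `suricata --list-keywords` prints.
# Replace with the real output from your sensor before auditing production rule sets.
KNOWN_KEYWORDS = {
    "msg", "content", "nocase", "depth", "offset", "distance", "within",
    "flow", "flowbits", "sid", "rev", "classtype", "reference", "metadata",
    "pcre", "http_uri", "http_method", "http_header", "fast_pattern",
    "byte_test", "byte_jump", "dsize", "threshold", "gid", "priority",
}

# action proto src sport dir dst dport (options)   -- optional leading '#' marks a disabled rule
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$'
)

# Constructed sample rules (sid 9000001-9000004 are not real Talos or ET signatures).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED plain rule"; flow:to_server,established; content:"GET"; http_method; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED option outside the allow-list"; flow:to_server; sd_pattern:5,credit_card; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED shared-object stub"; flow:to_server; gid:3; sid:9000003; rev:1;)
# alert udp any any -> any 53 (msg:"CONSTRUCTED disabled rule"; content:"|00 01|"; sid:9000004; rev:1;)
'''


def split_options(body):
    """Split the option body on ';' while honouring quotes and '\\;' escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:                       # character after a backslash is literal
            cur.append(ch)
            esc = False
            continue
        if ch == '\\':
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def audit_rules(rule_text, known=KNOWN_KEYWORDS):
    """Return counts plus a per-sid list of problems for every enabled rule."""
    report = {"total": 0, "enabled": 0, "issues": {}}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        report["total"] += 1
        if m.group(1):                # commented-out rule: counted, never loaded
            continue
        report["enabled"] += 1
        kv, unknown = {}, []
        for opt in split_options(m.group(4)):
            key, _, val = opt.partition(':')
            key = key.strip()
            kv.setdefault(key, val.strip())   # keep first occurrence (sid, gid, ...)
            if key not in known:
                unknown.append(key)
        sid = kv.get("sid", "?")
        issues = []
        if unknown:
            issues.append("unknown keywords: " + ", ".join(sorted(set(unknown))))
        if kv.get("gid") == "3":      # Snort shared-object rules carry gid:3
            issues.append("gid:3 shared-object rule (no .so available to Suricata)")
        if issues:
            report["issues"][sid] = issues
    return report


if __name__ == "__main__":
    result = audit_rules(SAMPLE_RULES)
    print(f'{result["enabled"]} of {result["total"]} rules enabled')
    for sid, problems in result["issues"].items():
        print(f"sid {sid}: " + "; ".join(problems))
```

Run it against a real Talos `.rules` file after replacing `KNOWN_KEYWORDS` with the sensor's own keyword list; rules reported with unknown keywords are the ones to verify with `suricata -T`, and the enabled-rule count is the number you are actually adding to the sensor's load.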