Suricata default rules

Hello folks,

I’m working on migrating our servers from snort to Suricata and there are a couple of things not clear to me.

  1. SID used in snort are equivalent to Suricata ones? I assume so but I cannot find this info anywhere to confirm.
  2. Snort has its own single “premium ruleset” (e.g. snortrules-snapshot-2983.tar.gz) while Suricata comes with several sources enabled be default, do they provide equivalent coverage? Any hint on how could I confirm that or investigate in that direction?

Thanks in advance


  1. SIDs are supposed to be unique identifiers for each rule in Suricata just like Snort. I am not aware of any ruleset using the same SID ranges as the Snort rules so there should not be any collisions. Not really sure what kind of answer you are looking for.

  2. The Suricata developers do not create their own extensive ruleset as Cisco does with Snort. There are however as you have noticed yourself multiple third party paid and free ruleset providers.
    The rules are of course not identical to the ones provided by Cisco so I guess the coverage will technically never be identical. I guess you will just have to evaluate rule sources and deem if they are “good enough”, just like you would have had to do with the Snort ruleset. I am not familiar enough with the snort ruleset to make an comparison myself.

Thanks a lot for your reply, much appreciated. Your answer pretty much cover my initial concern.

I’m digging more into it to get a better understanding. In case it will be useful to others, I’ve found also this link that helps to map SIDs from ET.

GitHub - klingerko/nids-rule-library: Collection of various open-source an commercial rulesets for NIDS (especially for Suricata and Snort) also lists some available rulesets for Suricata,

1 Like