My Suricata pfsense suppress list

I just moved from Snort to Suricata. The reason for my move is that Snort would die on rule updates every so often on my pfSense firewall. I am not sure of the cause, but I was getting concerned about a false sense of security.

I am not stating that Suricata is better than Snort; in my situation, I simply needed to try something different.

From what I could tell, without a suppress list Suricata would create a lot of protocol alerts and other false positives produced by SaaS, appliances, Windows updates and TLS issues. These alerts were caused by the standard (and lousy) programming of internet-connected devices at home. Without a suppress list, if IP blocking were turned on, your internet-connected device would stop working. A major example for me was that Windows updates would cause a TLS error. Lookout for my cell phone would be blocked, and the list goes on.
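To decide what belongs on such a list, it helps to count which signatures keep firing from which internal host before blocking is enabled. The script below is an added example, not the author's suppress list: it reads Suricata eve.json alert records, counts repeat (signature, source IP) pairs, and renders them in threshold.config `suppress` syntax. The log lines and signature IDs are constructed placeholders, not real SIDs or captures.

```python
import json
from collections import Counter


def _alert(src, sid, sig):
    # Build one constructed eve.json alert record (placeholder SIDs, not real rules).
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": "203.0.113.10",
                       "alert": {"gid": 1, "signature_id": sid, "signature": sig}})


# Constructed sample log: two noisy hosts, one one-off alert, one non-alert event, one bad line.
SAMPLE_EVE_LINES = (
    [_alert("192.168.1.20", 9000001, "PLACEHOLDER TLS invalid record type")] * 4
    + [_alert("192.168.1.30", 9000002, "PLACEHOLDER HTTP unable to match response to request")] * 3
    + [_alert("192.168.1.40", 9000003, "PLACEHOLDER one-off alert")]
    + ['{"event_type":"flow","src_ip":"192.168.1.20"}', "not json at all"]
)


def parse_alerts(lines):
    """Yield (gid, sid, signature, src_ip) for each alert event; skip non-alerts and bad JSON."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        yield (a.get("gid", 1), a["signature_id"], a["signature"], ev["src_ip"])


def candidate_suppressions(lines, min_hits=3):
    """Return (gid, sid, src_ip, hits, signature) for pairs seen at least min_hits times, busiest first."""
    counts, names = Counter(), {}
    for gid, sid, sig, src in parse_alerts(lines):
        counts[(gid, sid, src)] += 1
        names[(gid, sid)] = sig
    return [(gid, sid, src, n, names[(gid, sid)])
            for (gid, sid, src), n in counts.most_common() if n >= min_hits]


def render_suppress(entries):
    """Render threshold.config 'suppress' lines, one per (gid, sid, src_ip), with a hit-count comment."""
    out = []
    for gid, sid, src, n, sig in entries:
        out.append(f"# {n} hits: {sig}")
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_suppress(candidate_suppressions(SAMPLE_EVE_LINES)))
```

Review each candidate before adding it: a `track by_src` entry silences that signature for that host entirely, so it suits known devices (the Windows update or phone cases above), not arbitrary sources.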
