Snort or Suricata which one is better?
-
I'm new to pfSense, I need to evaluate IDS and IPS packages
before purchasing the SG 2100.
For IDS and IPS, I read that I need to install Snort or Suricata.
I wonder which one is the best, so that I just use one only for
the SG 2100 I'm contemplating purchasing. Any comments or help on this issue is much appreciated.
-
@tim-lakinir
Personally I go with Suricata, but not always.
Most of the time I run pfBlocker and a bunch of rules... Works pretty well.
BrNp
-
There is no "best". They both do essentially the same thing. There are only a few feature differences between them. Snort offers the OpenAppID layer 7 DPI feature. That works mostly by examining header stuff in packets. It can't peer into fully encrypted payloads, but is still useful for detecting certain kinds of traffic such as social media, streaming, torrents, etc., and alerting on it.
Suricata lacks a layer 7 DPI feature, but offers quite extensive logging via its EVE JSON log options. Suricata also has a number of specialized protocol parsers that Snort currently lacks.
Lastly, the biggest difference in the two packages is that Snort is single-threaded while Suricata is multithreaded. In some cases, with very high traffic loads composed of multiple different flows, Suricata will have a throughput performance edge. But with a box like the SG-2100 this edge would be minimal. This is especially true for a home network.
One thing to watch with the base SG-2100 model is the relatively small disk storage space available (8 GB). Packages like Snort and Suricata can generate a ton of log files that will eat up disk space. You most definitely will want to learn about and enable the Log Management features available in each package (and maybe also consider upgrading to the SG-2100 option with 32 GB of storage space).
-
Many Thanks to both of you
I think I'll buy the SG2100 box with the 32GB option and will have to learn about the log management. Also, I'm living in Canada, I want to know where I can buy this SG2100 box. Is it from Amazon?
-
@timlak Netgate sells via shop.netgate.com. If they don't ship to Canada (??) then they sell on Amazon...IIRC it is a bit more but shipping is included.
With deference to bmeeks, who maintains these packages for pfSense, we haven't had a problem with disk space usage as long as log rotation is enabled. I just looked at our office router and all of pfSense is using 1.8 GB. Obviously what is being logged makes a big difference too.
-
I'm a novice as well and still going through the learning pains, however I can offer this bit of insight/experience.
They both essentially do the same thing, however they just do it differently.
That being said, I started out with Snort; I have now been running Suricata. Suricata has its own rules and can run the Snort rules as well, so you get the best of both worlds. Also, Suricata is more modern and built to take advantage of modern multi-core CPUs, whereas Snort in the beginning could only run on a single thread. The latest version of Snort was re-written to take advantage of multiple cores, but how well it does it in its current incarnation, I don't know.
Suricata is also capable of inline scanning; I don't know if Snort is at the moment.
Hope that helps!
-
@jc1976 said in Snort or Suricata which one is better?:
I'm a novice as well and still going through the learning pains, however I can offer this bit of insight/experience.
They both essentially do the same thing, however they just do it differently.
That being said, I started out with Snort; I have now been running Suricata. Suricata has its own rules and can run the Snort rules as well, so you get the best of both worlds. Also, Suricata is more modern and built to take advantage of modern multi-core CPUs, whereas Snort in the beginning could only run on a single thread. The latest version of Snort was re-written to take advantage of multiple cores, but how well it does it in its current incarnation, I don't know.
Suricata is also capable of inline scanning; I don't know if Snort is at the moment.
Hope that helps!
Suricata can use most Snort rules, but not all. If you were to enable all of the Snort rule categories in Suricata, you would see up to a couple hundred or more fail to load and generate errors in the suricata.log file for the interface. It won't stop Suricata from starting, but it will discard those Snort rules that contain syntax Suricata does not understand.
Snort3 is the latest multithreaded version of Snort from upstream, but it does not yet exist as a pfSense package. So multithreaded Snort is not possible for now on pfSense.
The current Snort version on pfSense does indeed offer an Inline IPS Mode, the same as Suricata.
-
@bmeeks Thank you Sir
I will install Suricata as it looks good.
-