Snort vs Suricata for the latter half of 2021.
-
I've looked all over the web for the most recent comparisons between the two and they all seem pretty irrelevant now since Snort has now been rebuilt from the ground up and is multithreaded, etc.
So I was wondering what folks' opinions are. Since Snort has been rebuilt into a modern IDS/IPS, how do you think it compares to Suricata?
Anyone have any real-world testing examples?
-
-
@patch Yeah, I know about that thread; I responded to it when it was first started. However, it's been a long time and I was wondering if there have been any updates from the pros. I'm far from being a pro and I was just responding to another newbie from my own limited experience.
From reading up on the newer version of Snort, they've now rebuilt it from the ground up, so it does support multithreading, and since they've cut down the code base and fine-tuned it, it should be considerably more performant than the previous single-threaded version(s). I'm wondering if anyone has experience with it since the overhaul.
-
In terms of protocol decoders and logging options, Suricata wins hands down. The one feature Snort has that Suricata lacks is the OpenAppID Layer 7 capability. But that feature is really only of use in certain business environments where there is a desire to either prohibit, or severely limit, social media and streaming content access for employees during working hours. OpenAppID really has no valid application in home networks the way I see it.
The threading features net out a wash (or dead heat, if you prefer). But don't put too much faith in multithreading itself when talking about network traffic. There is the reality that a given flow must be processed by the same thread. And to really take advantage of threading with multiple flows, you need an OS stack and NIC driver combination that is very good at implementing RSS in order to actually spread the traffic load over available CPU cores. Having a multithreaded application is only the beginning of what is required to actually realize substantial performance boosts.
Any IDS/IPS package is really running on borrowed time in terms of the future unless you are willing to implement a full man-in-the-middle scheme to break the end-to-end encryption that is so common with all traffic these days. Even DNS traffic is becoming encrypted more and more often. Email has been encrypted for quite a long time now. And nearly 100% of web traffic is HTTPS (so encrypted as well). Without MITM, an IDS/IPS has practically zero visibility into packet payloads. The best it can do is examine the unencrypted header sections (source and destination IP addresses and ports), and maybe catch a glimpse of the initial cert info exchange between server and client to see what domain is being visited. That's pretty much how OpenAppID works. It's not actually looking at the raw data - just some header stuff.
I am not a fan of Snort3. The complete change in how you configure it sort of soured me on it because porting 2.9.x installations over to Snort3 is a large pain (I'm talking here from the point of view of auto-migrating someone's pfSense installation, for example). I also think the Snort team took way too long to get Snort3 out. I'm afraid they may have missed the boat as Suricata adoption increased during that long drought of Snort3's alpha and beta development time.
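To make the "glimpse of the initial exchange" point above concrete, here is an added example (not part of the thread, and not code from Snort, Suricata or OpenAppID) that pulls the Server Name Indication out of a TLS ClientHello. That plaintext SNI field, plus IPs and ports, is essentially all a passive sensor gets to see of an HTTPS connection without a MITM proxy. The example assumes TLS 1.2 or TLS 1.3 without Encrypted ClientHello; the ClientHello bytes it parses are constructed in the block itself. Function and constant names are the example's own.

```python
"""Extract the TLS Server Name Indication (SNI) from a ClientHello record.

Added example for this thread, not code from Snort, Suricata or the post
authors. Without MITM, the plaintext ClientHello (and in it the SNI
extension) is the only payload a passive IDS sees on a TLS connection.
Assumes TLS 1.2/1.3 without Encrypted ClientHello. The ClientHello bytes
produced by build_client_hello() are constructed test input.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16     # record ContentType for handshake messages
HS_CLIENT_HELLO = 0x01   # HandshakeType for ClientHello
EXT_SERVER_NAME = 0x0000 # extension type for server_name (SNI)


def build_client_hello(sni: Optional[str], version: bytes = b"\x03\x03") -> bytes:
    """Build a minimal, well-formed TLS record carrying a ClientHello (constructed input)."""
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension (supported_versions, 0x002b) so the parser must skip one.
    extensions += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    body = (
        version
        + b"\x00" * 32                           # client random (zeros are fine for a test)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([TLS_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None.

    None is also returned for non-handshake records, ClientHellos without SNI,
    and truncated or malformed input: a sensor must not crash on hostile bytes.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                       # skip client_version + random
        sid_len = body[pos]; pos += 1 + sid_len            # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len              # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:                              # walk the extension list
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if len(edata) < elen:
                return None
            if etype == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", edata[0:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    ntype = edata[q]
                    nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                    name = edata[q + 3:q + 3 + nlen]
                    q += 3 + nlen
                    if ntype == 0 and len(name) == nlen:
                        return name.decode("ascii", errors="replace")
        return None
    except (struct.error, IndexError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))           # example.com
    print(extract_sni(build_client_hello(None)))                    # None
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))                # None (application data)
```

Everything after this ClientHello is ciphertext, so a rule that wants to act on the destination name (the OpenAppID-style use case in the post above) has to key off this field, or off the certificate in a TLS 1.2 ServerHello; once Encrypted ClientHello is deployed even that field goes dark.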