Netgate Discussion Forum

    Snort and Suricata at the same time

      michmoor LAYER 8 Rebel Alliance

      I have a use case that I am currently running where I have both IDS packages installed. I have Suricata running with certain rule sets blocking IPs. Additionally I have the Snort VRT rule set running as well.

      I have Snort running ONLY for OpenAppID. I only care about identifying applications.

      My question is, is this a valid use case for these two packages? Can they run at the same time without conflict? Is performance degradation going to be a problem?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        bmeeks

        Performance degradation will certainly be an issue. It's the same as running two anti-virus packages on the same host at the same time. Everything is double-scanned.

        The one place they are likely to collide is the use of the snort2 pf table used for Legacy Mode blocking in both packages. Probably will coexist fine, but just note that if you clear all blocks from either package, you will wind up clearing things that both packages may have placed in there.

        I'm pretty sure that if you try to run both in Inline IPS Mode on the same interface you will get a crash. I don't think the netmap device would like that setup at all.

          michmoor LAYER 8 Rebel Alliance @bmeeks

          @bmeeks OK, so using two IDS in non-blocking mode may work, but not as an IPS. That makes sense. Was curious if Snort just for the OpenAppID use case could still be used, but it doesn't seem like it. OK, fair enough.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.