Netgate Discussion Forum

    Snort versus suricata

      genesislubrigas

      For those experienced members, may I ask which you suggest is more effective for IDS and IPS?

        dhboyd26

        For us, it was a no-brainer.  Snort, being single-threaded, just didn't have a fast enough core per interface to process our traffic.  It was only capable of analyzing, at best, 30% of our traffic.  Analysis engine drop rates were usually above 80%.  Our firewalls are dual-processor, 2.6 GHz, 10-core, hyper-threaded monsters that were mostly bored (typical load average was 3.5), but unable to do the work required.

        We switched to Suricata (which was our original plan).  Now the packet drop rates from the analyzers are consistently < .05%.  Virtually ALL of our traffic is analyzed.  Our firewalls run at <25% CPU utilization at peak times, with load averages cresting around 8.5.

        Our only gripe at this point is that we cannot run it in Inline mode due to various issues with netmap, NIC drivers, Suricata and lack of package updates.  I know that the devs are working hard to correct all of this and I look forward to the day I can choose the Inline mode of blocking.  Until then, I will carefully watch our block lists, tune our rulesets, put items in our Pass Lists, and persevere.

        Hope this helps

          certifiable

          It helped me.  Thanks!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.