Netgate Discussion Forum

    SNORT vs Suricata Detection

    pfSense Packages
    4 Posts 4 Posters 6.0k Views
    jahenders

      All,

      I've seen some discussion of the run-time efficiencies of Snort v Suricata and other discussions of ease of use and/or installation.

      However, what I'm really interested in is their effectiveness at detecting threats.

      In particular, if one primarily imports all of the open source rules (Emerging Threats, VST, etc), are there a significant number of things that Snort would find (based on those rules) that Suricata wouldn't?

      Likewise, are there a significant number of things that Suricata would find that Snort wouldn't?

      I understand that Suricata might error and reject a small portion of Snort rules, but is that factor significant?

      Any insights would be appreciated.

      A Former User

        The snort rules not loading in suricata doesn't bother me at all personally, since I don't use those rules with suricata.

        It all depends on what you are trying to protect. If this is for a home installation, the only ruleset that will help will be the ET one, and both snort and suricata can use that (each their own version). If you are running a home install, then you don't have anything to worry about, with regards to incoming traffic directly, since all incoming traffic is blocked by default. If you start poking holes by port forwards (or clients reverse tunneling out) then ET snort/suricata can give that extra boost.

        The snort rules (not the ET snort) I find to be a bit outdated, but that's just me.

        Once you understand your network to the point that you can write your own rules, those will take over, trust me.

        Of the 13K or so hosts that I once clocked, the vast majority (upwards of 80%) of those were due to custom rules. Make sure you read the snort/suricata blueprint guides in this forum, and wait for the new one to come out.

        fsansfil

          It depends on the threats…but

          It's possible to run both on pfSense, both with ease of installation! You can run both in log mode for a few weeks and see for yourself.

          I used to run Suricata with pfSense and Snort in tap, with Security Onion.

          Also, look for sites that actually test threats against both rulesets, like http://www.malware-traffic-analysis.net/

          F.

          bmeeks
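As an added example (not from any poster in this thread), here is one way to do the "run both in log mode and compare" exercise: both Snort and Suricata can write fast-format alert lines that share the `[gid:sid:rev] msg [**] ... {PROTO} src -> dst` layout, so the two logs can be parsed with one regex and diffed by rule SID. The sample log lines, SIDs (local-rule range) and addresses below are constructed for the demonstration.

```python
import re

# Fast-alert layout shared by Snort and Suricata (timestamp formats differ,
# so the timestamp is matched loosely as a single non-space token):
#   <ts>  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_fast_log(text):
    """Map each SID to its message and the set of (proto, src, dst) flows it fired on."""
    alerts = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-alert lines
        entry = alerts.setdefault(int(m["sid"]), {"msg": m["msg"], "flows": set()})
        entry["flows"].add((m["proto"], m["src"], m["dst"]))
    return alerts

def compare_engines(snort_text, suricata_text):
    """Return which SIDs fired only in Snort, only in Suricata, or in both."""
    snort, suri = parse_fast_log(snort_text), parse_fast_log(suricata_text)
    return {
        "snort_only": sorted(set(snort) - set(suri)),
        "suricata_only": sorted(set(suri) - set(snort)),
        "both": sorted(set(snort) & set(suri)),
    }

# Constructed sample logs: SIDs 1000001-1000003 are in the local-rule range,
# addresses are documentation/private ranges.
SNORT_FAST = """01/23-14:05:07.123456  [**] [1:1000001:1] LOCAL test alert A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
01/23-14:05:09.000001  [**] [1:1000002:1] LOCAL test alert B [**] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353
"""
SURICATA_FAST = """01/23/2015-14:05:07.123456  [**] [1:1000001:1] LOCAL test alert A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
01/23/2015-14:05:11.000002  [**] [1:1000003:1] LOCAL test alert C [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:44321 -> 203.0.113.7:443
"""

if __name__ == "__main__":
    for bucket, sids in compare_engines(SNORT_FAST, SURICATA_FAST).items():
        print(f"{bucket}: {sids}")
```

Point it at the real `alert`/`fast.log` files from each engine after a few weeks of log-only operation; SIDs in one bucket but not the other are where the rulesets (or rule-loading failures) actually diverge on your traffic.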

            Good advice above from jflsakfja and fsansfil.

            In my view it is sort of like preferring vanilla over chocolate when choosing an ice cream flavor. It is a case of personal taste.

            If you have a paid Snort VRT subscription, then those rules are updated twice per week (on Tuesdays and Thursdays). The Emerging Threats Open rules (ET-Open) are updated pretty much daily, but they cover a subset of the threats that are covered by the ET-Pro (paid) rules. The ET-Pro rules are also updated daily. Currently an ET-Pro subscription is $499/year. The Snort VRT (for home use) is $29.99/year. There are free Snort rules available that only require you to register, but they are 30-days old (meaning no protection for any threats newer than 30 days).

            So if you use the totally free rules from either Snort VRT or Emerging Threats, you have to accept the fact you are not protected from all of the current threats. However, as jflsakfja said, you can compensate by writing your own custom rules for either package (Snort or Suricata) if you fully understand your network and have a good grasp of the signatures for current malware threats.

            In my view, neither package is necessarily "better".

            Bill

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.