Snort versus Suricata

    IDS/IPS
genesislubrigas:

For those experienced members, may I ask which you suggest is more effective for IDS and IPS?

dhboyd26:

For us, it was a no-brainer. Snort, being single-threaded, just didn't have a fast enough core per interface to process our traffic. It was only capable of analyzing, at best, 30% of our traffic. Analysis engine drop rates were usually above 80%. Our firewalls are dual-processor, 2.6 GHz, 10-core, hyper-threaded monsters that were mostly bored (typical load average was 3.5), but unable to do the work required.

We switched to Suricata (which was our original plan). Now the packet drop rates from the analyzers are consistently < 0.05%. Virtually ALL of our traffic is analyzed. Our firewalls run at < 25% CPU utilization at peak times, with load averages cresting around 8.5.

Our only gripe at this point is that we cannot run it in Inline mode due to various issues with netmap, NIC drivers, Suricata and lack of package updates. I know that the devs are working hard to correct all of this and I look forward to the day I can choose the Inline mode of blocking. Until then, I will carefully watch our block lists, tune our rulesets, put items in our Pass Lists, and persevere.

        Hope this helps

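The drop-rate figures above (80%+ with Snort, under 0.05% with Suricata) are the number to watch on your own sensor. As an added example, not from the thread or from either project, the script below computes the per-interval kernel drop rate from Suricata's EVE `stats` events; it assumes an AF_PACKET-style capture that reports cumulative `capture.kernel_packets` / `capture.kernel_drops` counters, and the sample EVE lines are constructed.

```python
import json
from typing import Iterable

# Constructed sample EVE lines (assumption: made up for this example, not from the thread).
# Suricata's stats events carry cumulative capture counters under these field names.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1000000,"kernel_drops":850000}}}
{"timestamp":"2024-01-01T10:00:08.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":2000000,"kernel_drops":1700000}}}
{"timestamp":"2024-01-01T10:00:16.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":3000000,"kernel_drops":1700400}}}
{"timestamp":"2024-01-01T10:00:17.000000+0000","event_type":"alert","alert":{"signature":"constructed sample alert"}}
"""

def interval_drop_rates(eve_lines: Iterable[str]) -> list[tuple[str, float]]:
    """Return (timestamp, drop percentage) for each stats interval.

    Counters are cumulative, so each interval's rate comes from the delta against
    the previous stats event (the first event is measured from zero). Non-stats
    events are skipped; a counter going backwards means Suricata restarted, so
    the baseline is reset rather than reporting a negative rate.
    """
    rates: list[tuple[str, float]] = []
    prev_pkts, prev_drops = 0, 0
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture", {})
        pkts, drops = cap.get("kernel_packets"), cap.get("kernel_drops")
        if pkts is None or drops is None:
            continue
        d_pkts, d_drops = pkts - prev_pkts, drops - prev_drops
        prev_pkts, prev_drops = pkts, drops
        if d_pkts <= 0 or d_drops < 0:  # idle interval or counter reset: nothing to rate
            continue
        rates.append((ev["timestamp"], 100.0 * d_drops / d_pkts))
    return rates

def intervals_over_threshold(eve_lines: Iterable[str], max_drop_pct: float = 0.05):
    """Intervals whose drop rate exceeds the ceiling (default 0.05%, the figure
    dhboyd26 reports after the switch to Suricata)."""
    return [(ts, pct) for ts, pct in interval_drop_rates(eve_lines) if pct > max_drop_pct]

if __name__ == "__main__":
    for ts, pct in interval_drop_rates(SAMPLE_EVE.splitlines()):
        print(f"{ts}  kernel drop rate {pct:.3f}%")
    print(f"{len(intervals_over_threshold(SAMPLE_EVE.splitlines()))} interval(s) above 0.05%")
```

On a live sensor, feed it `eve.json` (or the output of `suricatasc -c dump-counters`) instead of the constructed sample; sustained intervals above the threshold mean the engine is not seeing all of the traffic, whatever the rules say.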
certifiable:

          It helped me.  Thanks!
