Snort versus suricata

IDS/IPS
Log in to reply
  • G

    For those experienced members, may I ask which do you suggest is more effective on ids and ips.

    0
  • D

    For us, it was a no-brainer.  Snort, being single-threaded, just didn't have a fast enough core per interface to process our traffic.  It was only capable of analyzing, at best, 30% of our traffic.  Analysis engine drop rates were usually above 80%.  Our firewalls are dual-processor, 2.6Ghz, 10-core, hyper-threaded monsters that were mostly bored (typical load average was 3.5), but unable to do the work required.

    We switched to Suricata (which was our original plan).  Now the packet drop rates from the analyzers are consistently < .05%.  Virtually ALL of our traffic is analyzed.  Our firewalls run at <25% CPU utilization at peak times, with load averages cresting around 8.5.

    Our only gripe at this point is that we cannot run it in Inline mode due to various issues with netmap, NIC drivers, Suricata and lack of package updates.  I know that the devs are working hard to correct all of this and I look forward to the day I can chose the Inline mode of blocking.  Until then, I will carefully watch our block lists, tune our rulesets, put items in our Pass Lists, and persevere.

    Hope this helps

    0
  • C

    It helped me.  Thanks!

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy