Snort versus suricata



  • For those experienced members, may I ask which do you suggest is more effective on IDS and IPS?



  • For us, it was a no-brainer.  Snort, being single-threaded, just didn't have a fast enough core per interface to process our traffic.  It was only capable of analyzing, at best, 30% of our traffic.  Analysis engine drop rates were usually above 80%.  Our firewalls are dual-processor, 2.6Ghz, 10-core, hyper-threaded monsters that were mostly bored (typical load average was 3.5), but unable to do the work required.

    We switched to Suricata (which was our original plan).  Now the packet drop rates from the analyzers are consistently < .05%.  Virtually ALL of our traffic is analyzed.  Our firewalls run at <25% CPU utilization at peak times, with load averages cresting around 8.5.

    Our only gripe at this point is that we cannot run it in Inline mode due to various issues with netmap, NIC drivers, Suricata and lack of package updates.  I know that the devs are working hard to correct all of this and I look forward to the day I can choose the Inline mode of blocking.  Until then, I will carefully watch our block lists, tune our rulesets, put items in our Pass Lists, and persevere.

    Hope this helps.
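The drop-rate figures quoted above come from Suricata's own counters. The script below is an added example (not code from the forum post or from the Suricata project) that reads those counters and reports the capture drop rate against a chosen threshold. It assumes the `capture.kernel_packets` and `capture.kernel_drops` counters that Suricata's `stats.log` and EVE `stats` event expose, and the sample `stats.log` excerpt and EVE record embedded in it are constructed, not taken from a real sensor.

```python
"""Compute Suricata's capture drop rate from its stats output.

Added illustration for the thread above; not the poster's or Suricata's code.
Both sample inputs below are constructed to mimic the documented formats.
"""
import json
import re

# Constructed stats.log excerpt: Suricata writes "counter | thread name | value"
# rows, with a "Total" row aggregating all capture threads.
STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 12:05:00 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 2000000
capture.kernel_drops                          | Total                     | 800
decoder.pkts                                  | Total                     | 1999200
detect.alert                                  | Total                     | 42
"""

# Constructed EVE "stats" event: the JSON form of the same counters.
EVE_STATS = json.dumps({
    "timestamp": "2024-01-01T12:05:00.000000+0000",
    "event_type": "stats",
    "stats": {"uptime": 300,
              "capture": {"kernel_packets": 2000000, "kernel_drops": 800}},
})

# One stats.log row: counter name | thread name | integer value
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Return {counter_name: value} for the 'Total' rows of a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def parse_eve_stats(line):
    """Extract the capture counters from one EVE JSON line (stats events only)."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        return {}
    capture = event.get("stats", {}).get("capture", {})
    return {
        "capture.kernel_packets": capture.get("kernel_packets", 0),
        "capture.kernel_drops": capture.get("kernel_drops", 0),
    }


def drop_rate_percent(counters):
    """Drops as a percentage of packets seen by the kernel; None if nothing captured."""
    packets = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    if packets == 0:
        return None  # sensor idle or counters missing; avoid a divide by zero
    return 100.0 * drops / packets


def assess(counters, threshold=0.05):
    """Human-readable verdict; threshold is in percent (0.05 matches the post's target)."""
    rate = drop_rate_percent(counters)
    if rate is None:
        return "no packets captured"
    status = "OK" if rate <= threshold else "ABOVE THRESHOLD"
    return f"{rate:.3f}% dropped ({status}, threshold {threshold}%)"


if __name__ == "__main__":
    print("stats.log:", assess(parse_stats_log(STATS_LOG)))
    print("eve.json: ", assess(parse_eve_stats(EVE_STATS)))
```

Point it at a live `stats.log` or the `stats` records in `eve.json` and a sustained rate above the threshold means the engine is shedding traffic it never inspected, which is the condition the post describes for single-threaded Snort; a rate near zero with spare CPU is what you expect once capture threads match the interface load.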



  • It helped me.  Thanks!

