4. Snort versus suricata

Snort versus suricata

  • G

    For those experienced members, may I ask which do you suggest is more effective on ids and ips.

    0
  • D

    For us, it was a no-brainer.  Snort, being single-threaded, just didn't have a fast enough core per interface to process our traffic.  It was only capable of analyzing, at best, 30% of our traffic.  Analysis engine drop rates were usually above 80%.  Our firewalls are dual-processor, 2.6Ghz, 10-core, hyper-threaded monsters that were mostly bored (typical load average was 3.5), but unable to do the work required.

    We switched to Suricata (which was our original plan).  Now the packet drop rates from the analyzers are consistently < .05%.  Virtually ALL of our traffic is analyzed.  Our firewalls run at <25% CPU utilization at peak times, with load averages cresting around 8.5.

    Our only gripe at this point is that we cannot run it in Inline mode due to various issues with netmap, NIC drivers, Suricata and lack of package updates.  I know that the devs are working hard to correct all of this and I look forward to the day I can chose the Inline mode of blocking.  Until then, I will carefully watch our block lists, tune our rulesets, put items in our Pass Lists, and persevere.

    Hope this helps

    0
  • C

    It helped me.  Thanks!

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy