    Can Snort & Suricata exist on same installation?

    IDS/IPS
    AR15USR:

      I currently have Snort configured and running but I'm interested in checking out Suricata for a possible switch over.

      Can I install Suricata whilst already having Snort installed? Maybe just run Snort on the WAN and Suricata on the LAN for a testing period?


      2.4.5-RELEASE-p1 (amd64)

      bmeeks:

        @AR15USR:

        I currently have Snort configured and running but I'm interested in checking out Suricata for a possible switch over.

        Can I install Suricata whilst already having Snort installed? Maybe just run Snort on the WAN and Suricata on the LAN for a testing period?

        Sure, but you can't run them both in blocking mode unless you operate Suricata using the new inline IPS mode.  That's because Snort and Suricata share the same pf firewall table for storing their blocked IP addresses, so if both packages are in blocking mode (with Suricata in Legacy mode blocking) they will clash over the pf table and not play well together.

        Inline IPS mode is only supported on a few network cards, though.  If the NIC in your firewall on the interface where you want to run Suricata is not on the supported list, switching on IPS mode in Suricata will break connectivity all the way up to possibly needing a firewall reboot to fix.  So be warned!  Check your NIC compatibility first.  Look for "netmap support".  Searching Google and the FreeBSD site will help you see if the NIC hardware and associated driver on your firewall support netmap (which is used by Suricata for inline IPS mode).

        I would just leave Snort as-is and install Suricata on the other interface in IDS mode.  Do not enable blocking.  You will be able to see all the alerts Suricata generates and from that determine how you like it as compared to Snort.

        Bill

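The "check your NIC compatibility first" step above can be turned into a small pre-flight script. The following POSIX sh is an added example, not code from this thread or from the pfSense Snort/Suricata packages. It assumes that FreeBSD interface names are the driver name plus a unit number (em0, igb1, vtnet0), that the kernel exposes /dev/netmap when netmap is available, and that NETMAP_DRIVERS is filled in by the administrator from the netmap(4) manual page of the FreeBSD release actually installed; the values shown are placeholders, not an authoritative list.

```shell
#!/bin/sh
# Added example: pre-flight check before enabling Suricata inline IPS (netmap) on an interface.
# NETMAP_DRIVERS is a placeholder list; replace it with the drivers named in netmap(4)
# for your FreeBSD/pfSense release. Interfaces whose driver is not listed must stay in
# IDS mode (or Legacy-mode blocking), otherwise enabling netmap can break connectivity.
NETMAP_DRIVERS="em igb ix ixl vtnet re cxgbe lem"

# driver_of IFNAME -> prints the driver part of an interface name (trailing unit digits stripped)
driver_of() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# netmap_supported IFNAME [LIST] -> exit 0 if the driver is in LIST (default NETMAP_DRIVERS)
netmap_supported() {
    drv=$(driver_of "$1")
    list=${2:-$NETMAP_DRIVERS}
    for d in $list; do
        [ "$d" = "$drv" ] && return 0
    done
    return 1
}

# netmap_device_present -> exit 0 if the running kernel exposes the netmap character device
netmap_device_present() {
    [ -c /dev/netmap ]
}

# unsupported_ifaces "if0 if1 ..." -> prints the interfaces that must NOT get inline IPS mode
unsupported_ifaces() {
    out=""
    for ifn in $1; do
        if ! netmap_supported "$ifn"; then
            out="${out:+$out }$ifn"
        fi
    done
    printf '%s\n' "$out"
}

# On the firewall itself:  sh netmap_check.sh $(ifconfig -l)
if [ $# -gt 0 ]; then
    netmap_device_present || echo "warning: /dev/netmap not present; netmap is unavailable in this kernel"
    for ifn in "$@"; do
        if netmap_supported "$ifn"; then
            echo "$ifn: driver $(driver_of "$ifn") is in the netmap list"
        else
            echo "$ifn: driver $(driver_of "$ifn") NOT in the netmap list; keep Suricata in IDS mode here"
        fi
    done
fi
```

Run it with the output of `ifconfig -l` as arguments; anything reported as "NOT in the netmap list" (USB NICs, PPPoE or VLAN pseudo-interfaces, unlisted drivers) is an interface where Suricata should stay in IDS mode, which is also what the reply above recommends for the trial period.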