Can Snort & Suricata exist on same installation?



  • I currently have Snort configured and running but I'm interested in checking out Suricata for a possible switch over.

    Can I install Suricata whilst already having Snort installed? Maybe just run Snort on the WAN and Suricata on the LAN for a testing period?



  • @AR15USR:

    I currently have Snort configured and running but I'm interested in checking out Suricata for a possible switch over.

    Can I install Suricata whilst already having Snort installed? Maybe just run Snort on the WAN and Suricata on the LAN for a testing period?

    Sure, but you can't run them both in blocking mode unless you operate Suricata using the new inline IPS mode.  That's because Snort and Suricata share the same pf firewall table for storing their blocked IP addresses, so if both packages are in blocking mode (with Suricata in Legacy mode blocking) they will clash over the pf table and not play well together.

    Inline IPS mode is only supported on a few network cards, though.  If the NIC in your firewall on the interface where you want to run Suricata is not on the supported list, switching on IPS mode in Suricata will break connectivity all the way up to possibly needing a firewall reboot to fix.  So be warned!  Check your NIC compatibility first.  Look for "netmap support".  Searching Google and the FreeBSD site will help you see if the NIC hardware and associated driver on your firewall support netmap (which is used by Suricata for inline IPS mode).

    I would just leave Snort as-is and install Suricata on the other interface in IDS mode.  Do not enable blocking.  You will be able to see all the alerts Suricata generates and from that determine how you like it as compared to Snort.

    Bill
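A pre-flight check for the layout Bill describes (Snort left as-is on one interface, Suricata added on the other in IDS mode, no blocking), written here as an added example that is not from this thread or from the pfSense packages. The shared pf table name `snort2c` and the list of native-netmap driver prefixes are assumptions; verify them with `pfctl -s Tables` and netmap(4) on your own FreeBSD release.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for running Suricata
# beside Snort on a pfSense/FreeBSD firewall. The "snort2c" table name and the
# native-netmap driver list are assumptions; confirm them on your own release.

# Interface-name prefixes of drivers assumed to have native netmap support.
NETMAP_NATIVE="em igb ix ixl lem re vtnet"

# driver_of igb1 -> igb   (strip the unit number from an interface name)
driver_of() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# Returns 0 when the interface's driver is in the assumed native-netmap list.
netmap_native() {
    drv=$(driver_of "$1")
    for d in $NETMAP_NATIVE; do
        [ "$d" = "$drv" ] && return 0
    done
    return 1
}

# Args: <snort_blocking yes|no> <suricata_mode legacy|inline> <suricata_blocking yes|no>
# Prints "clash" only when both packages block AND Suricata uses Legacy mode,
# because only then do both daemons write the same pf table.
blocking_verdict() {
    if [ "$1" = yes ] && [ "$3" = yes ] && [ "$2" = legacy ]; then
        echo clash
    else
        echo ok
    fi
}

# Combine the checks for one planned layout. Returns non-zero if a risk is found.
# Args: <suricata_if> <snort_blocking> <suricata_mode> <suricata_blocking>
check_deployment() {
    rc=0
    if [ "$(blocking_verdict "$2" "$3" "$4")" = clash ]; then
        echo "RISK: Snort and Suricata (Legacy mode) would both write the shared pf table"
        rc=1
    fi
    if [ "$3" = inline ] && ! netmap_native "$1"; then
        echo "RISK: $1 is not in the assumed native-netmap list; inline IPS may break connectivity"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: Suricata on $1 in this mode should coexist with Snort"
    return $rc
}

# On the firewall itself, this shows how many addresses the shared table holds
# (assumed name snort2c) so you can see which package is populating it.
live_table_count() {
    pfctl -t snort2c -T show 2>/dev/null | wc -l
}
```

Run it on the box as `check_deployment igb1 yes legacy no` for the recommended test layout (Snort blocking on WAN, Suricata in IDS mode on LAN); any line starting with RISK means the plan needs changing before enabling the package.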

