IDS decisions for home network



  • I'm trying to decide whether to go with Snort or Suricata on my home network.

    One of the deciding factors is going to be rulesets. Is the Talos paid subscription worth purchasing?



  • I'm also trying to weigh the differences of Inline vs. Legacy. As per the note from @bmeeks it seems that Inline is the way to go. That would give an advantage to Suricata. I've read many posts about Suricata not being able to fully utilize the Snort Talos ruleset. What is the verdict on this?

    How is This Different Than Today and Why is It Better?
    Today, Suricata works in conjunction with the packet filter (pf) engine in the firewall to block offending traffic.  However, Suricata does not sit inline between the NIC and the firewall.  Instead, the PCAP library is used to make copies of the packets as they move from the network card to the kernel and packet filter.  Suricata examines those copies while the original packets continue on to the packet filter.  The firewall may drop them for not matching rules, but otherwise those packets are allowed through.  Suricata generally needs to examine several packets in order to determine if traffic is malicious or not.  While it is doing that with those copies of the packets, remember that the original packets are still getting through.  They have even established a "state" in the firewall's state table and will continue flow even if later Suricata wants to block them.  We call these early packets that get through "packet leakage".  If Suricata determines the traffic is malicious (matches one or more rules), then it inserts the offending IP address into the FreeBSD packet filter table called snort2c.  This is a custom table created by pfSense at boot up and is located very early in the firewall rule chain. If you have enabled the "kill states" option for Suricata, then it will also clear the state table entries for the IPs it blocks in order to terminate any flows (sessions) that may have been established by those early packets that got through while Suricata was analyzing the copies.  With inline mode, there is no packet leakage.  This greatly enhances security.



  • Don't sweat too much for just a home network.  That's not exactly a juicy target for nation-state hackers.  Either package will work fine for you.  Be aware that Inline IPS Mode with Suricata is very sensitive to having Netmap support in the NIC hardware driver.  Very few NICs work perfectly with Netmap on FreeBSD at the moment.  So depending on your hardware, Inline IPS Mode might not even work for you.  Legacy Mode Suricata will always work.

    As for rules, I pay the $30 for the annual Snort VRT subscription.  I'm still using Snort for my home network protection, but just because that's what I started with and never got around to changing even after I created the Suricata package for pfSense.  You can use a combination of the free Emerging Threats rules and the paid Snort subscription and have good security in my view.  You can also stay completely free and use the free Snort VRT rules.  You can register and use the free version, or register and pay for the subscription.  The carrot that comes with the paid subscription is you get new rules immediately upon them being released.  With the free version, you don't get new rules until they have been out for the paying folks for 30 days (in other words, the rules are 30 days old).

    Bill



  • Thanks Bill. My hardware is an APU2C4, but based on your feedback and additional research I am going to purchase the Talos ruleset and go with Snort. My pfSense is not only to defend my home network, but I am also building a lab for various things such as malware analysis. Thanks again for your wonderful contributions to the community.



  • @Heisenberg1977:

    Thanks Bill. My hardware is an APU2C4, but based on your feedback and additional research I am going to purchase the Talos ruleset and go with Snort. My pfSense is not only to defend my home network, but I am also building a lab for various things such as malware analysis. Thanks again for your wonderful contributions to the community.

    I have the APU2 & Suricata I tried inline mode but it was a bit crashy so I have it running in legacy mode the paid version of the Snort rules are excellent value I use them & its humming along great hopefully some day the Netmap support will improve for more NIC's



  • Is there an overfew of supported networkcards for inline mode?
    Using 2.4.x and FreeBSD 11, is there anything different to the old version 2.3.x?


Log in to reply