Suricata: Snort subscription vs ETPro subscription?

  • I have zero experience with either Snort subscriptions or ETPro subscriptions for Suricata. Can anyone give me a summary of the two? It is not clear to me if I need to subscribe to both or if they overlap. Snort subscription is $400/yr vs ETPro is $1000/yr. That is the extent of my knowledge on the topic.

  • Snort for home is only $30/yr, but Snort for business is more. I assume you are needing a subscription for a business.

    In terms of actual security, the rules between the two vendors are pretty much equivalent. Where things get differentiated is the support of certain rule options and keywords between Snort and Suricata.

    The short version of this is that there are a number of rule options and keywords that Snort supports but Suricata still does not. So if you use a Snort rules package on Suricata you will likely encounter some rules that Suricata will refuse to load. How many rules this is depends on which exact rules you enable. The Emerging Threats team (now part of ProofPoint) partnered with the Suricata development team several years ago, and Emerging Threats produces a rule set optimized for Suricata.

    So if you want to use Suricata, and your budget can take it, I would choose the ETPro rules subscription. If the $1000/yr is too steep, you might consider switching over to Snort instead and then use the Snort rules subscription. Obviously Snort will support all of the Snort subscription rules. You can use Snort rules on Suricata, but expect some of the rules to fail to load. Suricata will print errors for incompatible rules and log a summary in the suricata.log file for the interface. If you enable lots of rule categories, you can easily have more than 100 Snort rules that will fail to load on Suricata.
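The answer above leaves you with a suricata.log full of load errors and no quick way to see which Snort keywords are responsible or which sids to disable. The script below is an added example, not code from the thread or from the Suricata project. It assumes the classic (pre-7.x) single-line suricata.log format, where an unsupported keyword produces an `unknown rule keyword` error line immediately followed by an `error parsing signature ... from file ... at line N` line, and rule loading ends with a `N rule files processed. X rules successfully loaded, Y rules failed` summary. The log excerpt embedded in it is constructed for illustration (the sids, line numbers and counts are made up), and the disable-list output follows the one-sid-per-line convention that suricata-update's disable.conf accepts, which is an assumption on my part rather than something the thread states.

```python
"""Triage Snort rules that Suricata refused to load (added example).

Parses suricata.log, pairs each "unknown rule keyword" error with the
"error parsing signature" line that follows it, and reports:
  - every failed rule (sid, file, line, offending keyword if known)
  - how many failures each unsupported keyword caused
  - the loader's own summary counts
plus a list of sids suitable for a suricata-update style disable.conf.
"""
import re
from collections import Counter

# Constructed sample log: format mimics classic suricata.log output;
# the sids, line numbers, keywords and counts are illustrative only.
SAMPLE_LOG = """\
[3101] 5/3/2019 -- 09:12:41 - <Info> - Loading rule file: /etc/suricata/rules/snort.rules
[3101] 5/3/2019 -- 09:12:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(103)] - unknown rule keyword 'sd_pattern'
[3101] 5/3/2019 -- 09:12:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SENSITIVE-DATA test one"; sd_pattern:5,credit_card; sid:9000001; rev:1;)" from file /etc/suricata/rules/snort.rules at line 17
[3101] 5/3/2019 -- 09:12:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(103)] - unknown rule keyword 'sd_pattern'
[3101] 5/3/2019 -- 09:12:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SENSITIVE-DATA test two"; sd_pattern:2,us_social; sid:9000002; rev:1;)" from file /etc/suricata/rules/snort.rules at line 18
[3101] 5/3/2019 -- 09:12:43 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(103)] - unknown rule keyword 'protected_content'
[3101] 5/3/2019 -- 09:12:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 80 (msg:"protected content test"; protected_content:"293c9ea246ff9985dc6f62a650f78986"; hash:md5; length:4; sid:9000003; rev:1;)" from file /etc/suricata/rules/snort.rules at line 42
[3101] 5/3/2019 -- 09:12:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"broken rule"; content:"abc"; offset:1; depth:0 sid:9000004; rev:1;)" from file /etc/suricata/rules/snort.rules at line 77
[3101] 5/3/2019 -- 09:12:50 - <Info> - 1 rule files processed. 9996 rules successfully loaded, 4 rules failed
"""

RE_KEYWORD = re.compile(
    r"<Error> - \[ERRCODE: \w+\(\d+\)\] - unknown rule keyword '([^']+)'")
RE_SIG_FAIL = re.compile(
    r'<Error> - \[ERRCODE: \w+\(\d+\)\] - error parsing signature "(.*)" '
    r"from file (\S+) at line (\d+)")
RE_SUMMARY = re.compile(
    r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
RE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def triage(log_text):
    """Return failed rules, per-keyword counts and the loader summary."""
    failed = []
    keywords = Counter()
    summary = None
    pending_keyword = None  # keyword error waiting for its signature line
    for line in log_text.splitlines():
        m = RE_KEYWORD.search(line)
        if m:
            pending_keyword = m.group(1)
            continue
        m = RE_SIG_FAIL.search(line)
        if m:
            sig, path, lineno = m.groups()
            sid_m = RE_SID.search(sig)
            failed.append({
                "sid": int(sid_m.group(1)) if sid_m else None,
                "file": path,
                "line": int(lineno),
                "keyword": pending_keyword,  # None if not a keyword problem
            })
            if pending_keyword:
                keywords[pending_keyword] += 1
            pending_keyword = None
            continue
        m = RE_SUMMARY.search(line)
        if m:
            summary = {"files": int(m.group(1)), "loaded": int(m.group(2)),
                       "failed": int(m.group(3))}
    return {"failed": failed, "keywords": keywords, "summary": summary}


def disable_conf_lines(result):
    """One sid per line, the form a suricata-update disable.conf accepts
    (assumed convention); rules with no parseable sid are skipped."""
    sids = sorted({f["sid"] for f in result["failed"] if f["sid"] is not None})
    return [str(s) for s in sids]


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print(f"loader summary: {res['summary']}")
    for kw, n in res["keywords"].most_common():
        print(f"{n:4d} rules failed on unsupported keyword '{kw}'")
    for f in res["failed"]:
        print(f"  sid {f['sid']} ({f['file']}:{f['line']}) keyword={f['keyword']}")
    print("disable.conf:")
    print("\n".join(disable_conf_lines(res)))
```

Running it against a real suricata.log (or the output of `suricata -T -S snort.rules`) tells you in one pass whether the failures are a handful of Snort-only keywords you can live without or something broader, and gives you the sid list to suppress so the errors stop cluttering the log.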