Netgate Discussion Forum

    Snort or Suricata which one is better?

    Category: IDS/IPS
    8 Posts 5 Posters 16.4k Views
    • timlak

      I'm new to pfSense; I need to evaluate IDS and IPS packages
      before purchasing an SG 2100.
      For IDS and IPS, I read that I need to install Snort or Suricata.
      I wonder which one is the best, so that I just use one for
      the SG 2100 I'm contemplating purchasing.

      Any comments or help on this issue are much appreciated.

      • noplan @timlak

        @tim-lakinir

        Personally I go with Suricata, but not always.
        Most of the time I run pfBlocker and a bunch of rules...

        Works pretty well

        BrNp

        • bmeeks

          There is no "best". They both do essentially the same thing. There are only a few feature differences between them. Snort offers the OpenAppID layer 7 DPI feature. That works mostly by examining header stuff in packets. It can't peer into fully encrypted payloads, but is still useful for detecting certain kinds of traffic such as social media, streaming, torrents, etc., and alerting on it.

          Suricata lacks a layer 7 DPI feature, but offers quite extensive logging via its EVE JSON log options. Suricata also has a number of specialized protocol parsers that Snort currently lacks.

          Lastly, the biggest difference in the two packages is that Snort is single-threaded while Suricata is multithreaded. In some cases, with very high traffic loads composed of multiple different flows, Suricata will have a throughput performance edge. But with a box like the SG-2100 this edge would be minimal. This is especially true for a home network.

          One thing to watch with the base SG-2100 model is the relatively small disk storage space available (8 GB). Packages like Snort and Suricata can generate a ton of log files that will eat up disk space. You most definitely will want to learn about and enable the Log Management features available in each package (and maybe also consider upgrading to the SG-2100 option with 32 GB of storage space).

          • timlak
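Two of the points above, Suricata's EVE JSON logging and the disk space that IDS logs consume on an 8 GB box, can be checked with a short script. The following is an added example, not code from the thread or from the pfSense packages: it parses constructed eve.json lines (the field layout follows Suricata's EVE "alert", "flow" and "dns" events, but the events themselves are made up), counts alerts per signature and severity, and projects daily log growth from the byte volume and time span of the sample. The function names and the sample data are this example's own.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample eve.json lines (not captured from a real sensor).
# Signature ids in the 9000000 range and the "EXAMPLE" prefix mark them as made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE constructed alert A","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-03-01T10:00:07.000000+0000","event_type":"flow","src_ip":"192.0.2.11","dest_ip":"198.51.100.9","proto":"UDP","flow":{"pkts_toserver":2,"bytes_toserver":180}}',
    '{"timestamp":"2024-03-01T10:00:12.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE constructed alert A","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-03-01T10:00:20.000000+0000","event_type":"dns","src_ip":"192.0.2.12","dest_ip":"198.51.100.53","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-03-01T10:00:31.000000+0000","event_type":"alert","src_ip":"192.0.2.13","dest_ip":"198.51.100.80","proto":"TCP","alert":{"signature_id":9000002,"rev":1,"signature":"EXAMPLE constructed alert B","category":"Attempted Information Leak","severity":3}}',
]

# EVE timestamps look like 2024-03-01T10:00:01.000000+0000; %z accepts "+0000".
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve(lines):
    """Decode one JSON object per line; skip blank or truncated lines.

    A half-written last line (common right after log rotation) must not abort
    the whole run, so undecodable lines are dropped rather than raised.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def event_type_counts(events):
    """How many records of each event_type the log holds (alert, flow, dns, ...)."""
    return Counter(ev.get("event_type") for ev in events)


def summarize_alerts(events):
    """Count alert events per (signature_id, signature) and per severity."""
    by_signature = Counter()
    by_severity = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
        by_severity[alert.get("severity")] += 1
    return by_signature, by_severity


def estimate_log_growth(lines):
    """Project daily eve.json growth from the sample's bytes and time span.

    Returns the bytes seen, the seconds between first and last event, and the
    linear projection to 24 hours (None when the span is too short to project).
    """
    events = parse_eve(lines)
    stamps = []
    for ev in events:
        try:
            stamps.append(datetime.strptime(ev["timestamp"], TS_FORMAT))
        except (KeyError, ValueError):
            pass  # records without a usable timestamp still count toward bytes
    # +1 per line for the newline the file carries but the string does not
    total_bytes = sum(len(raw.encode("utf-8")) + 1 for raw in lines if raw.strip())
    span = (max(stamps) - min(stamps)).total_seconds() if len(stamps) >= 2 else 0.0
    projected = total_bytes * 86400 / span if span > 0 else None
    return {"bytes": total_bytes, "span_seconds": span, "projected_daily_bytes": projected}


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    print("event types:", dict(event_type_counts(evs)))
    sigs, sevs = summarize_alerts(evs)
    for (sid, name), n in sigs.most_common():
        print(f"{n:4d}  sid {sid}  {name}")
    print("severity:", dict(sevs))
    print("growth:", estimate_log_growth(SAMPLE_EVE_LINES))
```

On a real box you would feed it the interface's eve.json instead of the embedded sample; the projection is only meaningful over a span of hours, and it is exactly the figure to compare against the Log Management size limits bmeeks mentions before choosing the 8 GB or 32 GB model.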

            Many Thanks to both of you
            I think I'll buy the SG2100 box with the 32GB option and will have to learn about the log management

            Also, I'm living in Canada; I want to know where I can buy this SG2100 box. Is it from Amazon?

            • SteveITS @timlak

              @timlak Netgate sells via shop.netgate.com. If they don't ship to Canada (??) then they sell on Amazon...IIRC it is a bit more but shipping is included.

              With deference to bmeeks, who maintains these packages for pfSense, we haven't had a problem with disk space usage as long as log rotation is enabled. I just looked at our office router and all of pfSense is using 1.8 GB. Obviously what is being logged makes a big difference too.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • jc1976 @timlak

                @timlak

                I'm a novice as well and still going through the learning pains, however I can offer this bit of insight/experience.

                They both essentially do the same thing; however, they just do it differently.

                That being said, I started out with Snort; I have now been running Suricata. Suricata has its own rules and can run the Snort rules as well, so you get the best of both worlds. Also, Suricata is more modern and built to take advantage of modern multi-core CPUs, whereas Snort in the beginning could only run on a single thread. The latest version of Snort was re-written to take advantage of multiple cores, but how well it does it in its current incarnation, I don't know.

                Suricata also is capable of inline scanning; I don't know if Snort is at the moment.

                Hope that helps!

                • bmeeks @jc1976

                  @jc1976 said in Snort or Suricata which one is better? (post quoted in full above)

                  Suricata can use most Snort rules, but not all. If you were to enable all of the Snort rule categories in Suricata, you would see up to a couple hundred or more fail to load and generate errors in the suricata.log file for the interface. It won't stop Suricata from starting, but it will discard those Snort rules that contain syntax Suricata does not understand.

                  Snort3 is the latest multithreaded version of Snort from upstream, but it does not yet exist as a pfSense package. So multithreaded Snort is not possible for now on pfSense.

                  The current Snort version on pfSense does indeed offer an Inline IPS Mode, the same as Suricata.

                  • timlak @bmeeks
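bmeeks notes that Snort rules Suricata cannot parse are discarded with an error in the interface's suricata.log rather than stopping the engine. The script below is an added example, not code from the thread or from the pfSense packages: it pulls the failed signatures out of a constructed suricata.log excerpt, recovers each rule's sid and source line, and checks the count against the "N rules successfully loaded, M rules failed" summary line. The two message shapes it recognises are modelled on the "error parsing signature ... from file ... at line" text Suricata writes (with an ERRCODE prefix in 6.x and an "Error: detect:" prefix in 7.x); the log lines, the interface directory name and the sids are made up for the example, so adjust the regular expressions if your version's wording differs.

```python
import re

# Constructed suricata.log excerpt (not a real capture). The interface
# directory "suricata_12345_igb0" is a placeholder for the per-interface
# directory the pfSense package creates; the rules and sids are invented.
SAMPLE_SURICATA_LOG = [
    '1/3/2024 -- 10:00:00 - <Info> - Loading rule file: /usr/local/etc/suricata/suricata_12345_igb0/rules/suricata.rules',
    '1/3/2024 -- 10:00:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE constructed rule 1"; content:"EHLO"; sid:9000001; rev:1;)" from file /usr/local/etc/suricata/suricata_12345_igb0/rules/suricata.rules at line 120',
    '1/3/2024 -- 10:00:02 - <Info> - some unrelated informational line',
    '1/3/2024 -- 10:00:03 - Error: detect: error parsing signature "alert tcp any any -> any 445 (msg:"EXAMPLE constructed rule 2"; sid:9000002; rev:2;)" from file /usr/local/etc/suricata/suricata_12345_igb0/rules/suricata.rules at line 340',
    '1/3/2024 -- 10:00:05 - <Info> - 1 rule files processed. 30210 rules successfully loaded, 2 rules failed',
]

# The signature text itself contains double quotes (msg:"..."), so the match
# is greedy and relies on the literal '" from file' that follows the rule.
ERROR_RE = re.compile(
    r'error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
SUMMARY_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")


def parse_rule_load_errors(lines):
    """Return one record per discarded rule: sid, source file, line and rule text."""
    errors = []
    for raw in lines:
        m = ERROR_RE.search(raw)
        if not m:
            continue
        sig = m.group("sig")
        sid_match = SID_RE.search(sig)
        errors.append({
            "sid": int(sid_match.group(1)) if sid_match else None,
            "file": m.group("file"),
            "line": int(m.group("line")),
            "signature": sig,
        })
    return errors


def rule_load_summary(lines):
    """Return (loaded, failed) from the final rule-loading summary, or None."""
    result = None
    for raw in lines:
        m = SUMMARY_RE.search(raw)
        if m:  # keep the last summary if the log holds several restarts
            result = (int(m.group("loaded")), int(m.group("failed")))
    return result


def failed_sids(lines):
    """Sorted, de-duplicated sids of the rules Suricata refused to load."""
    return sorted({e["sid"] for e in parse_rule_load_errors(lines) if e["sid"] is not None})


def errors_match_summary(lines):
    """True when every failure in the summary count was found as an error line.

    A mismatch means the log uses a message shape this parser does not know,
    so the list of failed sids would be incomplete.
    """
    summary = rule_load_summary(lines)
    if summary is None:
        return False
    return summary[1] == len(parse_rule_load_errors(lines))


if __name__ == "__main__":
    for err in parse_rule_load_errors(SAMPLE_SURICATA_LOG):
        print(f"sid {err['sid']} at {err['file']}:{err['line']}")
    print("summary:", rule_load_summary(SAMPLE_SURICATA_LOG))
    print("all failures accounted for:", errors_match_summary(SAMPLE_SURICATA_LOG))
```

The sid list is what you would use to decide whether a discarded Snort rule has a Suricata-native equivalent or can simply be left disabled; the summary cross-check guards against silently trusting an incomplete list.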

                    @bmeeks Thank you, Sir.
                    I will install Suricata as it looks good.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.