What is the difference between Suricata and Snort?


  • I understand that they are both IDS/IPS daemons.
    What is the difference between them?


  • @firefox:

    I understand that they are both IDS/IPS daemons.
    What is the difference between them?

    Nothing really except two different vendors. Snort is an open-source version of the IDS engine used by Sourcefire. Suricata is a totally open-source effort partially funded by the U.S. Government and some private companies. Well, technically Suricata is funded by the Open Information Security Foundation, but they get funding from the U.S. Department of Homeland Security and others. Here is a link describing Suricata: https://www.openinfosecfoundation.org/index.php/download-suricata. Suricata is multi-threaded and should theoretically scale better in very high throughput networks. However, extensive testing by the Snort guys and some independents shows there really is not much difference in the packet throughput in real-world networks between Snort and Suricata.

    In the end it comes down to personal preference. Currently Suricata captures and logs a little bit more "context" around alerts, but Snort is catching up in this area.

    Bill