Snort or Suricata



  • Hi, all

    My old home-use machine (Duo Core, amd64, max 2.6GHz) is running pfSense very well with Snort on a 250/20 internet connection, but I'm going to build a new box using a Supermicro 2558F (quad core, 8G RAM) next month. I'm wondering whether I should keep using Snort or whether it's time to switch to Suricata? Any suggestions?



  • Totally a personal preference thing.  While each IDS has its fan boys, there really is not much difference between the two in terms of performance.  Suricata can offer more detailed logging and has more tunable features, but Snort offers the new OpenAppID preprocessor and fully supports all the Snort VRT rule options and keywords.  There are some rule options and keywords in the Snort VRT rules set that Suricata cannot interpret, and thus Suricata will print a warning error for those rules and not load them.  At last count there were around 800 or more Snort VRT rules that Suricata will reject and not use.

    Suricata is currently multithreaded and Snort is currently not (but the new 3.0 ALPHA version is multithreaded).  At super high throughputs (as in 1 Gig and beyond steady-state) a multithreaded IDS can theoretically keep up better.  However, if you search Google you will find rebuttals of that from the Snort guys.

    So to summarize, neither is "better".  I would give both a try if you are curious.  The GUIs are very, very similar.  In fact, the two packages share a ton of identical PHP code so that navigation in them is for all practical purposes identical.

    Bill



  • @bmeeks:

    Totally a personal preference thing.  While each IDS has its fan boys, there really is not much difference between the two in terms of performance.  Suricata can offer more detailed logging and has more tunable features, but Snort offers the new OpenAppID preprocessor and fully supports all the Snort VRT rule options and keywords.  There are some rule options and keywords in the Snort VRT rules set that Suricata cannot interpret, and thus Suricata will print a warning error for those rules and not load them.  At last count there were around 800 or more Snort VRT rules that Suricata will reject and not use.

    Suricata is currently multithreaded and Snort is currently not (but the new 3.0 ALPHA version is multithreaded).  At super high throughputs (as in 1 Gig and beyond steady-state) a multithreaded IDS can theoretically keep up better.  However, if you search Google you will find rebuttals of that from the Snort guys.

    So to summarize, neither is "better".  I would give both a try if you are curious.  The GUIs are very, very similar.  In fact, the two packages share a ton of identical PHP code so that navigation in them is for all practical purposes identical.

    Bill

    Appreciated.  If Suricata supports fewer rules than Snort, does that mean Snort is better in terms of security and protection?



  • Really well explained, Bill,

    but I want to add one piece of information on top of this: as a beginner with very little knowledge,
    it can be more useful to start with Snort, owing to the fact that there are
    something around ~11 books about Snort out at amazon.de/.com



  • @pfcode:

    Appreciated.  If Suricata supports fewer rules than Snort, does that mean Snort is better in terms of security and protection?

    No, I don't think you can necessarily say that.  All of the Emerging Threats and Emerging Threats Pro rules work in both Suricata and Snort.  Picking rule sets is also a sort of personal preference.  Some folks use both, some use only one or the other.

    There really is no "better" between the two IDS packages.  They are just "different".  @BlueKobold does make a good point about there being more Snort beginners material in publication than currently exists for Suricata, but even that is changing quickly.

    Bill


  • Also, a lot of those unsupported rules should work with Suricata 2.1.