Snort vs Suricata



  • I've been using snort for a while but considering giving Suricata a go. Can someone give me a layman's terms comparison of either? Moreover, I'm looking at benefits vs drawbacks of either. I know how snort works but I see it get backlogged a lot and I have to purge the logs and reboot to free it up. Plus pages that take a little bit of time to load sometimes won't load at all on my installation. It should also be known that I am using a multi-core CPU and I see that Suricata will take advantage of that. So again, can someone explain to me the real differences between the two?

    I use pfsense on my home network along with pfsense for 2 reasons. A) I have a home streaming server with 6 TB of content that I wish to protect B) I have teenagers who I need to protect my home network from.



  • No real difference in protection between the two packages.  It is just a personal preference thing.  Until you have well over 1 gigabit/sec of sustained network traffic, there is no discernible difference in Snort single-thread and Suricata multi-thread operation.

    Do you have automatic log management turned on?  You should never have to free up space and reboot if the automatic log management settings are configured for your system.  Go to the LOG MGMT tab and make sure the features on that page are enabled.  For a typical home network, the default settings should be sufficient unless you have a very disk-space limited firewall.  Just make sure the checkboxes at the top of that tab are checked (enabled), then save the change.  That will enable a cron task to run and periodically clean up logs.

    Bill



  • Mr. Bill, thank you for breaking this out for me. I understand what you are saying and my concern about multi thread is more related to the number and types of traffic running through my box at any given point. I guess my final question on the subject is which one of the 2 is more trouble free? Since the 2.3 update, I've been seeing a lot of service stops with Snort but I am able to get it started easily. I did check my auto-management option and for some reason it was not checked, which I thought I had checked. Anyhow, I'll keep an eye on that for sure.

    Which of the two do you prefer?



  • @jbhowlesr:

    Mr. Bill, thank you for breaking this out for me. I understand what you are saying and my concern about multi thread is more related to the number and types of traffic running through my box at any given point. I guess my final question on the subject is which one of the 2 is more trouble free? Since the 2.3 update, I've been seeing a lot of service stops with Snort but I am able to get it started easily. I did check my auto-management option and for some reason it was not checked, which I thought I had checked. Anyhow, I'll keep an eye on that for sure.

    Which of the two do you prefer?

    I currently use Snort at home, but it is on a 2.2.6 box for the moment.  I use Snort mainly because that's what I started with and I have the Snort VRT subscription.  The corresponding Emerging Threats Pro subscription that I would use on Suricata is just too expensive to justify for home use.  Suricata will not currently process all of the Snort rules (it chokes on certain keywords and metadata in the Snort VRT rule set), so you really need the latest Emerging Threats (now Proofpoint) rules that are made specifically for Suricata in my view.  But I endorse use of either package.  The new inline IPS mode for Suricata is really a cool feature!

    Bill
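As an added illustration of the rule-compatibility point above (this script is not from the thread, from Snort or from Suricata): it parses rule lines written in Snort syntax and reports which option keywords each rule relies on against a caller-supplied allowlist, so an admin can see what a rule set depends on before moving it to another engine. The sample rules and the allowlist are constructed placeholders; the authoritative check is loading the rule set in Suricata's own test mode (`suricata -T`).

```python
import re

# Constructed sample rules in Snort syntax; not taken from any real rule set.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE smtp"; flow:to_server; content:"EHLO"; nocase; sid:9000002; rev:2;)
alert udp any any -> any 53 (msg:"EXAMPLE dns"; byte_test:1,&,0x80,2; fast_pattern:only; sid:9000003; rev:1;)
"""

# Placeholder allowlist (an assumption for the demo, not Suricata's real keyword table).
PLACEHOLDER_SUPPORTED = {"msg", "flow", "content", "nocase", "http_uri", "byte_test", "sid", "rev"}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")

def split_options(options):
    """Split the option body on ';' outside double quotes; return [(keyword, value)]."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(options):
        ch = options[i]
        if in_quote and ch == "\\" and i + 1 < len(options):
            buf.append(options[i:i + 2]); i += 2; continue   # keep escaped chars inside content
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return [(p.partition(":")[0].strip(), p.partition(":")[2].strip()) for p in parts]

def parse_rules(text):
    """Parse one rule per line into dicts with sid, action, header and option keywords."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        opts = split_options(m.group("options"))
        rules.append({"sid": dict(opts).get("sid"), "action": m.group("action"),
                      "header": m.group("header").strip(), "keywords": [k for k, _ in opts]})
    return rules

def check_keywords(rules, supported):
    """Return {sid: [keywords outside `supported`]} for rules that would need review."""
    return {r["sid"]: [k for k in r["keywords"] if k not in supported]
            for r in rules if any(k not in supported for k in r["keywords"])}
```

Running `check_keywords(parse_rules(open("snort.rules").read()), allowlist)` on a real file gives a per-sid list of keywords to look at; rules it flags still have to be confirmed by the engine itself.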



  • Is there a good free rule set for suricata?



  • @jbhowlesr:

    Is there a good free rule set for suricata?

    The only two I know of are Snort VRT and Emerging Threats Open.  Snort VRT will suffer from the "not all rules can be loaded" problem I mentioned.  Emerging Threats Open does not have quite as much "threat coverage" as the paid version and it is updated less often.  By "threat coverage" I mean the free ET-Open rules will never get all of the rules in the ET-Pro paid versions.  I don't know the exact algorithm, but similar to how Snort VRT works with paid versus free subscriptions, paid versions get immediate updates while the free versions get most of the same updates on some time-delayed basis.  That time delay is 30 days for the Snort VRT rules.

    Bill



  • Wow. That is a huge consideration. What do the paid subscriptions cost, if I may ask?



  • @jbhowlesr:

    Wow. That is a huge consideration. What do the paid subscriptions cost, if I may ask?

    Snort VRT is $29.95 per year for individuals.  Emerging Threats Pro is nearly $500/year last time I checked.  $30 I can handle for a home network, $500 is a bit much… :) just for home use.

    Bill



  • @bmeeks:

    Snort VRT is $29.95 per year for individuals.  Emerging Threats Pro is nearly $500/year last time I checked.  $30 I can handle for a home network, $500 is a bit much… :) just for home use.

    Bill

    Proofpoint has jacked up their prices for new customers since they bought out Emerging Threats.  The ET Pro Ruleset subscription is now $900 per sensor.  The IQ Risk Rep List is no longer offered as a separate product.  You now need to pay them a minimum of $24 000 per year (depends on the number of users) to get access as part of their ET Intelligence product (which includes access to their Global Threat Database).  If you had an old subscription they have grandfathered the pricing but I don't know how long this will last.  So they are now completely out of reach for home use and for most businesses for the IQ Risk Rep List.



  • @gsiemon:

    @bmeeks:

    Snort VRT is $29.95 per year for individuals.  Emerging Threats Pro is nearly $500/year last time I checked.  $30 I can handle for a home network, $500 is a bit much… :) just for home use.

    Bill

    Proofpoint has jacked up their prices for new customers since they bought out Emerging Threats.  The ET Pro Ruleset subscription is now $900 per sensor.  The IQ Risk Rep List is no longer offered as a separate product.  You now need to pay them a minimum of $24 000 per year (depends on the number of users) to get access as part of their ET Intelligence product (which includes access to their Global Threat Database).  If you had an old subscription they have grandfathered the pricing but I don't know how long this will last.  So they are now completely out of reach for home use and for most businesses for the IQ Risk Rep List.

    Jesus Christ... $500... damn. I agree with you that is too much. Not a little too much, a lot too much.

    Well, you are making my decision a little easier here.

    Both snort and suricata have free rules but suricata is obviously less effective with infrequently updated rules. Snort is in the same boat but the free rules for it are more complete and updated a little more frequently than ET rules. Outside of this, both do similar web traffic inspection with little difference in terms of effectiveness and speed, although suricata has some newer inspection techniques than snort.

    Did I sum that up correctly?


  • I have a grandfathered ET Pro Ruleset which is about $425/yr… For a business it's well worth it, as it has all of the latest rules, and not all of the new rules end up in the ET Open ruleset.

    For ET IQRisk, they should offer a smaller subset of the categories for home use at a more economical cost... I have developer's access to IQRisk, and the listed IPs are usually not listed in other free IP lists...



  • Yeah, I agree the Proofpoint stuff has gotten out of reach for home use unless you are the spoiled kid of a billionaire …  :).  The Snort rules at $29.95/year are well within a home use budget.

    Bill



  • I would happily pay $29.95 for something like this.


  • Ok, I know this is an older post but wanted to update that ET Pro is now $750/year. Total sticker shock on that one and out of reach for home and most small business users. So if you combine that with Snort VRT for a small business, you are over $1000/year. Can't sell that to any of my clients.