Snort vs Suricata. Pros and Cons?



  • Currently running Snort.

    Worth switching over to Suricata?

    What are the pros and cons of each?



  • This has been asked multiple times before on this forum. Example:
    https://forum.pfsense.org/index.php?topic=83548.0

    The main difference is if you plan on using the VRT rules, there is a chance some of the rules won't work with Suricata. But beyond that, you would need to invest some serious time learning and tweaking them to have their differences matter to you.



  • _Re: Snort vs Suricata. Pros and Cons?
    « Reply #1 on: May 09, 2016, 11:49:53 pm »
    This has been asked multiple times before on this forum. Example:
    https://forum.pfsense.org/index.php?topic=83548.0

    The main difference is if you plan on using the VRT rules, there is a chance some of the rules won't work with Suricata. But beyond that, you would need to invest some serious time learning and tweaking them to have their differences matter to you._

    Yes but the last post in that thread is almost 2 years old. I think the OP was asking what the current benefits to using snort or suricata are. And I would like to know as well.



  • Still no change from the recommendation in the old thread.  Unless you have well over 1 Gigabit/sec of sustained throughput (not little bursts), then either IDS can keep up.  The differences are mainly cosmetic in my view.

    Suricata can log more kinds of extra details (not that it detects more alerts, just logs more details about specific traffic).

    Snort has the new OpenAppID preprocessor that Cisco/Sourcefire recently made open source.

    Suricata is multi-threaded and at the moment Snort is not, but refer to my first point about throughput.  Unless you are essentially some huge enterprise with very high sustained throughput on an interface, Snort is fine even if it is currently single-threaded.

    Suricata on pfSense can now use the new Netmap API and driver to be a true IPS (Intrusion Prevention System) with inline blocking.  Note this only works with certain NIC drivers, though.  Snort still uses libpcap to analyze copies of packets, and then inserts offending IP addresses into the pf firewall (in a table called snort2c).  So if inline IPS is important to you and you have a supported NIC, Suricata is a better fit.

    The comments in the older threads about rules support (rule options and keywords, mainly) are still true.  Suricata will choke on about 700-800 of the Snort VRT rules and skip loading them.

    Bill
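    An added example (not from this thread or either project) for putting a number on Bill's last point: assuming Suricata reports each rule it refuses to load as `error parsing signature "<rule>" from file <path> at line <n>` (the sample log lines below are constructed), this script tallies the skipped rules per rules file and the option keywords that occur in them, which is the quickest way to see which part of the VRT set you are actually losing.

```python
import re
from collections import Counter
# Assumed shape of Suricata's rule-parse failure message; sample lines below are constructed.
PARSE_FAIL = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
SID = re.compile(r"\bsid\s*:\s*(\d+)")
def rule_keywords(rule):
    """Option keywords of a rule in order. Options sit inside the outer parentheses,
    ';'-separated; a ';' inside a quoted value (content:"a;b") must not split."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end <= start:
        return []
    keywords, token, in_quote, escape = [], [], False, False
    for ch in rule[start + 1:end] + ";":        # trailing ';' flushes the last option
        if escape:                              # char after a backslash is literal
            token.append(ch); escape = False
        elif ch == "\\":
            token.append(ch); escape = True
        elif ch == '"':
            token.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(token).strip()
            if opt:
                keywords.append(opt.split(":", 1)[0].strip())
            token = []
        else:
            token.append(ch)
    return keywords
def parse_log(text):
    # One (file, line, sid, keywords) tuple per rule Suricata refused to load.
    failed = []
    for m in PARSE_FAIL.finditer(text):
        sid = SID.search(m.group("rule"))
        failed.append((m.group("file"), int(m.group("line")),
                       sid.group(1) if sid else "?", rule_keywords(m.group("rule"))))
    return failed
def summarize(failed):
    # Skipped rules per file, and how often each option keyword appears in them.
    by_file = Counter(f[0] for f in failed)
    by_keyword = Counter(k for f in failed for k in set(f[3]))
    return by_file, by_keyword
SAMPLE_LOG = """\
9/5/2016 -- 23:49:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 80 (msg:"WEB a; b"; content:"x;y"; file_data; sid:1000001; rev:1;)" from file /usr/local/etc/snort/rules/snort_web.rules at line 12
9/5/2016 -- 23:49:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"EXP c"; flowbits:isset,seen; pcre:"/a\\;b/"; sid:1000002; rev:2;)" from file /usr/local/etc/snort/rules/snort_exploit.rules at line 40
"""
if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Point it at your real suricata.log (run Suricata with `-T` or just read the startup log) instead of SAMPLE_LOG; the keyword counts tell you whether the failures cluster around a few Snort-specific options or are spread across the set.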

