Opinions on 'snort' and 'suricata' requested...

I do intrusion detection/prevention using fail2ban(1) (for detection and mitigation) and ipset(8) blacklists (for prevention). I'm growing concerned about the (ever-increasing) amount of memory that it requires to hold the blacklists…and about the ever-increasing amount of effort it's taking to maintain all this.

The blacklists update every 4 hours with data collected from a number of different on-line sources. The blacklists come in IPv4 and IPv6 flavors.

Lately, I've been thinking about replacing the blacklists with snort or suricata to shoulder most of the burden of intrusion detection and prevention (while keeping fail2ban(1) as an adjunct).

I'd love to hear comments -- both positive and negative -- about such an effort. How easy are snort/suricata to set up? Are there particular pros/cons of one over the other? Can you write custom rules? How easy are they to write? I imagine that my need for some measure of blacklisting won't go away, so does each support blacklists? Does each support both IPv4 and IPv6 (this is extremely important)?

Be brutal. Thanks in advance for your kind assistance.

-- sw

1 Reply

There are some solid distinctions between the two, and the best option for you will depend on what features you use most. Snort has much more community support and is most widely deployed, which leads to a variety of documentation and open-source rulesets. Suricata is newer and has features that Snort doesn’t support. You can write custom rules for each, but Snort seems to be easier to interact with. For IPv6 implementation, there is an in-depth comparison here that is worth a read.

Ruleset

Snort has significant community support, and therefore has a wide ruleset that gets updated frequently. It supports custom rules and, while both options are open-source, there is less of a “paywall feel” to Snort. Suricata can use the same rules that Snort does. It also releases rulesets, but on a subscription basis prior to 30 days old. Suricata has additional features that allow for a more configurable ruleset.

Detection

Suricata directly supports application-layer detection, while Snort requires an additional layer - OpenAppID - to detect applications.

File Extraction

Suricata supports file extraction, while Snort does not. This is especially useful if you need to set aside files in a folder for later analysis.

These links go into the differences on a deeper level and are definitely worth reviewing prior to making a decision:

https://resources.infosecinstitute.com/open-source-ids-snort-suricata/
https://tacticalflex.zendesk.com/hc/en-us/articles/360010678893-Snort-vs-Suricata

Other users here might also have more input regarding which they've found to work better in specific use cases.
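Since the thread turns on moving the ipset blacklists into the IDS's own IP-list support, here is an added example (mine, not from either poster or from the Snort/Suricata projects) that does the preparation such a migration needs: it reads a mixed IPv4/IPv6 feed of the kind the poster collects, drops junk lines, collapses overlapping and adjacent networks (which directly shrinks the list the poster is worried about), and emits rows in the `ip,category,score` layout of Suricata's IP reputation (iprep) files. The feed contents, the category id and name, and the score are constructed assumptions, and the iprep row and rule syntax is written from memory of the Suricata documentation, so check it against the docs for the version in use.

```python
"""Normalise mixed IPv4/IPv6 blacklist feeds into Suricata iprep rows (added example)."""
import ipaddress

# Constructed sample feed: what several on-line sources might return, concatenated.
SAMPLE_FEED = """
# comment line from one source
198.51.100.10
198.51.100.0/24        # already covers the two hosts above and below
198.51.100.11
2001:db8:bad::1
2001:db8:bad::/48
not-an-ip              # garbage that must not poison the list
192.0.2.0/25
192.0.2.128/25         # adjacent to the previous block: merges to a /24
"""


def parse_feed(lines):
    """Return (ipv4_networks, ipv6_networks), deduplicated and collapsed."""
    v4, v6 = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # strip inline comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare host -> /32 or /128
        except ValueError:
            continue                            # skip unparsable entries rather than abort
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent blocks and drops networks contained in another,
    # so the host entries inside 198.51.100.0/24 disappear and the two /25s become one /24.
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def to_iprep_rows(nets, category=1, score=100):
    """One 'ip,category,score' row per network (assumed iprep reputation-file layout)."""
    return [f"{n.with_prefixlen},{category},{score}" for n in nets]


def iprep_rule(category_name="BadHosts", threshold=50, sid=9000001):
    """Rule that fires on traffic from any listed source above the threshold (assumed syntax)."""
    return (f'alert ip any any -> any any (msg:"iprep blacklist hit"; '
            f'iprep:src,{category_name},>,{threshold}; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    v4, v6 = parse_feed(SAMPLE_FEED.splitlines())
    print("\n".join(to_iprep_rows(v4 + v6)))
    print(iprep_rule())
```

The category id used in the rows must also appear in the iprep categories file with the same name the rule references, and the feed must be reloaded on the same schedule the ipset lists are refreshed today.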
