Solved

Suricata Vs Snort

Posted on 2013-12-10 (4,306 views). Last Modified: 2013-12-11
Does anyone have experience with Suricata? Is it mature and easy to use? I know SNORT has been around a long while, but I like Suricata for being multi-threaded and hence scalable. However, I am not sure whether Suricata is as capable as SNORT for intrusion detection and able to analyse network traffic, and whether there is good support and a healthy community.
Question by:tommym121
12 Comments

Assisted Solution by: btan (earned 143 total points)
Yes, Suricata is on an equal par. Suricata is another SNORT-like IDS coded in C. There is an active community and funding support. See below:

http://www.openinfosecfoundation.org

Also see the link below, which has some interesting comparisons that can help you to differentiate, but note that there would be changes since then...

http://www.aldeid.com/wiki/Suricata-vs-snort

Both Snort and Suricata are based on sets of rules. Most of the tests have shown that VRT::Snort and EmergingThreats rules are complementary and are both needed to optimize the detection of all attack types. In addition, both Snort and Suricata have demonstrated their ability to detect attacks based on signatures from rules.

Suricata offers new features that Snort could implement in the future: multi-threading support and capture accelerators, but it suffers from a lack of documentation (little documentation on the Internet and outdated documentation on the official website). In addition, Suricata doesn't accept some rules from VRT::Snort and Emerging Threats due to incompatibilities (no support of certain keywords). The support of these missing keywords should be implemented in future versions of Suricata.
Assisted Solution by: Rich Rumble (earned 357 total points)
The binary Snort VRT rules are not free, and not open-source, so Suri can't accept them even if it wanted to. Suri has its own paid-rule subscription too, but the difference is the community does get those rules eventually, and they are shared in that sense. It is only the binary VRT (.SO) rules that Suri can't use.
Suri also supports some new methods that aren't on Snort's road map, specifically file carving from HTTP/FTP (and soon SMB/CIFS and others) streams, and file hashing. Suri can be used to hash files in HTTP streams, and a script can be used to check those hashes against VirusTotal, for example, to see if there are malicious files in your network.
http://www.openinfosecfoundation.org/index.php/gsoc/157-suricata-13-available (list of changes)
Suricata is innovating faster than Snort, and since Snort was just acquired by Cisco, I don't think their focus is on the community anymore. Many open source projects just stagnate once Cisco gets involved with them or acquires them; I know Jabber has.
-rich
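The hashing workflow Rich describes above, as an added example that is not part of his post and is not Suricata's or Barnyard2's own code: the Python below hashes a carved file incrementally as its chunks arrive, matches the digest against a local blocklist before anything would need to leave the network, and emits one alert record per hit. The carved files, the addresses, the blocklist and the field names are all constructed for the example; the external lookup (VirusTotal) is stood in for by the local set, so the script runs offline.

```python
import hashlib
import json


def hash_stream(chunks):
    """Hash a carved file incrementally, chunk by chunk, the way a file
    extraction engine hands over an HTTP response body.  Returns both
    digests plus the byte count so the caller can sanity-check truncation."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def triage(carved_files, known_bad):
    """Return one alert dict per carved file whose SHA-256 is on the local
    blocklist.  Matching locally first means only genuinely unknown hashes
    would ever need to go to an outside service such as VirusTotal."""
    alerts = []
    for entry in carved_files:
        digests = hash_stream(entry["chunks"])
        if digests["sha256"] in known_bad:
            alerts.append({
                "filename": entry["filename"],
                "src": entry["src"],
                "dst": entry["dst"],
                "md5": digests["md5"],
                "sha256": digests["sha256"],
                "size": digests["size"],
                "verdict": "known-bad",
            })
    return alerts


def build_sample():
    """Constructed input: two 'carved' HTTP downloads and a one-entry
    blocklist.  The blocklist hash is computed from the sample bytes here;
    in practice it would come from a threat feed or a prior analyst verdict."""
    bad_payload = b"MZ\x90\x00placeholder-bytes-for-a-known-bad-sample"
    carved_files = [
        {"filename": "invoice.exe", "src": "198.51.100.7", "dst": "192.0.2.44",
         "chunks": [bad_payload[:10], bad_payload[10:]]},
        {"filename": "logo.png", "src": "198.51.100.9", "dst": "192.0.2.44",
         "chunks": [b"\x89PNG\r\n\x1a\nplaceholder-image-bytes"]},
    ]
    known_bad = {hashlib.sha256(bad_payload).hexdigest()}
    return carved_files, known_bad


def run_sample():
    """Triage the constructed sample and return the alerts it produces."""
    carved_files, known_bad = build_sample()
    return triage(carved_files, known_bad)


if __name__ == "__main__":
    # One JSON line per alert is easy to feed to a log collector or SIEM.
    for alert in run_sample():
        print(json.dumps(alert))
```

The chunked hashing matters because carved files can be large and arrive in pieces; the digest is identical however the chunk boundaries fall, which the test below checks against the well-known digests of "abc".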
Author Comment by: tommym121
What are those VRT rules for? How much do they cost? Do I need them if I am using SNORT/Suricata for a passive network monitoring system (PNMS)? My network is protected by firewalls. It is supposed to be very restrictive (not all protocols or ports allowed). The purpose of the system is to act as a warning system for anyone breaking in and scanning computers in the network.
Assisted Solution by: Rich Rumble (earned 357 total points)
http://www.snort.org/vrt/buy-a-subscription
The VRT rules (the SO rules) are done by the research dept of Snort, just like the paid rules for Suri are. Only Snort doesn't make those rules available later; Suri does make the rules available: http://www.emergingthreats.net/ There is no set time when they become available, but it's been between 30-60 days. They do however create community rules for important outbreaks, which is nice of them.

The VRT rules can be for anything, I don't subscribe so I'm not sure anymore. There are plenty of scanning rules out there for both however.
Remember there is more to look for in a network than 3rd party tools, the ones that are native are just as dangerous :)
http://www.experts-exchange.com/Security/Misc/A_12575-The-Duality-of-Security-Tools-and-Information.html
-rich
Author Comment by: tommym121
richrumble,

I read your 'duality' article. Very nicely written. I am not sure whether it is still true that Suri still lacks current documentation for installation or use and has no auto installation - all manual.
Is that right? Is a beginner better off with SNORT than Suricata?
Assisted Solution by: Rich Rumble (earned 357 total points)
Both are the same if you ask me. Suri is much more chatty on the console, and that looks confusing. But to get running, they are about equal now. Both require you to parse a unified2 file format, typically done with Barnyard2, and that is what I think is the most difficult part of each. I would give the edge to Snort for a beginner, but they dropped the direct DB connections they used to give, and forced you to use U2/By2 to get that data into a DB. There are documents for Suri; I've contributed and tested the one for the Windows side as far as installation and compilation of By2: https://redmine.openinfosecfoundation.org/attachments/download/757/SuricataWinInstallationGuide_v1.3.pdf

The one caveat for Suri being harder is that you have to use YAML for the config file, and that file is based on spacing more than anything, so if the spacing isn't just so, you can get an error, it's an informative error though so you know how to fix it :) I won't go back to snort, I think it paved the way, and Suri is going fwd.
-rich
Author Comment by: tommym121
richrumble,

Thanks for the info. Sounds like you are all for Suri. Does Suri come with any GUI? Or do you have to write your own app to display any intrusion detection warnings? Or is there any third-party application?

For the configuration, can I simply buy the Suri rules for a start, so I can have it up in no time in a lab and then incrementally learn and tweak it to my needs?
Assisted Solution by: Rich Rumble (earned 357 total points)
Windows or Linux? Neither Snort nor Suri (nor Bro-IDS) has a native GUI. You have a console to get them running, and then you have a database to get the alerts from. There are a few front-ends for that. Snorby is probably the prettiest, and it's not bad to get set up, but it is much easier on Linux.
I'd advise you to look at the Security Onion live-cd. It's a bootable cd/dvd/usb (take your pick) that has lots of security tools packaged and ready for you to work with, it is linux only however. But it gives you the best idea/feel for each tool and each frontend.
http://code.google.com/p/security-onion/

If you're not going that route, then you have a few choices for either:
http://blog.snort.org/2011/01/guis-for-snort.html (they work on snort/suri)
-rich
Assisted Solution by: btan (earned 143 total points)
Any of the available on-line guides for snort should work for us. Instead of pointing barnyard/barnyard2 at a snort output directory containing unified and unified2 files you can point it at a suricata output directory containing unified/unified2 output.

Also, you may like to note these, which tend to be the most popular ones I think, although I'm sure there are many more:
http://base.secureideas.net/
http://snorby.org/
http://sguil.sourceforge.net/

Also, previously there was OpenAanval, which originally was a very simple web front-end to monitor and browse Snort event data. It was the stand-alone, free, limited version of the commercial Aanval console before it was finally integrated in 2005, and is the alternative to ACID as the front-end. Aanval was then publicly released in 2004 and is considered the longest running Snort interface under continuous development on the market today and the industry's leading web-based GUI for Snort, Suricata, and Syslog intrusion detection, prevention and correlation.

https://www.aanval.com/download
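Both Rich's earlier answer and btan's note above single out the unified2 spool as the awkward step: the sensor writes binary records, and Barnyard2 has to decode them before anything reaches a database or a front-end. As an added illustration, not code from this thread, from Barnyard2, or from either IDS project, the Python below decodes the unified2 IDS event record from a constructed byte stream and renders it as a fast.log-style line. The record layout (type 7 with a 52-byte body) follows Snort's published Unified2 definitions; the sensor ID, event IDs, signature ID 1000001, classification, and the 192.0.2.x addresses are placeholders.

```python
import struct
from ipaddress import IPv4Address

# Record types from Snort's Unified2_common.h.  Suricata's unified2-alert
# output writes the same format, which is why Barnyard2 can read both.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record starts with a big-endian 4-byte type and 4-byte body length.
RECORD_HEADER = struct.Struct(">II")
# Legacy IPv4 IDS event body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct(">11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "src_ip", "dst_ip",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_unified2(data):
    """Walk a unified2 byte stream and return one dict per record.

    IDS events are decoded field by field; packet records are returned raw
    (their own header and pcap data are left for a pcap writer).  A record
    whose length runs past the buffer is reported as incomplete, which is what
    a spool reader sees while the sensor is still writing the file.
    """
    records = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        body_start = offset + RECORD_HEADER.size
        if body_start + rlen > len(data):
            raise ValueError("incomplete record at offset %d" % offset)
        body = data[body_start:body_start + rlen]
        if rtype == UNIFIED2_IDS_EVENT:
            if rlen != IDS_EVENT.size:
                raise ValueError("IDS event with unexpected length %d" % rlen)
            event = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            # Addresses are stored in network byte order; unpacking as ">I"
            # yields exactly the integer IPv4Address expects.
            event["src_ip"] = str(IPv4Address(event["src_ip"]))
            event["dst_ip"] = str(IPv4Address(event["dst_ip"]))
            records.append({"type": "event", **event})
        elif rtype == UNIFIED2_PACKET:
            records.append({"type": "packet", "raw": body})
        else:
            records.append({"type": "unknown", "record_type": rtype, "raw": body})
        offset = body_start + rlen
    if offset != len(data):
        raise ValueError("incomplete record header at offset %d" % offset)
    return records


def format_alert(event):
    """Render an IDS event as a fast.log-like line.  The rule message is not
    in the file at all; Barnyard2 looks it up in sid-msg.map by gid:sid."""
    return "[%d:%d:%d] {proto %d} %s:%d -> %s:%d priority=%d" % (
        event["generator_id"], event["signature_id"], event["signature_revision"],
        event["protocol"], event["src_ip"], event["sport_itype"],
        event["dst_ip"], event["dport_icode"], event["priority_id"])


def build_sample_event(**overrides):
    """Constructed IDS event record; every value is a placeholder, not sensor output."""
    fields = dict(
        sensor_id=0, event_id=1, event_second=1386633600, event_microsecond=0,
        signature_id=1000001, generator_id=1, signature_revision=3,
        classification_id=29, priority_id=2,
        src_ip=int(IPv4Address("192.0.2.10")), dst_ip=int(IPv4Address("192.0.2.25")),
        sport_itype=44321, dport_icode=22, protocol=6,
        impact_flag=0, impact=0, blocked=0,
    )
    fields.update(overrides)
    body = IDS_EVENT.pack(*(fields[name] for name in IDS_EVENT_FIELDS))
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


if __name__ == "__main__":
    stream = build_sample_event() + build_sample_event(event_id=2, dport_icode=3389)
    for record in parse_unified2(stream):
        if record["type"] == "event":
            print(format_alert(record))
```

The incomplete-record check is the part worth copying: a spool reader that treats a half-written record as corrupt will drop alerts every time it catches the sensor mid-write, whereas Barnyard2 simply waits for the rest of the record to appear.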
Accepted Solution by: Rich Rumble (earned 357 total points)
And you don't have to pay for rules; they are mostly free. The rules you pay for are better tested and probably newer than the community rules. Those paid-for Suricata and Snort rules come from leads and customers reporting suspicious traffic, etc. Emerging Threats has about all the rules you'd need.
http://www.emergingthreats.net/open-source/etopen-ruleset/
There are "pro" rules too, but they are typically released into the free set in 30-60 days time if not sooner.
-rich
Author Closing Comment by: tommym121
Thanks for all the information.