
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5925

Suricata Vs Snort

Does anyone have experience with Suricata? Is it mature and easy to use? I know Snort has been around a long while, but I like Suricata for being multi-threaded and hence scalable. However, I am not sure if Suricata is as capable as Snort for intrusion detection and able to analyse network traffic, and whether there is good support and a healthy community.
Asked by: tommym121
7 Solutions
 
btan (Exec Consultant) commented:
Yes, Suricata is on a par. Suricata is another Snort-like IDS coded in C. There is an active community and funding support. See below:

http://www.openinfosecfoundation.org

Also see the below, which has some interesting comparisons that can help you differentiate, but note that there would be changes since then...

http://www.aldeid.com/wiki/Suricata-vs-snort

Both Snort and Suricata are based on sets of rules. Most of the tests have shown that VRT::Snort and EmergingThreats rules are complementary and are both needed to optimize the detection of all attack types. In addition, both Snort and Suricata have demonstrated their ability to detect attacks based on signatures from rules.

Suricata offers new features that Snort could implement in the future: multi-threading support and capture accelerators, but it suffers from a lack of documentation (little documentation on the Internet and outdated documentation on the official website). In addition, Suricata doesn't accept some rules from VRT::Snort and Emerging Threats due to incompatibilities (no support for certain keywords). Support for these missing keywords should be implemented in future versions of Suricata.
 
Rich Rumble (Security Samurai) commented:
The binary Snort VRT rules are not free, and not open-source, so Suri can't accept them even if it wanted to. Suri has its own paid-rule subscription too, but the difference is the community does get those rules eventually and they are shared in that sense. It is only the binary VRT (.SO) rules that Suri can't use.
Suri also supports some new methods that aren't on Snort's road map, specifically file carving from HTTP/FTP (and soon SMB/CIFS and others) streams, and file hashing. Suri can be used to hash files in HTTP streams, and a script can be used to check those hashes against VirusTotal, for example, to see if there are malicious files in your network.
http://www.openinfosecfoundation.org/index.php/gsoc/157-suricata-13-available (list of changes)
Suricata is innovating faster than Snort, and since Snort was just acquired by Cisco, I don't think their focus is on the community anymore. Many Open Source projects just stagnate once Cisco gets involved with them or acquires them; I know Jabber has.
-rich
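As an added example (not code from the thread or from the Suricata project), here is the kind of hash-check script Rich describes: it reads Suricata EVE JSON "fileinfo" events and flags files whose SHA256 is on a known-bad list, and also reports fileinfo events that carry no hash, which is what you see when hashing is not enabled in the output config. The fileinfo event layout, the sample lines and the known-bad list are all constructed here; a real deployment would look the hashes up in a threat feed or VirusTotal instead.

```python
import hashlib
import json

# Known-bad SHA256 set, computed here from constructed bytes so the example
# stays offline; in practice it would come from a threat feed or VirusTotal.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "constructed-dropper",
}

def _eve_line(filename, payload=None):
    """Build one constructed EVE 'fileinfo' line; payload=None means hashing was off."""
    info = {"filename": filename, "size": len(payload or b"")}
    if payload is not None:
        info["sha256"] = hashlib.sha256(payload).hexdigest()
    return json.dumps({"event_type": "fileinfo", "src_ip": "10.0.0.5",
                       "dest_ip": "10.0.0.9", "app_proto": "http", "fileinfo": info})

# Constructed sample log lines, including the edge cases a real eve.json has.
SAMPLE_EVE_LINES = [
    _eve_line("/download/setup.exe", b"constructed malicious sample"),
    _eve_line("/index.html", b"<html>hello</html>"),
    _eve_line("/no-hash.bin"),                                   # hashing not enabled
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1}}),  # not fileinfo
    "this line is not json",                                     # truncated/corrupt
]
def check_file_hashes(lines, bad_hashes=KNOWN_BAD_SHA256):
    """Return (hits, unhashed): hits are fileinfo events whose sha256 is known-bad,
    unhashed are fileinfo events with no sha256 (hashing not turned on)."""
    hits, unhashed = [], []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip malformed or partially written lines
        if event.get("event_type") != "fileinfo":
            continue
        info = event.get("fileinfo", {})
        digest = info.get("sha256")
        if digest is None:
            unhashed.append(info.get("filename"))
        elif digest.lower() in bad_hashes:
            hits.append({"filename": info.get("filename"), "sha256": digest,
                         "src_ip": event.get("src_ip"), "dest_ip": event.get("dest_ip"),
                         "label": bad_hashes[digest.lower()]})
    return hits, unhashed

if __name__ == "__main__":
    hits, unhashed = check_file_hashes(SAMPLE_EVE_LINES)
    print(hits, unhashed)
```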
 
tommym121 (Author) commented:
What are those VRT rules for? How much do they cost? Do I need them if I am using Snort/Suricata for a passive network monitoring system (PNMS)? My network is protected by firewalls. It is supposed to be very restrictive (not all protocols or ports are allowed). The purpose of the system is to act as a warning system for anyone breaking in and scanning computers in the network.
 
Rich Rumble (Security Samurai) commented:
http://www.snort.org/vrt/buy-a-subscription
The VRT rules (the SO rules) are done by the research dept of Snort, just like the paid rules for Suri are. Only Snort doesn't make those rules available later; Suri does make the rules available at http://www.emergingthreats.net/. There is no set time they become available, but it's been between 30-60 days. They do, however, create community rules for important outbreaks, which is nice of them.

The VRT rules can be for anything, I don't subscribe so I'm not sure anymore. There are plenty of scanning rules out there for both however.
Remember there is more to look for in a network than 3rd party tools, the ones that are native are just as dangerous :)
http://www.experts-exchange.com/Security/Misc/A_12575-The-Duality-of-Security-Tools-and-Information.html
-rich
 
tommym121 (Author) commented:
richrumble,

I read your 'duality' article. Very nicely written. I am not sure whether it is still true that Suri lacks current documentation for installation or use and has no automatic installation (all manual).
Is that right? Is a beginner better off with Snort than Suricata?
 
Rich Rumble (Security Samurai) commented:
Both are the same if you ask me. Suri is much more chatty on the console, and that looks confusing. But to get running, they are about equal now. Both require you to parse a unified2 file format, typically done with Barnyard2, and that is what I think is the most difficult part of each. I would give the edge to Snort for a beginner, but they dropped the direct DB connections they used to give, and forced you to use U2/By2 to get that data into a DB. There are documents for Suri; I've contributed and tested the one for the Windows side as far as installation and compilation of by2: https://redmine.openinfosecfoundation.org/attachments/download/757/SuricataWinInstallationGuide_v1.3.pdf

The one caveat for Suri being harder is that you have to use YAML for the config file, and that file is based on spacing more than anything, so if the spacing isn't just so, you can get an error. It's an informative error though, so you know how to fix it :) I won't go back to Snort; I think it paved the way, and Suri is going forward.
-rich
 
tommym121 (Author) commented:
richrumble,

Thanks for the info. Sounds like you are all for Suri. Does Suri come with a GUI? Or do you have to write your own app to display any intrusion detection warning? Or is there any third-party application?

For the configuration, can I simply buy the Suri rules to start, so I can have it up in no time in a lab and then incrementally learn and tweak it to my needs?
 
Rich Rumble (Security Samurai) commented:
Windows or Linux? Neither Snort nor Suri (nor Bro-IDS) has a native GUI. You have a console to get them running, and then you have a database to get the alerts from. There are a few front-ends for that. Snorby is probably the prettiest, and it's not bad to get set up, but it is much easier on Linux.
I'd advise you to look at the Security Onion live-cd. It's a bootable cd/dvd/usb (take your pick) that has lots of security tools packaged and ready for you to work with, it is linux only however. But it gives you the best idea/feel for each tool and each frontend.
http://code.google.com/p/security-onion/

If you're not going that route, then you have a few choices for either:
http://blog.snort.org/2011/01/guis-for-snort.html (they work on snort/suri)
-rich
 
btan (Exec Consultant) commented:
Any of the available on-line guides for snort should work for us. Instead of pointing barnyard/barnyard2 at a snort output directory containing unified and unified2 files you can point it at a suricata output directory containing unified/unified2 output.

Also, you may like to note these, which tend to be the most popular ones I think, although I'm sure there are many more:
http://base.secureideas.net/
http://snorby.org/
http://sguil.sourceforge.net/

Also, previously there was OpenAanval, which originally was a very simple web front-end to monitor and browse Snort event data. It was the stand-alone free limited version of the commercial Aanval console before it was finally integrated in 2005, and is the alternative to ACID as the front-end. Aanval was then publicly released in 2004 and is considered the longest-running Snort interface under continuous development on the market today and the industry's leading web-based GUI for Snort, Suricata, and Syslog intrusion detection, prevention and correlation.

https://www.aanval.com/download
 
Rich Rumble (Security Samurai) commented:
And you don't have to pay for rules; they are mostly free. The rules you pay for are better tested and probably newer than the community rules. Those paid-for Suricata and Snort rules come from leads and customers reporting suspicious traffic etc. Emerging Threats has about all the rules you'd need.
http://www.emergingthreats.net/open-source/etopen-ruleset/
There are "pro" rules too, but they are typically released into the free set in 30-60 days time if not sooner.
-rich
 
tommym121 (Author) commented:
Thanks for all the information.