Open source IDS: Snort or Suricata? [updated 2021]
Although early Network Intrusion Detection Systems go back to the early 1980s, the concept took off when Martin Roesch released his free and open-source IDS, Snort, in 1998. Because of its lightweight design and flexible deployment options, Snort's user base grew rapidly in the following years (reportedly around 400,000 users today).
In 2001, Martin Roesch founded Sourcefire (acquired by Cisco in 2013) to sell a commercial IDS product built on Snort. The free and open-source Snort remained available, however, and is still widely used in networks across the globe. In the meantime, competitors have gained ground in the open-source IDS space, most notably Suricata.
What are the main differences between them, and what can we expect in the future from SNORT?
An IDS is only as good as the rules it can apply to the monitored traffic. Snort has always had strong community support, which has produced a substantial ruleset that is updated regularly. The rule syntax is simple, so anyone can write custom rules for their own sensors or share them with the community.
Several commercial parties develop Snort rules as well, sold for a monthly or annual fee. Examples are the Cisco Talos Subscriber Rule Set (the former Sourcefire VRT rules, including the SO shared-object rules; registered users get them for free 30 days after subscribers) and CrowdStrike's Threat Intelligence Services.
Suricata reads the same rule format as Snort, and many, but not all, VRT rules still work on it unchanged. Suricata also has a ruleset of its own, Emerging Threats, which Proofpoint publishes as a free ET Open set and a commercial ET Pro subscription. The ET rules make more use of the additional features Suricata offers, such as port-agnostic protocol detection and automatic file identification and extraction.
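To make the shared rule syntax concrete, here is a small parser for it, written for this article and not taken from Snort or Suricata. The rules it reads are constructed samples (the sids are made up); the parser handles the seven header fields, `key:value;` and bare `key;` options, semicolons and escapes inside quoted values, and the `|hex|` notation inside `content`. It covers the structure a rule writer has to get right, not every keyword either engine knows.

```python
import re

# Constructed sample ruleset for this example (not from any VRT/ET release).
SAMPLE_RULES = r'''
# comments and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; content:"GET"; http_method; content:"/etc/passwd"; http_uri; nocase; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp any any -> any !22 (msg:"SSH on a non-standard port"; app-layer-protocol:ssh; sid:1000002; rev:1;)
alert http any any -> any any (msg:"Store every PDF seen over HTTP"; fileext:"pdf"; filestore; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"Hex escapes inside content"; content:"a|3B|b"; content:"|00 01|end"; sid:1000004; rev:1;)
'''

# Header layout: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(body):
    """Split 'k:v; flag; k2:"quoted";' into [(k, v), (flag, None), ...].

    A ';' inside double quotes does not end an option, and a backslash
    inside quotes escapes the next character (the \" and \; escapes).
    """
    opts, token, in_quote, escape = [], [], False, False

    def flush():
        raw = ''.join(token).strip()
        if raw:
            key, sep, val = raw.partition(':')
            opts.append((key.strip(), val.strip() if sep else None))
        token.clear()

    for ch in body:
        if escape:
            token.append(ch)
            escape = False
        elif in_quote and ch == '\\':
            token.append(ch)
            escape = True
        elif ch == ';' and not in_quote:
            flush()
        else:
            if ch == '"':
                in_quote = not in_quote
            token.append(ch)
    if ''.join(token).strip():
        raise ValueError(f'option not terminated with ";": {"".join(token)!r}')
    return opts


def decode_content(value):
    """Turn a quoted content value such as "a|3B 0A|b" into bytes.

    Text outside the pipes is literal (with backslash escapes removed);
    text between pipes is hexadecimal.
    """
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f'content must be quoted: {value!r}')
    parts = value[1:-1].split('|')
    if len(parts) % 2 == 0:
        raise ValueError(f'unbalanced "|" in content: {value!r}')
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                                   # odd index: hex between pipes
            out += bytes.fromhex(part)
        else:                                       # even index: literal text
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a rule: {line!r}')
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = split_options(m.group('opts'))
    rule['options'] = options
    rule['msg'] = next((v.strip('"') for k, v in options if k == 'msg'), None)
    rule['sid'] = next((int(v) for k, v in options if k == 'sid'), None)
    rule['contents'] = [decode_content(v) for k, v in options if k == 'content']
    # bare modifiers such as nocase, http_uri, filestore
    rule['flags'] = [k for k, v in options if v is None]
    return rule


def parse_ruleset(text):
    """Parse one rule per line, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


if __name__ == '__main__':
    for r in parse_ruleset(SAMPLE_RULES):
        print(r['sid'], r['proto'], r['dst'], r['dport'], r['msg'], r['contents'], r['flags'])
```

The second and third sample rules use Suricata-only keywords (app-layer-protocol, fileext, filestore); the parser accepts them because the grammar is the same, which is exactly why a Snort ruleset loads into Suricata while individual rules may still fail on keywords the other engine lacks.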
It has been said since Snort's early days that Snort is not "application-aware": it matches traffic against its rules and takes the configured action (alert, drop and so on) on a match. Preprocessors shape the traffic into a form the rules can be applied to, performing reassembly, decompression and decoding for instance, but Snort never needed to know which application generated the data.
Business requirements changed over time, however, and to adapt to the market Snort added OpenAppID in version 2.9.7 (2014). OpenAppID detects applications through so-called Layer 7 detectors. The presence of a known application is not by itself a security incident (Dropbox, for instance), but it gives a much better picture of what runs on the network. Previously unknown applications can be found, and their traffic can be alerted on or dropped by referencing an AppID from a traditional Snort IDS/IPS rule through the appids rule option.
Suricata approaches this slightly differently. Its application-layer detection identifies protocols such as HTTP or SSH from the traffic itself rather than from the port, so it recognises them on non-standard ports, and a rule can match on the identified protocol (the app-layer-protocol keyword) or be written directly for it (alert http, alert ssh). Once a protocol is identified, Suricata applies that protocol's parser and its protocol-specific logging to the flow.
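The difference between port-bound and port-agnostic detection is easiest to see side by side. The following is an added example for this article, not code from either project: it classifies a few constructed client payloads once by destination port and once by content (request line, SSH banner, TLS ClientHello record), then flags flows where the two disagree, which is what a rule on `any !22` with `app-layer-protocol:ssh` expresses. The byte patterns are deliberately minimal; the real engines carry full protocol parsers.

```python
import re

# A port-based view of the world: a fixed port -> service table.
PORT_MAP = {22: 'ssh', 80: 'http', 443: 'tls', 8080: 'http'}

# Signatures for the first bytes a client sends (constructed for this example).
HTTP_REQ = re.compile(rb'^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n')
SSH_BANNER = re.compile(rb'^SSH-(2\.0|1\.99|1\.5)-[^\r\n]+\r?\n')


def by_port(dport):
    """What a port-bound engine assumes the protocol is."""
    return PORT_MAP.get(dport, 'unknown')


def by_content(payload):
    """Identify the protocol from the client's first bytes, ignoring the port."""
    if HTTP_REQ.match(payload):
        return 'http'
    if SSH_BANNER.match(payload):
        return 'ssh'
    # TLS: record type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return 'tls'
    return 'unknown'


def check_flow(dport, payload):
    """Compare both views and flag a mismatch the way a port-agnostic rule would."""
    expected, seen = by_port(dport), by_content(payload)
    return {
        'dport': dport,
        'port_says': expected,
        'content_says': seen,
        # Only alert on a positive identification that contradicts the port;
        # an unrecognised payload is not evidence of anything.
        'alert': seen != 'unknown' and seen != expected,
    }


def ssh_off_port(dport, payload):
    """Equivalent of a rule on 'any !22' carrying app-layer-protocol:ssh."""
    return by_content(payload) == 'ssh' and dport != 22


# Constructed flows: (destination port, first client bytes)
SAMPLE_FLOWS = [
    (22,   b'SSH-2.0-OpenSSH_8.4\r\n'),
    (8080, b'SSH-2.0-OpenSSH_8.4\r\n'),                                 # SSH on an HTTP port
    (443,  b'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n'),  # cleartext HTTP on 443
    (443,  b'\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00'),                # TLS ClientHello record
    (4444, b'\x00\x01\x02\x03 opaque'),                                 # nothing recognisable
]


def run(flows=SAMPLE_FLOWS):
    return [check_flow(port, data) for port, data in flows]


if __name__ == '__main__':
    for result in run():
        print(result)
```

The fourth flow shows the caveat: on port 4444 the port table says nothing and the content is unrecognised, so no alert is raised. Port-agnostic detection only helps where a parser positively identifies the protocol.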
There is not really a better or worse product in this space; it depends on what the business is looking for and which system best fills its detection gaps. Because both are fully open-source, setting up a test environment is quick and inexpensive.
One of the main benefits of Suricata is that it was developed much more recently than Snort, so it has built-in features that are hard to do without today. One of those is multithreading.
The growth in network traffic over the years has been matched by the processing demands on IDS sensors (measured in packets per second). Suricata supports multithreading out of the box. Snort 2.x does not: no matter how many cores the CPU has, a single Snort 2 process uses one thread for packet processing.
There is a rather involved workaround: running several single-threaded Snort instances, each pinned to its own core, with a capture layer such as a PF_RING cluster balancing flows between them and all instances feeding the same log. The overhead of managing this and the hardware cost mean the setup is rarely found in production. Snort 3, developed as Snort++, is multithreaded; it spent years in alpha and beta, during which it was not advisable for production use, and reached its first production release (3.0.0) in January 2021. Multithreading remains a strong argument for Suricata over Snort 2.
Suricata supports file extraction. This is an incredibly useful feature: once a rule carrying the filestore option triggers, the matching file is written to disk automatically (the file-store section of suricata.yaml must be enabled for this). It is possible, for instance, to extract all PDF files or all single-pixel PNG files and store them in a preconfigured folder for manual analysis, VirusTotal lookups or automated sandboxing.
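What happens after extraction is up to the analyst. The following is an added example for this article, not Suricata code: given files as a filestore rule such as `alert http any any -> any any (msg:"Store PDFs"; fileext:"pdf"; filestore; sid:1000003; rev:1;)` would dump them, it applies the selection the paragraph describes, keeping every PDF and every 1x1 PNG, and hashes the survivors for a lookup. Identification is by magic bytes and the PNG IHDR chunk, not by the filename the server supplied, so a tracking pixel served as `photo.jpg` is still caught. The sample files are constructed in memory (PNG headers only, no pixel data); in a deployment they would be read from the file-store directory.

```python
import hashlib
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def png_dimensions(data):
    """Return (width, height) from a PNG's IHDR chunk, or None if the header is not intact.

    Layout: 8-byte signature, 4-byte length (always 13), b'IHDR',
    13 bytes of fields, 4-byte CRC computed over b'IHDR' + fields.
    """
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return None
    length, ctype = struct.unpack('>I4s', data[8:16])
    if length != 13 or ctype != b'IHDR':
        return None
    crc = struct.unpack('>I', data[29:33])[0]
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:
        return None                     # truncated or tampered header
    return struct.unpack('>II', data[16:24])


def identify(data):
    """Type by magic bytes, never by the filename the server sent."""
    if data.startswith(b'%PDF-'):
        return 'pdf'
    if data.startswith(PNG_SIG):
        return 'png'
    return 'other'


def should_keep(data):
    """Selection policy from the text: every PDF, and every 1x1 PNG."""
    kind = identify(data)
    if kind == 'pdf':
        return True, 'pdf'
    if kind == 'png' and png_dimensions(data) == (1, 1):
        return True, 'single-pixel png'
    return False, kind


def triage(files):
    """files: {name: bytes} as dumped by filestore. Returns what to send on for analysis."""
    kept = []
    for name, data in files.items():
        keep, reason = should_keep(data)
        if keep:
            kept.append({'name': name, 'reason': reason, 'size': len(data),
                         'sha256': hashlib.sha256(data).hexdigest()})
    return kept


def make_png_header(width, height):
    """Build signature + IHDR for a constructed test image (no pixel data follows)."""
    fields = struct.pack('>IIBBBBB', width, height, 8, 6, 0, 0, 0)   # 8-bit RGBA, no interlace
    chunk = b'IHDR' + fields
    return (PNG_SIG + struct.pack('>I', len(fields)) + chunk
            + struct.pack('>I', zlib.crc32(chunk) & 0xFFFFFFFF))


# Constructed "extracted files" for this example.
SAMPLE_FILES = {
    'invoice.pdf': b'%PDF-1.4\n% constructed sample, not a real document\n',
    'pixel.png': make_png_header(1, 1),
    'logo.png': make_png_header(200, 60),
    'photo.jpg': make_png_header(1, 1),          # name says JPEG, bytes say 1x1 PNG
    'notes.txt': b'plain text, nothing worth keeping',
}

if __name__ == '__main__':
    for item in triage(SAMPLE_FILES):
        print(item)
```

A header whose CRC does not verify is rejected rather than guessed at; a file cut short by a dropped connection should go to manual review, not be scored as a 1x1 image on a partial read.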
While Snort and Suricata are certainly the most popular open-source intrusion detection systems, there are alternatives. The Snort 3 release mentioned above is the most significant development, with multithreading, service identification and a more straightforward rule language. It was in development for many years, with the alpha going back to 2014, and is now generally available as 3.0.0 (January 2021); moving to it means converting Snort 2 configurations and rules, which the project's snort2lua tool helps with.
There are alternatives to the traditional IDS/IPS approach as well, although they work somewhat differently. The Bro Network Security Monitor (now known as Zeek), for instance, is less a signature engine than a network analysis framework. Where Snort and Suricata match traditional IDS signatures, Bro/Zeek parses protocols into events, runs scripts against those events and writes detailed transaction logs, which is what makes it suited to anomaly and behavioural detection.
A significant advantage of Bro/Zeek is that these scripts also allow for highly automated workflows between different systems, an approach that allows for decisions much more granular than the old pass or drop actions. Its configuration can become quite complicated, however.
There are several good open-source IDS options out there. Because of their differences, however, not all solutions will work for every environment. The selection of the best products should be based on what other, potentially overlapping, security products are already in place, what type of traffic traverses the network, the amount of traffic and the skill set of the available IT staff.