Benchmarking suricat/snort


#1

Hello,
I am wondering what make you choose suricata comparing to other open source projects like snort ? is there any advantages !

Thanks.


#2

Hi John,

Thanks for asking about Suricata vs Snort. Initially, I’d say it was for ease of use. Suricata packages remain pretty up to date in the EPEL repository, so we don’t have to maintain pulling in one-off packages. Later we found the native JSON output to really be ideal for the RockNSM needs for data pipeline. After using it for a bit, I found Suricata to be significantly more performant than Snort as well, and that’s with improvements in capabilities of the signature language and other protocol analyzers. I don’t have hard data and graphs to back that up, but managing a fleet of sensors, some of which were seeing close to 10 Gbps, Suricata was the hands down winner for that scale.

All that said, Snort 3.0 has been in development for a long time with a long list of new features. If it ever becomes the stable candidate and the community gets fired up about it like they are around Suricata, we’ll reconsider adding it back in, possibly as the default. We just can’t justify that today.

Thanks again for asking!

-dcode