Open Source IDS: Snort or Suricata?

Anonymous (unverified), submitted 2019-12-03 00:22:01

Copied from:

POSTED IN NETWORK SECURITY ON JANUARY 18, 2018

Snort and Suricata: what are the main differences, and what can we expect in the future from Snort?

Rules

Rules for Snort come from Talos (the SO / VRT rule sets) and from third-party providers such as CrowdStrike's Threat Intelligence Services.

Suricata is typically run with the Emerging Threats rule set, which also makes use of Suricata's additional features, such as file extraction.

Application Detection

Since the early days of Snort's existence, it has been called out that Snort is not "application aware." It simply looks at traffic matching its rules and takes an action (alert, drop, etc.) when there is a match. Pre-processors assist by shaping the traffic into a usable format for the rules to apply to, for instance by performing decompression and decoding, but there was no need for Snort to understand which application generated the data.

Snort's answer to this is OpenAppID, an open application-layer detection module that identifies the application in a flow and lets rules reference it through the appid keyword.

Suricata works slightly differently in this space. It supports application-layer detection in its rules and can, for instance, identify HTTP or SSH traffic on non-standard ports by recognizing the protocol itself rather than relying on the port number. It then applies protocol-specific logging to these detections.
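The point made above, as an added example that is not code from the original article, from Snort or from Suricata: a toy model in which a classic signature is bound to a port plus a byte pattern, while an application-layer detector first identifies the protocol from the payload itself, so SSH on port 2222 or HTTP on port 8080 is still classified, and logged with protocol-specific fields. The protocol fingerprints and the sample packets are simplified and constructed for the example.

```python
"""Port-bound signature versus application-layer protocol detection.

Added example, not code from the original article, from Snort or from
Suricata. The fingerprints below only look at the first client-to-server
bytes of a flow and are deliberately minimal; the packets at the bottom are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """First client-to-server payload of a TCP flow (assumed already reassembled)."""
    dst_port: int
    payload: bytes


# Minimal protocol fingerprints on the first bytes a client sends.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r\n"
)
SSH_BANNER = re.compile(rb"^SSH-(1\.99|2\.0)-")
TLS_RECORD_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}


def identify_app_protocol(payload: bytes) -> Optional[str]:
    """Return 'http', 'ssh' or 'tls' from the payload alone, ignoring the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if SSH_BANNER.match(payload):
        return "ssh"
    # TLS handshake record: content type 0x16 followed by a record version.
    if payload[:1] == b"\x16" and payload[1:3] in TLS_RECORD_VERSIONS:
        return "tls"
    return None


def port_rule_ssh(pkt: Packet) -> bool:
    """Port-bound signature, in the spirit of `alert tcp any any -> any 22 (content:"SSH-"; ...)`."""
    return pkt.dst_port == 22 and pkt.payload.startswith(b"SSH-")


def app_rule_ssh(pkt: Packet) -> bool:
    """Application-layer rule, in the spirit of `alert ssh any any -> any any (...)`: port-independent."""
    return identify_app_protocol(pkt.payload) == "ssh"


def protocol_log_fields(proto: Optional[str], payload: bytes) -> Dict[str, str]:
    """Protocol-specific fields a detector can log once it knows the protocol."""
    if proto == "http":
        m = HTTP_REQUEST_LINE.match(payload)
        return {"method": m.group(1).decode("ascii"), "uri": m.group(2).decode("ascii", "replace")}
    if proto == "ssh":
        banner = payload.split(b"\r\n", 1)[0]
        return {"client_banner": banner.decode("ascii", "replace")}
    if proto == "tls":
        return {"record_version": payload[1:3].hex()}
    return {}


def run_both(packets: List[Packet]) -> List[Dict[str, object]]:
    """Evaluate the port-bound rule and the app-layer rule side by side."""
    results = []
    for pkt in packets:
        proto = identify_app_protocol(pkt.payload)
        results.append({
            "dst_port": pkt.dst_port,
            "app_proto": proto,
            "port_rule_ssh": port_rule_ssh(pkt),
            "app_rule_ssh": app_rule_ssh(pkt),
            "log": protocol_log_fields(proto, pkt.payload),
        })
    return results


# Constructed sample flows (not real captures).
SAMPLE_PACKETS = [
    Packet(22, b"SSH-2.0-OpenSSH_8.9\r\n"),                          # SSH where expected
    Packet(2222, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH on a non-standard port
    Packet(8080, b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"),  # HTTP on port 8080
    Packet(22, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),     # TLS ClientHello on port 22
]

if __name__ == "__main__":
    for row in run_both(SAMPLE_PACKETS):
        print(row)
```

The second sample packet is the case the paragraph is about: the port-bound rule never sees the SSH session on 2222, the application-layer rule does, and the logger gets the client banner instead of a raw byte match. The fourth packet shows the converse, a TLS handshake on port 22 that a port-only view would happily call "SSH traffic".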

There is not really a better or worse product in this space; it depends on what the business is looking for and which system best fills the gaps in detection. Because both are fully open source, setting up a test environment is relatively quick and inexpensive.

Multithreading

Suricata has been multithreaded from the start, which lets it spread packet processing across CPU cores to keep up with today's processing demands. Snort 2 is single-threaded, so scaling it means running several instances; native multithreading is one of the main goals of SNORT 3 (Snort++).

File Extraction

Suricata can perform file extraction from supported application-layer protocols such as HTTP, writing the transferred files to disk along with their hashes. That opens the door to VirusTotal lookups or even automated sandboxing of what crossed the wire.
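The workflow described above, as an added example that is not code from the original article or from Suricata: carve the transferred file out of a captured HTTP response, hash it, and decide whether the artefact deserves a reputation lookup (VirusTotal is queried by hash) or a sandbox run. The response bytes, the magic-byte table and the `wants_analysis` policy are constructed for the example; nothing is sent to any service.

```python
"""File extraction from an HTTP response, with hashes ready for lookup.

Added example, not code from the original article or from Suricata. It
models what an IDS file-extraction feature produces: the carved file, its
metadata and its hashes. The sample responses are constructed for the
example and are not real captures.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Magic-byte signatures for file types that usually warrant analysis.
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
ANALYSIS_TYPES = {"pe", "elf", "pdf", "zip"}


def identify_magic(data: bytes) -> Optional[str]:
    """Classify the carved file by its leading bytes, not by what the server claimed."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response into status line, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def extract_file(raw: bytes) -> Dict[str, object]:
    """Carve the body out of a response and return a fileinfo-style record."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    expected = int(declared) if declared is not None else len(body)
    data = body[:expected]
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return {
        "status": status,
        "filename": m.group(1) if m else None,
        "content_type": headers.get("content-type"),
        "declared_size": expected,
        "size": len(data),
        "truncated": len(data) < expected,   # capture ended before the file did
        "magic": identify_magic(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def wants_analysis(record: Dict[str, object], known_good=frozenset()) -> bool:
    """Example policy: send executables, archives and PDFs that are complete and not already known-good."""
    if record["sha256"] in known_good:
        return False
    if record["truncated"]:
        return False  # hash of a partial file matches nothing useful
    return record["magic"] in ANALYSIS_TYPES


# Constructed sample download: a fake PE header followed by filler bytes.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 64
SAMPLE_DOWNLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
    + b"Content-Length: %d\r\n" % len(FAKE_PE)
    + b"\r\n" + FAKE_PE
)

if __name__ == "__main__":
    rec = extract_file(SAMPLE_DOWNLOAD)
    print(rec)
    print("submit for analysis:", wants_analysis(rec))
```

The `truncated` flag is the caveat a practitioner needs: if the capture stopped mid-transfer, the hashes describe a fragment, and a lookup will return a clean "unknown" for a file that may be anything but. Checking the magic bytes rather than the Content-Type header matters for the same reason; the server's label is attacker-controlled.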

Alternatives

Snort 3 (Snort++) has been in development since 2014, and a release date for a production version has not been set yet.

The Bro Network Security Monitor (since renamed Zeek), for instance, is more of an anomaly detection system. Where Snort and Suricata work with traditional IDS signatures, Bro uses scripts to analyze traffic. A significant advantage of Bro is that these scripts also allow for highly automated workflows between different systems, an approach that allows for decisions much more granular than the old pass or drop actions. Its configuration can become quite complicated, however.

Conclusion

There are several good open source IDS options out there. Because of their differences, however, not all solutions will work for every environment. The selection of the best product should be based on what other, potentially overlapping, security products are already in place, what type of traffic traverses the network, the amount of traffic, and the skill set of the available IT staff.

