POSTED IN NETWORK SECURITY ON JANUARY 18, 2018
SNORTSuricata. What are the main differences and what can we expect in the future from SNORT?
Rules
Talos’ SO / VRT rulesCrowdStrikes Threat Intelligence Services.
Emerging Threatsadditional featuresfile extraction.
Application Detection
Since the early days of Snorts existence, it has been called out that Snort is not “application aware.” It simply looks at traffic matching its rules and takes an action (alert, drop, etc) when there is a match. Pre-processors assist by shaping the traffic into a usable format for the rules to apply to, for instance performing decompression and decoding, but there was no need for Snort to understand which application generated the data.
Suricata works slightly different in this space. It supports Application-Layer detection rules and can, for instance, identify HTTP or SSH traffic on non-standard ports based on protocols. It will also then apply protocol specific log settings to these detections.
There is not really a better or worse product in this space, it really depends on what the business is looking for, and witch system best fills the gaps in detection. Because both are the fully open source, setting up a test environment is relatively quick and inexpensive.
Multithreading
processing demandsSNORT3Snort++.
File Extraction
file extractionVirusTotallookups or even automated sandboxing.
Alternatives
2014, and a release date for a production version has not been set yet.
Bro Network Security Monitor, for instance, is more of an anomaly detection system. Where Snort and Suricata work with traditional IDS signatures, Bro utilizes scripts to analyze traffic. A significant advantage of Bro is that these scripts also allow for highly automated workflows between different systems, an approach that allows for decisions much more granular than the old pass or drop actions. Its configuration can become quite complicated, however.
Conclusion
There are several good Open Source IDS options out there. Because their difference, however, not all solutions will work for every environment. The selection of the best product should be based on what other, potentially overlapping, security products are already in place, what type of traffic traverses the network, the amount of traffic and the skillset of the available IT staff.