Snort vs Suricata vs Sagan

Champ Clark edited this page May 22, 2014 · 8 revisions

Snort

Homepage: http://www.snort.org/

Snort is the oldest, most proven open source Network Intrusion Detection System (NIDS). It has a user base of nearly 400,000 people and is well documented for Windows, many Linux variants, and the BSDs. It's current limitation is that it is single-threaded, so it does not take advantage of multi-core machines without special configurations.

Suricata

Homepage: http://www.openinfosecfoundation.org/index.php/download-suricata

Suricata is a younger NIDS, though fast in development. It is partly funded by the Department of Homeland Security's Directorate for Science and Technology and is designed to work with the Snort rulesets. It is best known for it's efficiency, though it can be a double-edged sword. It is best to use the Emerging Threats or Emerging Threats Pro rulesets with Suricata, as they design their rules for full optimizing with Suricata. If you're using a single core box, it is best to use Snort. However, Suricata does show it's speed with multi-core boxes running a ruleset optimized for Suricata. (reference: http://www.inliniac.net/blog/2010/07/22/on-suricata-performance.html)

Sagan

Homepage: http://sagan.quadrantsec.com/

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles". This compatibility makes it possible to use Sagan with Snorby.

Sagan supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support, time sensitive alerting and much more.

Back to Snorby E-Book

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.