Analysis and Comparative Performance of Open-Source Intrusion Detection Systems

Intrusion Detection Systems (IDSs) are some of the most adopted security defense tools for computer networks and systems. Some of the IDSs are accessible open-source, and the most commonly used open-source IDSs are Snort, Suricata, and Zeeka (previously Bro) [1]. Study shows that while Suricata and Snort are signature-based and rely significantly on rules to detect malicious activities, Bro applies customized scripts to identify violations/anomalies of policies within the traffic. An open-source host-based IDS can serve as anomaly and signature-based [2]. However, this paper focuses on rule-based IDSs, namely Suricata and Snort, because they are the most commonly used IDSs for computer networks and follow the same architecture, making the diversity analysis and comparison more appropriate. The rules detect malicious activities based on protocols, content, and ports, alongside the traffic/activity’s origin. For instance, based on traffic’s origin, the rule-based IDS detects and blocks suspicious IP addresses, and traffic emanates from the IPs alerted. Based on the IDS’s configuration, the traffic can either be alerted and dropped or alerted and allowed. The former occurs when IDS operates in Intrusion Prevention System (IPS) model [1]. A significant paradigm when designing network security is the defense-in-depth. Layering defense can help to reduce the attack probability. Today, guidance documents for security systems advocate for defense-in-depth as an obvious need [3].

While from the software engineering viewpoint, many differences exist between Suricata and Snort that can potentially impact their alerting behavior. However, the Blacklisted IP Addresses (BIPAs) and signature rule differences between Suricata and Snort are cited as the cause for the significant reason for the diversity in their network malware detection capabilities [1]. While other performance metrics such as drop-rates or packet-processing speed can be used to compare Snort and Suricata, their impact on the diversity between the two IDSs is relatively lower than the contribution from BIPAs and signature rules. BIPAs and signature rules are added, deleted, or modified regularly [4]. Concerning signature rules, Suricata IDS applies the Emerging Threats (ET) rules. Suricata has rules intended for the BIPAS fixed in the rule file. On the one hand, Snort has rules directed to the directory containing files and BIPAS. The BIPAS and rules can be updated automatically through tools such as Pulledpork. The sensor-generated alerts directed to storage or analyzers [5]. The system analyzers also access the storage to further analyze the alerts, ensuring that action is taken consequently. Both Suricata and Snort provide different methods to customize logs, which can be sent to different logs-plugins or saved. The outputs/logs information can from the malicious alerts or TCP package, contingent of the IDS mode [6]. The logs contain a series of fields with information concerning IP address, protocols, ports, time stamps, session details, payload signature, and rules information among others [2].

The performance assessment of Suricata and Snort has been studied in detail in the work of by many researchers using different benchmarks such as drop rates, speech, and malware detection accuracy. Concerning speed and memory, and accuracy, [7] established that Suricata can manage a large volume of traffic with the same accuracy. In [4] the authors demonstrated that the packet-loss and speed performance of Suricata surpassed that of Snort, but with reduced accuracy. In [8], the author applied detection accuracy as the metric for comparing the performance Suricata and Snort in a cloud-based network, and proposed the adoption of fuzzy logic alongside the two IDS to improve their performance. The author further compared Suricata and Snort performance using different performance metrics including drop out packets, CPU usage, and memory utilization. In that line of comparison, Suricata outperformed Snort based on drop out packets and CPU usage [8]. While comparing Suricata and Snort using real-world traffic, [9] noted that Suricata is more memory and CPU intensive, but perform optimally based on packet drop rate. However, Snort is more effective based on the volumes of alert generation. The study further noted that that Suricata is more accurate in malicious traffic detection with high-computing resources and more effective ruleset. Experiment in [12] also showed that Suricata, alerted on each exploit based on all the experiment configuration, but numerous alert types got lost, leading to a decrease of detection breadth. The volumes of alert produced when malicious attack were performed against each IDS were, therefore, more accurate and effective in Snort than Suricata.

In [11], the authors analyzed and compared the performance of Suricata and Snort on Linu and Windows platforms using experimentation method. The result of the study indicated that both Snort and Suricata use more resources whether on Linux or Windows operating systems. The researchers established that CPU utilization is impacted by the operation system where the IDS is used for both solutions. Study in [4] also reached similar conclusion. The researchers argued that Linux-based performance for both Suricata and Snort consumed more OS resources than widow-based.