Analysis and Comparative Performance of Open-Source Intrusion Detection Systems

PART I – Conclusion

This study analyzed and compared the performance of the Snort, Suricata and Bro open-source intrusion detection systems for their accuracy in detecting harmful or malicious traffic in computer systems and networks. The research helps users evaluate a multi-threaded IDS (Suricata) against single-threaded IDSs (Snort and Bro), based on their features and performance in different contexts and systems, so that they can make an informed decision on adopting an IDS to protect computer networks and systems against malicious intrusions. Users of open-source IDSs face the problem that no independent view exists of the performance of the respective IDSs for intrusion detection, hence the need for an independent analysis and comparative performance evaluation of each open-source IDS.

Suricata, Snort, and Bro exhibit many differences in their Blacklisted IP Addresses (BIPAs) and signature rule variations, which significantly affect the diversity of their alerting behavior and their capability to detect malware or system threats. Suricata is a multi-threaded, signature-based open-source IDS that allows real-time intrusion detection, network security monitoring, and packet capture processing, and it can examine a system's or network's traffic using a powerful and extensive signature language and rules designed to detect complex threats. Snort, on the one hand, is a single-threaded IDS engine that uses a varied range of protocols to conduct a range of assessments, including attacks on systems or web applications, stealth port scans, operating-system fingerprinting attempts, and buffer overflows, in order to detect and block malicious cyber-attacks in real time. Bro, on the other hand, has a single-threaded engine like Snort but has a communication protocol and a manager operating as a distinct process, meaning that Bro uses extra logical processor capacity compared to Snort.

The differences in signature rules and thread structure between Suricata, Snort, and Bro also signify significant performance differences in speed, memory, and accuracy, which users must note before selecting one of the IDSs for implementation. Suricata has been found to outperform Snort on a range of metrics, including speed, memory usage, and accuracy, because its multi-threaded structure means that it can process larger packet volumes at the same accuracy, and it is more accurate in threat detection when given an effective ruleset and ample computing resources. At the same time, Snort performs best primarily in terms of alert generation volume. Like Snort, Bro has a higher rate of dropped packets, attributed to its single-threaded design, which makes it likely to be overwhelmed by traffic. However, Bro's packet drop rate is lower than Snort's because its manager and communication protocol operate as a separate process. Bro's communication loop generates an additional load that takes up about 4% of CPU capacity even with no traffic, and it uses more logical processors than Snort. Snort's CPU load does not exceed 12.5%, and it never uses more than one logical processor at any time, even as the transmission speed increases.


The present findings suggest that Suricata’s multi-threaded design gives it more advantages than Snort and Bro based on a range of metrics, including the system’s attack coverage and accuracy in threat detection, which is the core goal for IDS implementations.

However, while experimenting, this study observed that a range of factors, including software and hardware performance, affected the accuracy of the IDSs. Hence, researchers must take note of software issues such as the available configuration options, detection algorithm optimizations, and processor load, and of hardware performance factors such as HDD speed, CPU, and available RAM. Researchers will also encounter repeated warning messages that the pre-processor memory cap has been reached, which can prune some sessions before their analysis is complete. This can generate misleading output, so it must be corrected before starting the experiment by increasing the default 8MiB pre-processor memory limit to a maximum of 512MiB. Further, for accurate results, future researchers must also repeat every IDS experiment at least three times to verify the accuracy of the outcomes.
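As an added illustration (not code from the study), the following Python script applies the two recommendations above: it discards any run whose log shows memory-cap pruning, and it reports accuracy and packet-drop means only once at least three valid runs exist per IDS. The run data, field names and warning text are constructed for the example and do not follow any IDS's real output schema.

```python
"""Aggregate IDS accuracy and drop-rate metrics over repeated, validated runs."""
from statistics import mean, pstdev

# Constructed sample data. Field names and the warning text are assumptions
# made for this example, not the real output of Snort, Suricata or Bro.
RUNS = {
    "suricata": [
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3, 4, 5}, "received": 100000, "dropped": 150, "warnings": []},
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3, 4, 9}, "received": 100000, "dropped": 200, "warnings": []},
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3, 4, 5}, "received": 100000, "dropped": 100, "warnings": []},
    ],
    "snort": [
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3}, "received": 100000, "dropped": 8000, "warnings": []},
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2}, "received": 100000, "dropped": 30000,
         "warnings": ["preprocessor memcap reached, session pruned"]},  # constructed warning
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3, 4}, "received": 100000, "dropped": 7000, "warnings": []},
        {"truth": {1, 2, 3, 4, 5}, "alerted": {1, 2, 3, 4}, "received": 100000, "dropped": 9000, "warnings": []},
    ],
}

def memcap_pruned(run):
    """True if any warning line reports memory-cap pruning (constructed keyword)."""
    return any("memcap" in w.lower() for w in run["warnings"])

def run_metrics(run):
    """Precision and recall against ground-truth flows, plus packet drop rate, for one run."""
    tp = len(run["truth"] & run["alerted"])
    fp = len(run["alerted"] - run["truth"])
    fn = len(run["truth"] - run["alerted"])
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "drop_rate": run["dropped"] / run["received"] if run["received"] else 0.0,
    }

def aggregate(runs, min_runs=3):
    """Mean and std-dev per metric over runs not affected by memcap pruning."""
    valid = [run_metrics(r) for r in runs if not memcap_pruned(r)]
    if len(valid) < min_runs:
        raise ValueError(f"only {len(valid)} valid runs, need at least {min_runs}")
    return {k: (mean(m[k] for m in valid), pstdev(m[k] for m in valid)) for k in valid[0]}

def compare(all_runs):
    """Aggregate every IDS in the table; returns {ids: {metric: (mean, stdev)}}."""
    return {ids: aggregate(runs) for ids, runs in all_runs.items()}

if __name__ == "__main__":
    for ids, metrics in compare(RUNS).items():
        print(ids, {k: f"{m:.3f} +/- {s:.3f}" for k, (m, s) in metrics.items()})
```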

PART II – Abstract

The internet remains a very hostile environment for computer systems and networks regardless of advances in network security. The environment is characterized by sophisticated cyber threats that are likely to become even more destructive in the future, leading to significant losses of information and data and to economic and social damage. Currently, sophisticated worms, including Stuxnet, are examples of the deadliest cyber threats crafted in the modern cyber environment. A critical element of computer system protection and security monitoring is the integration of an IDS to detect and alert on malicious activity. A range of open-source IDSs can be deployed for cyber threat detection and reporting, but they vary in their performance on several metrics, including accuracy and speed of threat detection and alerting. This study explores Suricata and Snort as the most widely adopted IDSs and compares their performance with that of Bro IDS. The study's objective was to establish how open-source IDSs, particularly Suricata, Snort, and Bro, respond to different threats and attacks, and how users can identify the most effective IDS for their systems and networks. It is believed that Suricata's multi-threaded design and Snort's and Bro's single-threaded designs also imply variations in performance in different contexts. Snort and Suricata are rule-based open-source IDSs with almost the same functionality, including rule syntax. However, they have different engines, Suricata's being multi-threaded and Snort's single-threaded, which also implies variation in performance in different contexts. Bro instead uses customized scripts to identify violations and anomalies within the system. This study adopted an experimental approach to evaluate the applicability and accuracy of Suricata and Snort in environments with different software and hardware capabilities and to compare the results with Bro IDS.
The experiments comprised testbeds comparing both IDSs' responses to different settings, traffic loads, packet sizes, transmission times, bandwidths, and packet volumes. Each situation is analyzed based on packet processing and the latest emerging detection rules to compare the IDSs' performance. The study revealed that Suricata has more advantages than Snort and Bro because of its multi-threaded design on most operating systems, and it utilizes all the CPU cores on the computer system with high accuracy and speed in intrusion detection. Besides, multilayer and multi-core hardware are more common nowadays than single-core CPUs, rendering Snort's single-