Suricata and Snort are both rule-based open-source IDSs with similar functionality, including the same syntax. However, because of their engine designs, the two systems have different performance levels. Suricata is a multi-threaded IDS, while Snort operates as a single-threaded IDS. Therefore, this study adopts performance as the metric to assess the effectiveness of Suricata and Snort and to determine, through experimentation, which one is more effective at intrusion detection and prevention. Metrics such as drop rates, speed, and malware detection accuracy are most commonly used to assess an IDS.
The study will be guided primarily by the assumption that open-source intrusion detection systems (IDSs) vary in their effectiveness at detecting an intrusion. It is believed that the multi-threaded design of Suricata and the single-threaded design of Snort also imply a variation in performance. Experts consider single-threaded engines outdated because multi-core hardware and multilayer CPUs are most common today.
Most literature reveals that Suricata has many advantages over Snort on most operating systems. Primarily, Suricata is multi-threaded, which lets it take advantage of every CPU core on the computer. As a result, Suricata inspects network traffic using an extensive and powerful rule and signature language capable of detecting complex threats. The literature also notes that Suricata has higher RAM and CPU utilization than Snort in most instances on all operating systems.
Based on the considerable differences between the two platforms, it is likely that Suricata and Snort differ in the efficiency and speed of system and network analysis. This will be tested in this study using the experimentation approach. Concerning originality, this work will provide new interpretations of existing data in the literature, analyzing and interpreting the existing works of other scholars to produce new knowledge on the topic.