A. Capstone Project Title: Analysis and Comparative Performance of Open-Source Intrusion Detection Systems.

B. Research Problem: As the world becomes more connected to cyberspace, hackers and attackers are becoming increasingly sophisticated at penetrating computer networks and systems. Hence, the internet is an increasingly hostile place for computer systems and networks. Several open-source intrusion detection systems (IDSs) such as Snort, Suricata, and Bro are available and can be applied to detect threats in computer information and network systems, as shown by Vinayakumar et al. [5]. However, the problem faced by users of open-source IDSs is the lack of an independent view of how these IDSs perform and of which ones are not effective at detecting intrusion.


C. Assumptions: The primary assumption is that with an open-source IDS, the IT team can be promptly notified when a network intrusion has occurred or an attack may be under way. However, open-source IDSs vary in their effectiveness at detecting an intrusion.

D. Literature Review: A study by Vinayakumar et al. [5] on intelligent IDS has proven that an intrusion detection system (IDS) can monitor both inbound and outbound traffic on a network, as well as data moving between planes of the network. This makes it easier to detect sophisticated malware than when a firewall alone is used. Firewalls prevent intrusion by limiting access between networks but may not signal an attack from within the network. Bouziani et al. [1] argued that an IDS can evaluate a suspected intrusion as it occurs and raise the alarm; it also monitors attacks originating from inside the systems. Firewalls make filtering decisions based only on network packet header data, leaving the payload uninspected. Payload analysis is often vital for detecting packets with malicious content, and this is where intrusion detection systems help protect internet users against cyber threats. An IDS monitors and logs any sign of malicious activity in network traffic and raises an alert after noticing a suspicious event.

Sulaiman, Seta, and Falih [4] observe that different open-source IDSs, including Snort, Suricata, and Bro, vary in design and in their effectiveness at responding to intrusion. The authors point out that the Snort engine is designed to allow a single rule to cover diverse network protocols; it performs protocol analysis and content matching. Snort is also applied to detect or block a diverse range of attacks, including stealth port scans, buffer overflows, OS fingerprinting attempts, attacks on web applications, and many others. The Snort engine is primarily designed for intrusion prevention; hence it handles cyber-attacks as they happen.

Garg and Maheshwari [2] argued that Suricata, adopted as a signature-based open-source IDS, allows real-time network security monitoring, intrusion detection, and offline packet capture processing. Suricata inspects network traffic through an extensive and powerful rule and signature language capable of detecting complex threats. Suricata is multi-threaded, so it can take advantage of every CPU core on the machine. It not only logs packets but can also log and capture DNS requests, HTTP requests, and Transport Layer Security/Secure Sockets Layer (TLS/SSL) sessions. This multi-threaded design is critical as network bandwidth grows.

Sharma and Sharma [3] note that Bro, adopted as a hybrid IDS, contains an analysis engine that can convert captured traffic into a chain of events such as a connection to a website, a user login to FTP, and other users' online activities. Bro can target high-speed, high-volume traffic at Gigabits per second (Gbps) for intrusion detection. Bro applies the concept of packet filtering, so it can attain efficiency while operating on commercially available PC hardware. As such, it serves as a cost-effective method to monitor a site's internet connection.

E. Research Questions:

  • Why is IDS an important intrusion detection strategy today?
  • How do open-source IDSs, including Snort, Bro, and Suricata, respond to specific network attacks?
  • How can users identify open-source IDSs that are effective for intrusion detection at their sites?

Answering these questions will help users appreciate the significance of IDS for their sites, its application, and the effectiveness of different types of open-source IDSs.

F. Expected Outcome: The researcher expects that several factors, including software, will impact the effectiveness of open-source IDSs. The software aspects will include detection algorithm optimization, the number of processors used, and the available software configuration options. Hardware performance, including CPU, RAM, HDD speed, and NIC speed, will also impact IDS efficiency.

G. Project Plan: The researcher will perform experimental testing on all the IDS solutions. The following experiments will be conducted:

  • Default OS and IDS configuration.
  • Optimizing every IDS configuration by consulting online discussions and manuals.
  • Modifying and replacing network socket packet capture modules to enhance capture performance, including increasing libpcap buffer sizes and using AF_PACKET and PF_RING network sockets.
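An added illustration of experiments 1 and 3 (not part of the proposal or of any cited paper): the capture sections of a suricata.yaml, with the stock libpcap capture beside an AF_PACKET configuration that uses every core and a larger memory-mapped ring. The interface name and buffer sizes are assumed values the tester would tune.

```yaml
# Experiment 1 style: libpcap capture, single capture thread, small buffer.
pcap:
  - interface: eth0              # assumed interface name
    buffer-size: 16777216        # assumed: 16 MiB ring; raise if capture drops appear

# Experiment 3 style: AF_PACKET capture with one thread per core.
af-packet:
  - interface: eth0              # assumed interface name
    threads: auto                # one capture thread per CPU core
    cluster-id: 99
    cluster-type: cluster_flow   # keep every packet of a flow on the same thread
    defrag: yes
    use-mmap: yes                # memory-mapped ring shared with the kernel
    tpacket-v3: yes
    ring-size: 200000            # assumed: frames per thread; raise if drops appear
    buffer-size: 32768
```

Select the capture method on the command line (`--pcap=eth0` or `--af-packet=eth0`) and compare the capture drop counters in the stats output between the two runs.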

H. Anticipated Difficulties and Pitfalls: The researcher is likely to get many warning messages that the pre-processor memory cap has been reached, meaning that some sessions may be pruned and not thoroughly analyzed. This can produce misleading results if not corrected. To overcome such anomalies, the researcher should raise the pre-processor memory limit from the default 8MiB to 512MiB and repeat each experiment at least two or three times to verify the outcomes.
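An added example (not part of the proposal or of any cited paper) of how the repeated runs proposed above can be checked for exactly this pitfall: it reads Suricata eve.json output from each run, takes the capture counters from the last cumulative stats event, marks any run whose kernel drop rate exceeds a threshold as unreliable, and compares alert totals only across the reliable runs. The eve.json lines and the 1% threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed eve.json excerpts standing in for three repeated AF_PACKET runs of the
# same traffic (assumed: one eve.json per run; the last "stats" event is cumulative).
RUNS = {
    "run1": """
{"event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":0}}}
{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL test A"}}
{"event_type":"alert","alert":{"signature_id":1000002,"signature":"LOCAL test B"}}
""",
    "run2": """
{"event_type":"stats","stats":{"capture":{"kernel_packets":50000,"kernel_drops":1000}}}
{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL test A"}}
{"event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":5000}}}
""",
    "run3": """
{"event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":200}}}
{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL test A"}}
{"event_type":"alert","alert":{"signature_id":1000002,"signature":"LOCAL test B"}}
""",
}


def summarize_run(eve_lines):
    """Return (kernel_packets, kernel_drops, alerts-per-signature_id) for one run."""
    packets = drops = 0
    alerts = Counter()
    for line in filter(None, map(str.strip, eve_lines)):
        event = json.loads(line)
        if event["event_type"] == "stats":
            capture = event["stats"].get("capture", {})  # absent in some stats events
            packets = capture.get("kernel_packets", packets)
            drops = capture.get("kernel_drops", drops)
        elif event["event_type"] == "alert":
            alerts[event["alert"]["signature_id"]] += 1
    return packets, drops, alerts


def compare_runs(runs, max_drop_pct=1.0):
    """Per-run drop rate and alert total; a run dropping more than max_drop_pct of
    packets is marked unreliable, and alert counts are compared only across the rest."""
    results = []
    for name, text in runs.items():
        packets, drops, alerts = summarize_run(text.splitlines())
        drop_pct = 100.0 * drops / packets if packets else 0.0
        results.append({"run": name, "drop_pct": round(drop_pct, 2),
                        "alerts": sum(alerts.values()), "reliable": drop_pct <= max_drop_pct})
    consistent = len({r["alerts"] for r in results if r["reliable"]}) <= 1
    return results, consistent
```

In the constructed data, run2 lost 5% of packets and one of the two alerts, which is the kind of pruning-induced result the repeated runs are meant to expose.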


[1] O. Bouziani, H. Benaboud, A. Chamkar, and S. Lazaar, "A Comparative Study of Open Source IDSs According to Their Ability to Detect Attacks," Proceedings of the 2nd International Conference on Networking, Information Systems & Security (NISS19), vol. 1, no. 51, 2019. DOI: 10.1145/3320326.3320383 [Accessed 17 March 2022].

[2] A. Garg and P. Maheshwari, "Performance Analysis of Snort-based Intrusion Detection System," 2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS), vol. 1, no. 1, 2016. DOI: 10.1109/icaccs.2016.7586351 [Accessed 17 March 2022].

[3] A. Sharma and M. Sharma, "Analysis and Implementation of BRO IDS Using Signature Script," 2015 International Conference on Soft Computing Techniques and Implementations (ICSCTI), vol. 1, no. 1, 2015. DOI: 10.1109/icscti.2015.7489563 [Accessed 17 March 2022].

[4] F. Sulaiman, H. Seta, and N. Falih, "Exploitation Prevention on Network Printer with Signature-Based Suricata on PfSense," 2021 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS), vol. 1, no. 1, pp. 35-39, 2021. DOI: 10.1109/icimcis53775.2021.9699133 [Accessed 17 March 2022].

[5] R. Vinayakumar, M. Alazab, K. Soman, P. Poornachandran, A. Al-Nemrat, and S. Venkatraman, "Deep Learning Approach for Intelligent Intrusion Detection System," IEEE Access, vol. 7, pp. 41525-41550, 2019. DOI: 10.1109/access.2019.2895334 [Accessed 17 March 2022].