Suricata, Snort, Bro

Are you looking for a tool to use as an intrusion detection system for your network? Did you come across the tools Suricata, Snort and Bro? Are you wondering which tool you might want to use?

All three tools are proven effective and each has its own exclusive features. Understanding the specific features of each of them and their differences will help you decide which tool would suit your needs best.

The article ‘Open Source IDS High Performance Shootout’ by SANS gave me a detailed picture of a comparative study between the three. I would like to summarise the key points for you.

Usage:

To give an overall picture, Snort and Suricata come under the category of signature-based IDS, while Bro could be called a behaviour-based one. In Snort and Suricata, you need to specify rules based on already known knowledge about malware. A sample Snort rule looks like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( \
    flow:to_server,established; \
    content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; \
    msg:"EXPLOIT x86 linux samba overflow"; \
    reference:bugtraq,1816; \
    reference:cve,CVE-1999-0811; \
    classtype:attempted-admin; \
)

Suricata uses a very similar rule syntax.
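To make the rule structure concrete, here is an added Python example (not from the SANS paper or from either project) that parses the rule above into its header and options, decodes the pipe-delimited hex content into bytes, and checks a constructed payload against it. The rule is re-assembled into valid single-line syntax; sid and rev options are left out because the page does not give them.

```python
import re

# The Snort rule from the page, re-assembled with the parentheses and
# semicolons that the rule grammar requires (sid/rev omitted: not on the page).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 '
    '(flow:to_server,established; '
    'content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; '
    'msg:"EXPLOIT x86 linux samba overflow"; '
    'reference:bugtraq,1816; reference:cve,CVE-1999-0811; '
    'classtype:attempted-admin;)'
)

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)

def split_options(body):
    """Split the option body on ';' outside double quotes.
    Returns (keyword, value) pairs; bare flags such as 'nocase' get None."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(cur).strip()
            if token:
                key, _, val = token.partition(':')
                opts.append((key.strip(), val.strip() or None))
            cur = []
        else:
            cur.append(ch)
    return opts

def hex_content_bytes(value):
    """Decode a content value: text between '|' is hex, text outside is literal."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a valid rule header')
    parsed = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    parsed['options'] = split_options(m.group('opts'))
    return parsed

def content_matches(rule, payload):
    """True when every 'content' pattern occurs in payload (simplified: real
    engines also honour modifiers such as offset, depth and nocase)."""
    needles = [hex_content_bytes(v) for k, v in parse_rule(rule)['options'] if k == 'content']
    return bool(needles) and all(n in payload for n in needles)
```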


Bro has a very different approach compared to the idea of rules. Bro works with scripts. A sample Bro script looks like this:

@load protocols/ssl/expiring-certs

const watched_servers: set[addr] = {
	87.98.220.10,
} &redef;

# Site::local_nets usually isn't something you need to modify if
# BroControl automatically sets it up from networks.cfg.  It's
# shown here for completeness.
redef Site::local_nets += {
	87.98.0.0/16,
};

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSL::Certificate_Expired )
		return;

	if ( n$id$resp_h !in watched_servers )
		return;

	add n$actions[Notice::ACTION_EMAIL];
	}

For someone with a typical Linux scripting mindset, the Bro scripts look very appealing. Bro provides a completely new scripting language that makes it a highly flexible platform compared to Snort and Suricata. From the perspective of a beginner, however, mastering Bro scripting may well be harder than understanding the Snort and Suricata rule sets.

Performance:

Snort is highly efficient in the scenario of moderate traffic with a single core processor. Based on its architecture, Snort uses 10% of CPU for parsing, 10-20% for normalisation and 70-80% of CPU for payload inspection and detection. In a test performed by SANS, Snort gave a performance of 500 Mbps with 1 CPU core for 1000 signatures. For 4000 signatures, it required 2.4 CPU at a rate of 400 Mbps. It was found that a single instance of Snort is more efficient than Suricata, with 50% less memory utilisation. Recent versions of Snort support PF_RING and PCAP acceleration, providing support for higher traffic.

Suricata is more focused on large scale networks. In a way, it could be considered an extension of Snort for large networks. In a scenario with 45 CPUs hosting 12 cores per CPU and 125 GB of RAM, the network throughput was 20 Gbps. Suricata had a much lower packet drop of 7%, while it was 53% in Snort. Suricata provides support for PF_RING, AF_PACKET, PCAP acceleration and NFLOG. It also works better with multi-threading. In Snort the normalisation is performed for every instance, while for Suricata and Bro the normalisation is performed only once before multi-threading. Suricata also supports GPU CUDA acceleration for pattern matching. There are also about 4000 file types built in for file extraction and logging, also providing MD5 matching.

Bro, as mentioned above, is a script-driven IDS. Bro has support for clustering for high throughput environments. Bro provides a ‘worker’ based architecture to utilise multiple processors. Bro’s developers recommend allocating one core for every 80 Mbps of traffic that is being analysed. It also has features allowing it to interact with other systems in the enterprise, send email messages, page on-call staff, or automatically terminate existing connections. Bro also works based on file hash extraction and matching with the use of publicly available hash registers. It is important to notice that the processing per core is significantly lower compared to Snort or Suricata. But Bro has built-in capacity to spread the load across multiple machines via a Bro cluster, thereby providing greater scalability. Some research, however, shows that the overhead of distributed processing slows down the performance. Thus the performance acceleration is applicable only up to a certain saturation point.

Snort is the perfect solution for a moderate traffic scenario, about 400 Mbps. There is also acceleration support like PF_RING in the newer versions aimed at solving the high throughput scenarios. But for high throughput systems with 10 Gbps or more, Suricata is better due to its extensive support for large scalability. ISPs using 20 Gbps could use Suricata effectively. Bro could be considered a high throughput research environment due to its great flexibility. Its powerful scripting features are definitely a greater advantage compared to the rule sets in Snort or Suricata.

References:

[1] http://www.sans.org/reading-room/whitepapers/intrusion/open-source-ids-high-performance-shootout-35772

[2] https://www.snort.org/documents

[3] https://www.bro.org/documentation/index.html

[4] Sample Snort signatures: http://www.icir.org/vern/cs294-28.Spr09/notes/NIDS.pdf