Snort vs Suricata vs Sagan
Homepage: http://www.snort.org/
Snort is the oldest and most proven open source Network Intrusion Detection System (NIDS). It has a user base of nearly 400,000 people and is well documented for Windows, many Linux variants, and the BSDs. Its current limitation is that the detection engine is single-threaded, so it does not take advantage of multi-core machines unless you run several Snort instances side by side (one per core) and split the traffic between them with a load-balancing capture layer.
Homepage: http://www.openinfosecfoundation.org/index.php/download-suricata
Suricata is a younger NIDS, though it is developing quickly. It is partly funded by the Department of Homeland Security's Directorate for Science and Technology and is designed to work with Snort rulesets. It is best known for its performance, which is a double-edged sword: its multi-threaded design only pays off when it has several cores to use and a ruleset written with its engine in mind. The Emerging Threats and Emerging Threats Pro rulesets are the best choice with Suricata, as they are written to take full advantage of it. On a single-core box, Snort is the better choice; Suricata shows its speed on multi-core boxes running a ruleset optimized for it (reference: http://www.inliniac.net/blog/2010/07/22/on-suricata-performance.html).
Homepage: http://sagan.softwink.com/
Sagan is a log-analysis based Host Intrusion Detection System (HIDS), designed to be deployed on servers and workstations. It should not be considered directly comparable to Snort or Suricata, as its visibility into an attack is at the host level rather than the network level. Unlike most HIDS, Sagan can correlate its alerts with Snort events, which gives it some of the character of a Security Information and Event Management (SIEM) system. Its rule syntax follows Snort's, so anyone familiar with Snort or Suricata rule writing will find it easy to write rules for Sagan. At this time, Sagan is Linux-only and does not support Windows.
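To show why a Snort or Suricata rule writer feels at home with Sagan, here is an added example (not code from this page, nor from the Sagan, Snort or Suricata projects) of a minimal Snort-style rule matcher applied to syslog lines instead of packets. The rules keep Snort's `action proto src sport -> dst dport (options;)` layout with `msg`, `content`, negated `content:!`, `pcre` and `sid`, plus a `program:` option in the style Sagan uses to match the syslog program name. The rule text, SIDs, hostnames and log lines are constructed for the example; the matcher is a teaching sketch of how such rules are evaluated, not Sagan's engine.

```python
"""Tiny Snort-style rule matcher run over syslog-like lines.

Illustrative only: a sketch of why Snort/Suricata rule writers find
Sagan's syntax familiar, not Sagan's real engine. All rules, SIDs and
log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed rules in Snort header/option layout; 'program:' is a
# Sagan-style option matched against the syslog program name.
RULES = r'''
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH invalid user"; program:sshd; content:"Invalid user"; sid:9000001; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH password failure"; program:sshd; content:"Failed password"; pcre:"/from (\d{1,3}\.){3}\d{1,3}/"; sid:9000002; rev:1;)
alert syslog any any -> $HOME_NET any (msg:"sudo by non-root"; program:sudo; content:"COMMAND="; content:!"USER=root"; sid:9000003; rev:1;)
'''

# Constructed syslog lines (RFC 3164 style) for the matcher to scan.
LOG_LINES = '''
Mar  3 10:15:02 web01 sshd[2211]: Invalid user admin from 203.0.113.9 port 40122
Mar  3 10:15:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 10:16:30 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:45 web01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  3 10:17:00 web01 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
'''

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# key : [!] "quoted value" | bare value ;   (quoted values may contain \" escapes)
OPT_RE = re.compile(r'(\w+)\s*:\s*(!?)("(?:[^"\\]|\\.)*"|[^;]*)\s*;')
SYSLOG_RE = re.compile(r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$')


@dataclass
class Rule:
    action: str
    proto: str
    msg: str = ""
    sid: int = 0
    program: Optional[str] = None
    contents: List[Tuple[str, bool]] = field(default_factory=list)  # (text, negated)
    pcre: Optional[re.Pattern] = None


def parse_rule(line: str) -> Rule:
    """Parse one Snort-style rule line into a Rule (unknown options are ignored)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"bad rule header: {line!r}")
    action, proto, *_addrs, opts = m.groups()
    rule = Rule(action=action, proto=proto)
    for key, neg, raw in OPT_RE.findall(opts):
        val = raw.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "program":
            rule.program = val
        elif key == "content":
            rule.contents.append((val, neg == "!"))
        elif key == "pcre":
            body, _, flags = val.rpartition("/")   # "/regex/flags" -> regex, flags
            rule.pcre = re.compile(body[1:], re.IGNORECASE if "i" in flags else 0)
    return rule


def rule_matches(rule: Rule, program: str, message: str) -> bool:
    """All options must hold: program name, every (possibly negated) content, and pcre."""
    if rule.program and rule.program != program:
        return False
    for text, negated in rule.contents:
        if (text in message) == negated:    # present-but-negated or absent-but-required
            return False
    if rule.pcre and not rule.pcre.search(message):
        return False
    return True


def scan(rules_text: str, log_text: str) -> List[Tuple[int, str, str]]:
    """Return (sid, msg, program) for every rule hit, in log order."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip() and not l.startswith("#")]
    hits = []
    for line in log_text.strip().splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                        # not a syslog line we understand; skip it
        _ts, _host, program, message = m.groups()
        for r in rules:
            if rule_matches(r, program, message):
                hits.append((r.sid, r.msg, program))
    return hits


if __name__ == "__main__":
    for sid, msg, prog in scan(RULES, LOG_LINES):
        print(f"[{sid}] {msg} (program={prog})")
```

Note that `content` matching is case-sensitive, as in Snort without the `nocase` modifier: the second log line contains "invalid user" in lower case, so SID 9000001 does not fire on it and only the `Failed password` rule does. The negated `content:!"USER=root"` suppresses the root sudo line and keeps the non-root one, which is the kind of check that is natural to express in this syntax but has no packet-level equivalent.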