A comparative analysis of the Snort and Suricata intrusion-detection systems
Authors
Albin, Eugene
Advisors
Rowe, Neil C.
Date of Issue
2011-09
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Our research focuses on comparing the performance of two open-source intrusion-detection systems, Snort and Suricata, for detecting malicious activity on computer networks. Snort, the de facto industry standard open-source solution, is a mature product that has been available for over a decade. Suricata, released two years ago, offers a new approach to signature-based intrusion detection and takes advantage of current technology such as process multithreading to improve processing speed. We ran each product on a multi-core computer and evaluated several hours of network traffic on the NPS backbone. We evaluated the speed, memory requirements, and accuracy of the detection engines in a variety of experiments. We conclude that Suricata will be able to handle larger volumes of traffic than Snort with similar accuracy, and thus recommend it for future needs at NPS since the Snort installation is approaching its bandwidth limits.
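The accuracy comparison the abstract describes comes down to running both engines over the same traffic and checking where their alerts agree. The script below is an added example of that check and is not code from the thesis. It assumes both engines are configured to write the "fast" alert line format (Snort stamps MM/DD-HH:MM:SS.usec, Suricata stamps MM/DD/YYYY-HH:MM:SS.usec), IPv4 addresses only, and the sample alert lines are constructed for this example using local-range sids rather than real rule output.

```python
import re
from collections import Counter

# One regex for the "fast" alert line both engines write. The optional year
# group covers Snort (MM/DD-...) and Suricata (MM/DD/YYYY-...) timestamps.
# IPv4 only; the port group is optional so ICMP lines (no ports) still match.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample output (not real captures): the same traffic window as
# seen by each engine, with local-range sids standing in for real rules.
SNORT_FAST = """\
09/01-10:15:02.123456  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.20.3.14:80 -> 172.20.7.9:49152
09/01-10:15:03.000001  [**] [1:1000002:1] LOCAL SIP scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.5:5060 -> 172.20.7.9:5060
09/01-10:15:04.500000  [**] [1:1000004:1] LOCAL ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 172.20.7.9
"""

SURICATA_FAST = """\
09/01/2011-10:15:02.123789  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.20.3.14:80 -> 172.20.7.9:49152
09/01/2011-10:15:04.500112  [**] [1:1000004:1] LOCAL ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 172.20.7.9
09/01/2011-10:15:05.000000  [**] [1:1000003:1] LOCAL DB inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:40000 -> 172.20.7.20:1433
"""


def parse_fast_log(text):
    """Return (alerts, skipped): one dict per parsed alert line, plus the
    number of non-empty lines the regex did not match, so format drift in a
    real log is noticed instead of silently lowering the counts."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m is None:
            skipped += 1
            continue
        alerts.append(m.groupdict())
    return alerts, skipped


def alert_key(a):
    """Identity of an alert for cross-engine matching. Timestamp and rule
    revision are deliberately left out: each engine stamps time on its own
    clock and may carry a different revision of the same sid."""
    return (int(a["gid"]), int(a["sid"]), a["proto"],
            a["src"], a["sport"], a["dst"], a["dport"])


def compare_alerts(snort_text, suricata_text):
    """Multiset comparison of the two engines' alerts on the same traffic."""
    snort = Counter(alert_key(a) for a in parse_fast_log(snort_text)[0])
    suri = Counter(alert_key(a) for a in parse_fast_log(suricata_text)[0])
    common = snort & suri            # per-key minimum: alerts both raised
    snort_total = sum(snort.values())
    suri_total = sum(suri.values())
    n_common = sum(common.values())
    union = snort_total + suri_total - n_common
    return {
        "snort_total": snort_total,
        "suricata_total": suri_total,
        "common": n_common,
        "jaccard": n_common / union if union else 1.0,
        "snort_only": snort - suri,   # raised by Snort, missed by Suricata
        "suricata_only": suri - snort,
    }


def main():
    r = compare_alerts(SNORT_FAST, SURICATA_FAST)
    print(f"snort={r['snort_total']} suricata={r['suricata_total']} "
          f"common={r['common']} jaccard={r['jaccard']:.2f}")
    for label in ("snort_only", "suricata_only"):
        for key, n in sorted(r[label].items()):
            print(f"  {label}: sid {key[1]} {key[2]} {key[3]} -> {key[5]} x{n}")


if __name__ == "__main__":
    main()
```

On the sample input the engines agree on two of four distinct alerts, so the disagreement list is where the analyst's time goes: each "only" entry is either a rule one engine does not load, a parsing difference (stream reassembly, normalization), or a drop under load, and only the pcap and the rule files tell which. Note that the key ignores rule revision, so a sid that fires with different message text on each side still counts as agreement.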
Type
Thesis
Format
xvii, 49 p. : ill.
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.