Robert,

1. The Snort engine has various limitations, unless we have reservations about using it. Instead, we can go with Suricata.

2. Suricata is multithreaded, whereas Snort is single-threaded. Performance is one big issue with Snort.

3. Snort works under a dual-license mode, controlled by its parent company Sourcefire, which releases signatures after two weeks (or so) for community releases, and sometimes the releases and development features of Snort are also controlled by them, with no signatures for new and zero-day detections. In the NIDS space, I heard that Suricata has a lot of support in terms of signature development.

4. Snort purely works on PCRE rule parsers; the protocol state machine as well as inline engine support for Snort is relatively not advanced. It adds a lot of performance drain during its preprocessing cycle. For IPS/IDS, you may want to add threat detection based not only on signatures and rules. You may also be interested in DoS, DDoS and various other traffic-profile and behavioral aspects of IPS. It lacks in these aspects relatively.

5. Added to that, if you want to add multiple IPv6 packet processing, Snort sometimes eats up the heap crazily.

6. Adding a new extension to Snort, e.g. AppID detection, is equally not easy. The engine structure of Suricata is assumably far better for adding new plugins, e.g. app detection at various layers.

7. If you want to do packet processing and detection in a single pass, then Snort would not be an option, nor do I believe it supports it. The state machine in Snort for session-based protocols was not much supported, or may require add-ons to support it by default. Advanced evasions and new app threat detection in Snort, e.g. evading JS exploits in PDF files, relatively require new protocol and app detection. For a traditional IDS you may want to consider Snort; instead I would recommend Suricata.

Thanks!
Santhosh

________________________________________
From: Robert Bruce [precious.king...@gmail.com]
Sent: Monday, November 18, 2013 10:18 AM
To: users@cloudstack.apache.org
Subject: Re: Distributed Intrusion Detection System in Cloud Computing

Hello everyone!

I want to develop a Signature Based Distributed Intrusion Detection System (DIDS) to detect distributed intrusions in a Cloud environment. Yes, I intend to deploy it in CloudStack. I want to modify the correlation module to enhance the detection capability already being provided by Snort. Can you please help me in the selection of a good technique to improve the correlation module?

Thanks and Regards,
Robert
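One concrete shape for the cross-sensor correlation Robert asks about, written as an added example that is not code from this thread or from the Snort or Suricata projects: it reads Suricata EVE-style JSON alert lines collected from several sensors and raises an incident only when the same signature against the same destination is reported by at least two distinct sensors within a time window, so a single sensor's local alert never becomes a "distributed" finding on its own. The sample lines are constructed, and the `host` field carrying the sensor name is an assumption about how the sensors' EVE logging is configured.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in Suricata EVE JSON style. Field names (timestamp,
# event_type, src_ip, dest_ip, alert.signature_id) follow EVE; "host" is assumed
# to carry the reporting sensor's name. None of this is real traffic.
SAMPLE_EVE = """\
{"timestamp":"2013-11-18T10:18:01.000000+0000","event_type":"alert","host":"sensor-a","src_ip":"10.0.1.5","dest_ip":"10.0.9.2","alert":{"signature_id":1000001,"signature":"TEST probe"}}
{"timestamp":"2013-11-18T10:18:12.000000+0000","event_type":"alert","host":"sensor-b","src_ip":"10.0.2.7","dest_ip":"10.0.9.2","alert":{"signature_id":1000001,"signature":"TEST probe"}}
{"timestamp":"2013-11-18T10:18:40.000000+0000","event_type":"alert","host":"sensor-c","src_ip":"10.0.3.9","dest_ip":"10.0.9.2","alert":{"signature_id":1000001,"signature":"TEST probe"}}
{"timestamp":"2013-11-18T10:25:00.000000+0000","event_type":"alert","host":"sensor-a","src_ip":"10.0.1.5","dest_ip":"10.0.9.3","alert":{"signature_id":1000002,"signature":"TEST other"}}
{"timestamp":"2013-11-18T10:18:05.000000+0000","event_type":"flow","host":"sensor-a","src_ip":"10.0.1.5","dest_ip":"10.0.9.2"}
"""

def parse_alerts(text):
    """Keep only event_type == alert; return (ts, sensor, src, dst, sid) sorted by time."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/http/dns records are not alerts; skip them
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        out.append((ts, ev["host"], ev["src_ip"], ev["dest_ip"], ev["alert"]["signature_id"]))
    return sorted(out)

def correlate(text, window_s=60, min_sensors=2):
    """Flag (sid, dest_ip) pairs reported by >= min_sensors distinct sensors within window_s.
    A single sensor's alerts stay local; only cross-sensor agreement becomes an incident."""
    groups = defaultdict(list)
    for ts, sensor, src, dst, sid in parse_alerts(text):
        groups[(sid, dst)].append((ts, sensor, src))
    incidents = []
    for (sid, dst), evs in groups.items():
        start, best = 0, None
        for i, (ts, _, _) in enumerate(evs):
            # slide the window start forward so it spans at most window_s seconds
            while (ts - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:i + 1]
            sensors = {s for _, s, _ in window}
            if len(sensors) >= min_sensors and (best is None or len(sensors) > len(best["sensors"])):
                best = {"sid": sid, "dest_ip": dst, "sensors": sensors,
                        "sources": {src for _, _, src in window},
                        "first": window[0][0], "last": ts}
        if best:
            incidents.append(best)
    return incidents
```

The same grouping key can be swapped for (signature_id, src_ip) to catch one source sweeping many tenants, which is the other common distributed pattern.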