
I am looking for facts and figures of research or surveys done which have bench-marked Snort with other IDS/IPS on various parameters like overall performance, accuracy, speed, documentation, scalability etc.

pnp
  • Hi... are you happy with my answer below? If so, can you accept it? I've answered a bunch of your questions recently and you don't seem to accept or upvote, how come? – Mark Hillick Jun 11 '12 at 09:37
  • @MarkHillick I did accept, didn't I? Like here: http://security.stackexchange.com/a/15122/9778. I was just waiting for some answers with better links... But yes, your answer was helpful. – pnp Jun 12 '12 at 03:05

1 Answer


That's a very general question.

Your concern should not just be in relation to Snort; it all depends on the platform that you install it on (o/s - yes, it does run on Windows; CPU; memory, etc.), what elements (pre-processors for fragmentation or stream reassembly) of Snort you enable (look in the configuration file, typically /etc/snort.conf, for more information), and what rules you enable or add.

If you want to test it, I'd suggest downloading Security Onion (http://securityonion.blogspot.com), a Xubuntu-based Network Security Monitoring distro, as it comes with both Snort and Suricata. It is a fantastic project and so easy to learn with as everything is essentially pre-configured. (Disclaimer: I try to help out with the Security Onion project).

Snort is very scalable and I know it is actively used in networks with over 20gb/s, but remember the platform aspect above.

Additionally, both Snort and Suricata have active mailing lists for their users where such performance issues are actively discussed.

I'm sure vendors like Tipping Point, Sourcefire (commercial aspect of Snort), Enterasys (if they're still around), Cisco etc have comparison whitepapers on their sites but beware their bias.

Regarding the 'rule size' and 'accuracy' aspects, these are becoming a little like the AV industry now, with the "I'm bigger than you" argument.

Here are some links for you:

http://www.aldeid.com/wiki/Suricata-vs-snort

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,7913.msg42307/topicseen,1/

and an old one:

http://www.infosyssec.com/forum/viewtopic.php?t=14

Mark Hillick
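The answer above makes the point that a Snort benchmark number is meaningless without knowing which pre-processors and rule files were enabled in snort.conf. The following script is an added example (not from the question, the answer, or the Snort project) that inventories those directives from a config so they can be recorded alongside any performance figures. It assumes the standard snort.conf directive forms (`var`/`ipvar`/`portvar`, `preprocessor name: options`, `include path`); the sample configuration text embedded below is constructed for the demonstration.

```python
"""Inventory the preprocessors and rule files a snort.conf enables.

Added example for documenting the configuration under test when comparing
Snort against another IDS. The parser expands $VAR references defined by
var/ipvar/portvar lines, lists active preprocessors with their options, lists
included .rules files, and records preprocessor/include lines that are
commented out (so a benchmark report can show what was deliberately disabled).
"""
import re
from dataclasses import dataclass, field

VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(.+)$")
PREPROC_RE = re.compile(r"^preprocessor\s+([\w-]+)(?::\s*(.*))?$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")


@dataclass
class SnortConfigSummary:
    variables: dict = field(default_factory=dict)      # NAME -> expanded value
    preprocessors: dict = field(default_factory=dict)  # name -> option string
    rule_files: list = field(default_factory=list)     # expanded .rules paths
    commented_out: list = field(default_factory=list)  # disabled directives


def expand(value, variables):
    """Replace $NAME tokens with known definitions; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def summarise_snort_conf(text):
    """Parse snort.conf text (a string) into a SnortConfigSummary."""
    summary = SnortConfigSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Keep a record of directives that were switched off by commenting
            body = line.lstrip("#").strip()
            if body.startswith(("preprocessor", "include")):
                summary.commented_out.append(body)
            continue
        m = VAR_RE.match(line)
        if m:
            summary.variables[m.group(1)] = expand(m.group(2).strip(), summary.variables)
            continue
        m = PREPROC_RE.match(line)
        if m:
            summary.preprocessors[m.group(1)] = (m.group(2) or "").strip()
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = expand(m.group(1), summary.variables)
            if path.endswith(".rules"):  # skip classification.config etc.
                summary.rule_files.append(path)
    return summary


def render_report(summary):
    """Return a plain-text block suitable for pasting into a benchmark write-up."""
    lines = ["Enabled preprocessors:"]
    lines += [f"  {name}: {opts}" if opts else f"  {name}"
              for name, opts in sorted(summary.preprocessors.items())]
    lines.append("Rule files:")
    lines += [f"  {p}" for p in summary.rule_files]
    lines.append("Disabled (commented out):")
    lines += [f"  {d}" for d in summary.commented_out]
    return "\n".join(lines)


# Constructed sample snort.conf fragment (not a real deployment's config)
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
ipvar HOME_NET 192.0.2.0/24
var RULE_PATH /etc/snort/rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux detect_anomalies
preprocessor stream5_global: track_tcp yes, track_udp yes
# preprocessor sfportscan: proto { all } memcap { 10000000 }
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/shellcode.rules
include classification.config
"""

if __name__ == "__main__":
    print(render_report(summarise_snort_conf(SAMPLE_CONF)))
```

Run it against a real file with `summarise_snort_conf(open("/etc/snort/snort.conf").read())`; the point is that the frag3/stream5 settings and the rule set list end up in the same report as the throughput and alert-accuracy numbers, which is what makes two benchmark runs comparable.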