Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical components of any defense-in-depth security strategy. Snort and Suricata are the two most widely deployed open-source solutions, each offering powerful capabilities for real-time traffic analysis, protocol detection, and threat identification.
This guide covers the complete setup of both tools on Linux, from installation through advanced rule writing and performance optimization.
## Snort vs. Suricata: Choosing the Right Tool
| Feature | Snort 3 | Suricata |
|---|---|---|
| Threading | Multi-threaded | Multi-threaded (native) |
| Protocol Detection | Deep packet inspection | Application layer detection |
| Rule Compatibility | Snort rules | Snort + Suricata rules |
| Output | Unified2, JSON | EVE JSON (rich) |
| IPS Mode | Inline mode | NFQ/AF_PACKET inline |
## Installing Suricata on Linux

```bash
# Ubuntu: the OISF stable PPA (on Debian, install the distribution's suricata package instead)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata suricata-update

# Verify installation
suricata --build-info | head -20
suricata -V

# Download and update rules (et/open is the default source; list-sources shows the others)
sudo suricata-update
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
sudo suricata-update
```
## Configuring Suricata

```yaml
# /etc/suricata/suricata.yaml - Key configuration sections
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"

# Capture settings
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

# EVE JSON logging (recommended)
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: yes
        - ssh
        - flow

# Detection engine
detect:
  profile: high
  # custom-values are only consulted when profile is set to "custom";
  # with "high" the built-in group sizes apply
  custom-values:
    toclient-groups: 50
    toserver-groups: 50
  inspection-recursion-limit: 3000
```
## Installing Snort 3

```bash
# Install dependencies (cmake, git and the -dev packages for hwloc and luajit are
# needed for the build; recent Snort 3 releases use PCRE2, so install both pcre packages)
sudo apt install build-essential cmake git autoconf automake libtool \
  libpcap-dev libpcre3-dev libpcre2-dev libnet1-dev zlib1g-dev \
  libluajit-5.1-dev libhwloc-dev libdnet-dev libdumbnet-dev \
  bison flex liblzma-dev openssl libssl-dev

# Snort 3 depends on libdaq (the Data Acquisition library), built from source first
git clone https://github.com/snort3/libdaq.git
cd libdaq && ./bootstrap && ./configure && make -j$(nproc) && sudo make install
cd .. && sudo ldconfig

# Download and compile Snort 3
wget https://github.com/snort3/snort3/archive/refs/heads/master.tar.gz
tar xzf master.tar.gz && cd snort3-master
./configure_cmake.sh --prefix=/usr/local
cd build && make -j$(nproc) && sudo make install

# Verify
snort -V
```
## Writing Custom IDS Rules

```
# Suricata/Snort compatible rule format:
# action protocol src_ip src_port -> dst_ip dst_port (options)
# sid values of 1000000 and above are reserved for local rules.

# Detect SSH brute force attempts
# Note: this counts new SSH sessions from one source (5 within 60 s); it cannot
# see authentication failures, which happen inside the encrypted session.
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 \
  (msg:"SSH Brute Force Attempt"; \
  flow:to_server,established; \
  threshold:type both, track by_src, count 5, seconds 60; \
  classtype:attempted-admin; sid:1000001; rev:1;)

# Detect SQL injection in HTTP requests
# Note: matches UNION followed by SELECT anywhere in the request payload; expect
# false positives on legitimate content and narrow with http.uri or http.request_body.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any \
  (msg:"SQL Injection Attempt Detected"; \
  flow:to_server,established; \
  content:"UNION"; nocase; \
  content:"SELECT"; nocase; distance:0; \
  classtype:web-application-attack; sid:1000002; rev:1;)

# Detect cryptocurrency mining traffic ("pool." anywhere in the TLS SNI)
alert tls any any -> any any \
  (msg:"Possible Crypto Mining - TLS SNI"; \
  tls.sni; content:"pool."; \
  classtype:policy-violation; sid:1000003; rev:1;)

# Detect data exfiltration via DNS: a label separator at or past byte 60 of the
# query name (i.e. unusually long names), 100 times per source per minute
alert dns any any -> any any \
  (msg:"Suspicious DNS Query - Possible Data Exfiltration"; \
  dns.query; content:"."; offset:60; \
  threshold:type both, track by_src, count 100, seconds 60; \
  classtype:trojan-activity; sid:1000004; rev:1;)
```
## Running in IPS Mode

```bash
# Validate the configuration and rule files before going inline
sudo suricata -T -c /etc/suricata/suricata.yaml

# Suricata IPS with NFQ (queue 0)
sudo suricata -c /etc/suricata/suricata.yaml -q 0

# Configure iptables to send traffic through Suricata.
# FORWARD covers routed traffic; INPUT/OUTPUT also queue the host's own traffic.
# --queue-bypass lets packets pass when nothing is bound to the queue (fail-open);
# without it the kernel drops them whenever Suricata is not running (fail-closed).
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
sudo iptables -I INPUT -j NFQUEUE --queue-num 0 --queue-bypass
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass

# Start as systemd service (the packaged unit normally runs af-packet IDS mode;
# check its ExecStart or /etc/default/suricata before expecting NFQ from it)
sudo systemctl enable suricata
sudo systemctl start suricata

# Monitor in real-time
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
```
## Alert Management and Monitoring

```bash
#!/bin/bash
# suricata-alert-monitor.sh
# Parse EVE JSON alerts and send notifications
LOG="/var/log/suricata/eve.json"
SEVERITY_THRESHOLD=2   # Suricata severity: 1 is the most severe, so <= 2 keeps high and medium

# --argjson passes the threshold into jq as a number; a single-quoted program avoids
# the shell escaping that a double-quoted filter needs
tail -F "$LOG" | jq --unbuffered -r --argjson thr "$SEVERITY_THRESHOLD" '
  select(.event_type == "alert" and .alert.severity <= $thr)
  | "[\(.timestamp)] SEVERITY \(.alert.severity): \(.alert.signature) | SRC: \(.src_ip):\(.src_port) -> DST: \(.dest_ip):\(.dest_port)"
' | while read -r ALERT; do
  echo "$ALERT"
  echo "$ALERT" | mail -s "IDS Alert: $(hostname)" security@example.com
done
```
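An added example (not part of the original article) that applies the same severity filter in Python and goes one step further: it joins each alert to the http/tls/dns record carrying the same `flow_id`, which is what enabling those EVE types in the configuration above buys you at triage time. The EVE records are constructed sample data reusing this guide's signature names; `parse_eve` and `triage` are names chosen here.

```python
import json
from collections import Counter, defaultdict

# Constructed EVE JSON lines (sample data, not captured traffic). Suricata writes one
# record per line and tags every record with the flow_id of the flow it belongs to.
SAMPLE_EVE = r"""
{"timestamp":"2024-01-01T10:00:00.000001+0000","flow_id":1,"event_type":"alert","src_ip":"203.0.113.5","src_port":51000,"dest_ip":"10.0.0.8","dest_port":80,"proto":"TCP","alert":{"signature":"SQL Injection Attempt Detected","signature_id":1000002,"severity":1}}
{"timestamp":"2024-01-01T10:00:00.000002+0000","flow_id":1,"event_type":"http","src_ip":"203.0.113.5","src_port":51000,"dest_ip":"10.0.0.8","dest_port":80,"proto":"TCP","http":{"hostname":"shop.example.internal","url":"/item?id=1 UNION SELECT 1,2","http_method":"GET"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"203.0.113.5","src_port":51001,"dest_ip":"10.0.0.8","dest_port":80,"proto":"TCP","alert":{"signature":"SQL Injection Attempt Detected","signature_id":1000002,"severity":1}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"198.51.100.9","src_port":40000,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","alert":{"signature":"Possible Crypto Mining - TLS SNI","signature_id":1000003,"severity":3}}
{"timestamp":"2024-01-01T10:00:02.000001+0000","flow_id":3,"event_type":"tls","src_ip":"198.51.100.9","src_port":40000,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","tls":{"sni":"pool.example.test","version":"TLS 1.2"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"flow","src_ip":"10.0.0.8","src_port":53,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}
not json: a half-written line as tail -F may hand over
"""

def parse_eve(text):
    """Yield one record per line, skipping blank or truncated (non-JSON) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def triage(records, severity_threshold=2):
    """Keep alerts with severity <= threshold (1 is most severe) and attach the http/dns/tls
    record sharing its flow_id; context is gathered over the whole input first, so record order is irrelevant."""
    context = defaultdict(dict)
    alerts = []
    for rec in records:
        et = rec.get("event_type")
        if et in ("http", "dns", "tls"):
            context[rec["flow_id"]][et] = rec[et]
        elif et == "alert" and rec["alert"]["severity"] <= severity_threshold:
            alerts.append(rec)
    counts = Counter((a["alert"]["signature"], a["src_ip"]) for a in alerts)
    enriched = [{"signature": a["alert"]["signature"], "src_ip": a["src_ip"],
                 "dest_ip": a["dest_ip"], "context": context.get(a["flow_id"], {})}
                for a in alerts]
    return counts, enriched

if __name__ == "__main__":
    counts, enriched = triage(parse_eve(SAMPLE_EVE))
    for (sig, src), n in counts.most_common():
        print(f"{n:3d}  {sig}  from {src}")
    for e in enriched:
        print(e["signature"], e["src_ip"], "->", e["dest_ip"], e["context"])
```

Running it against the sample shows two SQL injection alerts from one source, the first carrying the offending URL from its http record, while the severity-3 mining alert is dropped at the default threshold.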
## Performance Tuning

Optimize for high-throughput networks:

```yaml
# /etc/suricata/suricata.yaml
# 1. CPU affinity - Pin Suricata to specific cores
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [0]
    - receive-cpu-set:
        cpu: [1, 2]
    - worker-cpu-set:
        cpu: [3, 4, 5, 6]
        mode: "exclusive"

# 2. Memory optimization: memcaps are set per subsystem (flow, stream, reassembly);
#    the detect section has no memcap, and reassembly is usually the largest consumer
stream:
  reassembly:
    memcap: 4gb
```

```bash
# 3. Hardware offloading - disable GRO/LRO so Suricata sees packets as they were on the wire
sudo ethtool -K eth0 gro off lro off
sudo ethtool -G eth0 rx 4096 tx 4096

# 4. Check performance stats (watch capture.kernel_drops alongside the detect counters)
suricatasc -c "dump-counters" | grep -E "detect|capture|decoder"
```