24 Apr Suricata, Snort and Zeek: 3 Open Source Technologies for Securing Modern Networks
The benefits of open source technology are centered on lower costs and the wisdom of a dedicated community. Open source software does not have the licensing fees associated with proprietary software, and there’s an ecosystem of support around a given technology.
The security industry has similar options available in cyber tools to shore up defenses. The Bricata solution uses a combination of open source and proprietary technologies in our sensors, and so we’ve worked to foster relationships and knowledge around these.
We recently published a white paper on three open source technologies used in intrusion detection and prevention systems (IDS/IPS): Zeek [formerly known as Bro] vs. Snort or Suricata. While we’d invite you to read the entire paper, we have summarized some of the key concepts about each technology, along with additional resources below.
1) Snort Intrusion Detection and Prevention
Snort is an open source intrusion detection system (IDS) and intrusion protection system (IPS) originally developed in 1998. Snort made it incredibly simple to use new threat intelligence to write Snort rules that would detect emerging threats.
The Snort website notes, “Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Developing a rule requires an acute understanding of how the vulnerability actually works.”
To put it another way, Snort rules provide a simple definition that helps specify unique characteristics of network traffic, trigger an alert when those conditions are met, and drop or block the communication as the user settings desire.
The advantage of Snort is that the technology enjoys a fairly broad adoption rate which lends itself to fast remedies for emerging threats. For example, a Snort Rule was available to monitor for the vulnerability at the center of the Equifax breach about a day after it was announced.
The disadvantage of Snort stems from its age. Snort is 20-years-old and was designed to run on older infrastructure. Though rules are relatively easy to write, it’s become challenging to adapt these for increasingly complex threats and the demands of high-speed networks.
Specifically, the complications have emerged around IPv6 and multi-threading, which has improved processing speeds.
It’s worth pointing out that in many ways Snort was commercialized largely by Sourcefire, another Columbia-based startup that was acquired by Cisco in 2013. The former CEO of Sourcefire, John Becker, is a member of the Bricata Board of Directors today.
Additional Snort resources:
- Snort FAQs | Snort Blog | Snort Webcasts | Twitter: @Snort
- SANS Institute: Using Snort for a Distributed Intrusion Detection System
- Hacktress: What is Snort?
See these related posts:
Here is How Open Source DIY Fatigue Saps Cybersecurity Resources
Three Triggers Telling You It’s Time to Reconsider Your Network Security Strategy
13 Big Cybersecurity Ideas for the CISO by CISOs
2) Suricata Intrusion Detection and Prevention
Suricata was introduced in 2009 in an attempt to meet the demands of modern infrastructure. Like Snort, Suricata is rules-based and while it offers compatibility with Snort Rules, it also introduced multi-threading, which provides the theoretical ability to process more rules across faster networks, with larger traffic volumes, on the same hardware.
“Because it is multi-threaded, one instance will balance the load of processing across every processor on a sensor Suricata is configured to use, allowing commodity hardware to achieve 10-gigabit speeds without sacrificing ruleset coverage,” according to eSecurityPlanet.
Suricata also incorporated the Lua scripting language which provided greater flexibility to create rules that identify conditions that would be difficult or impossible with a legacy Snort Rule. In simple terms, this enables users to adapt Suricata to the complex threats that commonly face the enterprise.
The downside to Suricata it is a little more involved to install and the community is smaller than what Snort has amassed, but that may be changing. Suricata is developed by the Open Information Security Foundation (OISF).
Additional Suricata resources:
- Suricata News | Twitter: @Suricata_IDS
- Bricata blog: What is Suricata? Intro to a Best of Breed Open Source IDS and IPS
- SANS Institute: Open Source IDS High-Performance Shootout
- Reddit: Is Suricata actually useful?
3) Zeek Network Security Monitor
Zeek (formerly known as Bro) is an intrusion detection system that works differently from other systems because of its focus on network analysis. While rules-based engines are designed to detect an exception, Zeek looks for specific threats and trigger alerts.
While Zeek IDS can certainly be used as a traditional IDS, users more frequently use Zeek to record detailed network behavior. For example, it can be used to keep long-term records of all HTTP requests and results – or tables correlating MAC and IP addresses.
Zeek stores the network metadata it records more efficiently than packet captures, which means it can be searched, indexed, queried, and reported in ways previously unavailable. This makes Bro especially well-suited for network anomaly detection and threat hunting.
If the flexibility is an advantage, a disadvantage is that Bro, with its deep-packet inspection, is resources intensive. It’s worth noting that threat intelligence is more readily available through Snort or Suricata. To that end, Bro is fairly complicated to use, though the community is actively working to make this easier.
Bro gets it namesake from “big brother” and has been in development since 1995, but the project received greater support and attention following a grant from the National Science Foundation in 2010. For some time, Bro was considered a best-kept secret in cybersecurity, but the tool is gaining traction due to its unique flexibility and capabilities.
Additional Zeek resources:
- Zeek FAQs | Zeek YouTube Channel | Zeek Community| Twitter: @Zeekurity
- SANS Institute: Web Application Attack Analysis Using Bro IDS
- Bricata blog: What is Zeek [formerly known as Bro]? And Why IDS Doesn’t Effectively Describe It [Overview and Resources]
- Bricata blog: Network Visibility: Can You Analyze Encrypted Traffic for Cybersecurity Threats?
* * *
The real power in these open source tools isn’t about any one tool being better, but rather the advantages of each and be melded to work better together. That’s what Bricata has been focused on – examining threats from multiple perspectives to block or prevent known threats, identify anomalies that could be threats and hunt down those threats that are hiding.
>>> Note: The full paper – Zeek vs. Snort or Suricata – is a quick read.
If you enjoyed this post, you might also like:
7 Key Cybersecurity Factors Shaping Threat Hunting Technologies