Each of these solutions has its own unique strength. A rules-based solution is great for known threats, and having a solution that is compatible with Snort Rules – one of the largest categories of public and private repositories of threat intelligence – is certainly beneficial. Suricata allows for high-performance traffic inspection, which means you are able to process more rules against larger volumes of traffic. Ultimately, you can't detect what you don't see, so performance provides a measurable benefit.
In this paper, we discuss these differences at a high level: the strengths and weaknesses of each solution, and when and how to use each from a best-practice standpoint.