Performance analysis of two open source intrusion detection systems

Several studies have been conducted where authors compared the performance of open source Intrusion detection systems, namely Snort and Suricata. However, most studies were limited to either security indicators or performance measurements under the same operating system. The objective of this study is to give a comprehensive analysis of both products in terms of several security related and performance related indicators. In addition, we tested the products under two different operating systems. Several experiments were run to evaluate the effects of open source intrusion detection and prevention systems Snort and Suricata, operating systems Windows, Linux and various attack types on system resource usage, dropped packets rate and ability to detect intrusions. The results show that Suricata has a higher CPU and RAM utilization than Snort in all cases on both operating systems, but lower percentage of dropped packets when evaluated during five of six simulated attacks. Both products had the same number of correctly identified intrusions. The results show that Linux-based solutions consume more system resources, but Windows-based systems had a higher rate of dropped packets. This indicates that these two intrusion detection and prevention systems should be run on Linux. However, both systems are inappropriate for high volumes of traffic in single-server setting.