Intrusion Detection Suricata or SNORT?

I’m interested in getting an IDS and particularly an IPS set up on my network. Part of the reason I wanted such a high-performance router. Now, I know that upstream OpenWRT leans in the direction of snort, I can find some docs and blog posts about the combination, but I also know that the turris folks use suricata to capture data for PaKon so that may have decent support on TOS. It also seems that (other than beta SNORT++ on TOS 5) the packages for both are a little out of date, I’m not sure how big of an issue that might be.

The main thing I’m asking is, "What IDS would you choose on the Omnia and why?"

Also, if you have any good resources for learning about either of these bookmarked I’d really appreciate it if you shared them.


Be wary of your expectations in this regard

Similar [OpenWrt Wiki] Snort

SNORT takes an absurd amount of memory and processing power with rules, BEWARE.

Snort packaging is maintained upstream and not high on their agenda Layer 7 Firewall on Openwrt - #2 by juppin - Installing and Using OpenWrt - OpenWrt Forum


Absurd might be in the Omnia’s territory by embedded networking device standards. And I don’t really need super duper high speeds right now, WAN is limited to ~60Mbps for me and internally I don’t really use gigabit. As long as latency isn’t walloped it should be OK.

Regardless, I think there is a way to do the collection on the Omnia and offload much of the processing to some other device. A router is made to route data to places after all. That would be fine, if maybe not ideal.

There is something potentially quite interesting here:

And they have it running on this substantially less capable tp-link router. They are looking at integrating with netfilter which would lead to even better resource usage.

Jesus. It looks very interesting! Thanks for sharing.