Blog | G5 Cyber Security

IDS/IPS Benchmarking: Snort & Alternatives

TL;DR

This guide shows you how to compare the performance of different Intrusion Detection and Prevention Systems (IDS/IPS) like Snort, Suricata, and Zeek. We’ll cover setting up a test environment, generating traffic, running tests, and analysing results to find the best solution for your network.

Setting Up Your Test Environment

  1. Virtual Machines: Use virtual machines (VMs) like VirtualBox or VMware. This isolates testing from your production network. Allocate sufficient resources (CPU, RAM, disk space) to each VM based on the IDS/IPS requirements.
  2. Operating System: Install a common Linux distribution (e.g., Ubuntu Server, CentOS) on each VM – one VM hosts the IDS/IPS and the other acts as the traffic generator.
  3. Network Configuration: Configure a bridged network adapter in your VMs so they can communicate directly with each other and simulate real-world traffic flow. Ensure proper IP addressing and routing. Note that a bridged adapter also puts the VMs on the physical LAN; if the replayed attack traffic must stay off the production network, a host-only or internal network between the two VMs keeps it isolated.

Choosing Your IDS/IPS

We’ll focus on Snort, Suricata, and Zeek as examples. Install them on the dedicated VM.

Generating Test Traffic

  1. Traffic Tools: Use tools like tcpreplay, hping3, or scapy to generate realistic network traffic. tcpreplay is good for replaying captured PCAP files.
  2. PCAP Files: Download publicly available PCAP files containing various attack scenarios (e.g., malware downloads, port scans, DDoS attacks) from resources like PacketTotal or Malware Traffic Analysis.
  3. Traffic Profiles: Create different traffic profiles – low volume, medium volume, high volume – to simulate varying network loads.

Running the Benchmarks

  1. Snort Configuration: Configure Snort with a basic rule set (e.g., Emerging Threats Open). Edit /etc/snort/snort.conf to specify your home network and interface.
  2. Suricata Configuration: Suricata uses configuration files similar to Snort's. Adjust the suricata.yaml file (interface, HOME_NET and rule paths) accordingly.
  3. Zeek Configuration: Zeek is script-driven and requires more extensive configuration: its scripts define which protocols are analysed and what is logged.
  4. Start IDS/IPS: Start each IDS/IPS in a separate terminal window.
    • Snort:
      sudo snort -c /etc/snort/snort.conf -i eth0

      (replace eth0 with your interface)

    • Suricata:
      sudo suricata -c /etc/suricata/suricata.yaml -i eth0

      (replace eth0 with your interface)

    • Zeek:
      sudo zeek -i eth0 -C local

      (replace eth0 with your interface; -C tells Zeek to ignore bad checksums, which replayed PCAPs often contain, and "local" loads the default local.zeek policy)
  5. Replay Traffic: Use tcpreplay to replay the PCAP files against the network interface.
    sudo tcpreplay -i eth0 your_pcap_file.pcap

    (replace eth0 and your_pcap_file.pcap)

  6. Monitor Performance: Use tools like top, htop, or vmstat to monitor CPU usage, memory consumption, and disk I/O of each IDS/IPS during the traffic replay.

Analysing Results

  1. Alert Volume: Compare the number of alerts generated by each IDS/IPS for the same PCAP file. Too many false positives can be as problematic as missed attacks.
  2. CPU Usage: Measure the average CPU usage during traffic replay. Lower CPU usage for the same traffic indicates more efficient processing.
  3. Memory Consumption: Track memory consumption to ensure the IDS/IPS doesn’t exhaust system resources.
  4. Latency: If possible, measure network latency introduced by each IDS/IPS. High latency can impact application performance.
  5. Rule Coverage: Evaluate the rule sets available for each IDS/IPS and their coverage of known attack signatures.
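
The monitoring and analysis steps above leave you with three kinds of raw material: Snort's alert_fast lines, Suricata's eve.json records, and resource samples from top or vmstat. The script below is an added example (not tooling from this post or from the Snort, Suricata or Zeek projects) that turns those into the comparison numbers described here, and it also builds the tcpreplay command line for the low/medium/high traffic profiles from the earlier section. All sample data is constructed: the signature ids and names are made-up local rules (sid 1000001+), the top lines are assumed to come from top -b -n1 -p <pid> with RES in KiB, and the --mbps/--topspeed flags are real tcpreplay options.

```python
#!/usr/bin/env python3
"""Added benchmark-analysis helper (not from the blog post).

Assumptions, all constructed for the example:
 - Snort writes alert_fast lines, Suricata writes eve.json, and
   `top -b -n1 -p <pid>` samples were captured while tcpreplay ran.
 - Signature ids/names below are made-up local rules (sid 1000001+).
"""
import json
import re
import statistics
from collections import Counter

# Matches "[**] [gid:sid:rev] message [**]" in Snort alert_fast output.
FAST_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")

# Constructed Snort alert_fast output for one replayed PCAP.
SNORT_FAST = """\
05/12-14:03:11.123456  [**] [1:1000001:1] LOCAL TEST id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234
05/12-14:03:12.000001  [**] [1:1000002:1] LOCAL TEST inbound to port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:44321 -> 192.168.1.20:1433
05/12-14:03:12.000002  [**] [1:1000002:1] LOCAL TEST inbound to port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:44322 -> 192.168.1.21:1433
"""

# Constructed Suricata eve.json for the same PCAP (one non-alert record mixed in).
SURICATA_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
     "alert": {"signature_id": 1000001, "signature": "LOCAL TEST id check returned root"}},
    {"event_type": "flow", "src_ip": "203.0.113.9", "dest_ip": "192.168.1.20"},
    {"event_type": "alert", "src_ip": "203.0.113.9", "dest_ip": "192.168.1.20",
     "alert": {"signature_id": 1000002, "signature": "LOCAL TEST inbound to port 1433"}},
])

# Constructed `top -b -n1 -p <pid>` process lines, one sample per second.
TOP_SAMPLES = """\
 4242 snort     20   0 1834520 512000  24000 R  87.5  3.1   0:12.34 snort
 4242 snort     20   0 1834520 530000  24000 R  92.0  3.2   0:13.26 snort
 4242 snort     20   0 1834520 530000  24000 S  80.5  3.2   0:14.07 snort
"""

# Traffic profiles: rate-limit the replay (hypothetical values) or run flat out.
PROFILES = {"low": ["--mbps=10"], "medium": ["--mbps=100"], "high": ["--topspeed"]}


def parse_snort_fast(text):
    """Count alerts per signature message from Snort alert_fast lines."""
    return Counter(m.group(4) for m in FAST_RE.finditer(text))


def parse_suricata_eve(text):
    """Count alerts per signature from eve.json; flow/dns/etc. records are skipped."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            counts[rec["alert"]["signature"]] += 1
    return counts


def parse_top_batch(text, command):
    """Extract (%CPU, RES in MiB) for `command` from top batch lines (RES assumed in KiB)."""
    samples = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[11] == command:
            samples.append((float(f[8]), int(f[5]) / 1024))
    return samples


def resource_summary(samples):
    """Mean/max CPU and peak resident memory over the sampling window."""
    cpu = [c for c, _ in samples]
    rss = [r for _, r in samples]
    return {"cpu_mean": round(statistics.fmean(cpu), 1), "cpu_max": max(cpu),
            "rss_peak_mib": round(max(rss), 1)}


def tcpreplay_cmd(iface, pcap, profile):
    """argv for replaying one PCAP under a named traffic profile."""
    return ["sudo", "tcpreplay", "-i", iface, *PROFILES[profile], pcap]


def compare(alerts_by_engine, usage_by_engine):
    """One row per engine: alert volume, distinct signatures, CPU and memory figures."""
    rows = []
    for name, alerts in alerts_by_engine.items():
        row = {"engine": name, "alerts": sum(alerts.values()), "signatures": len(alerts)}
        if name in usage_by_engine:
            row.update(resource_summary(usage_by_engine[name]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    snort = parse_snort_fast(SNORT_FAST)
    suri = parse_suricata_eve(SURICATA_EVE)
    usage = {"snort": parse_top_batch(TOP_SAMPLES, "snort")}
    for row in compare({"snort": snort, "suricata": suri}, usage):
        print(row)
    # Signatures only one engine fired on point at rule-coverage gaps or false positives.
    print("only snort:", set(snort) - set(suri))
    print("only suricata:", set(suri) - set(snort))
    print(" ".join(tcpreplay_cmd("eth0", "your_pcap_file.pcap", "medium")))
```

Comparing the per-signature sets, not just the totals, is what separates a rule-coverage gap from a noisy rule: an alert present in one engine's output but absent from the other's is either a missed detection or a false positive, and the PCAP tells you which. Run the same PCAP under each profile so the CPU and memory figures are comparable across engines at equal load.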

Reporting

Document your findings in a report, including:
