For many years, Snort has been the de facto open-source IDS/IPS solution, with its architects focused on improving the performance of a single-threaded model. However, the demand for high-throughput IDS has grown as average network throughput has increased from 1 Gbps to 10 Gbps, with 40 Gbps slated to become mainstream in the near future. In response, several other open-source projects have adopted a multi-threading approach to scaling IDS performance to meet the increasing demand for multi-gigabit analysis. As a result, Bro and Suricata are now viable candidates to replace Snort: they are attempting to fill the multi-threading gap left by Snort while leveraging existing Snort rule sets and third-party tools. Suricata and Bro have also introduced features that Snort did not originally explore, such as GeoIP lookups. Suricata is attempting to introduce GPU acceleration and IP reputation features to increase its throughput and compete with commercial IDS/IPS solutions that already offer IP reputation functionality. To remain competitive, Snort has added a multi-instance feature in its 2.9 release to address its single-thread limitation and has indicated that version 3.0 will be multi-threaded by default. For a long time, Snort was the only player in the open-source IDS/IPS market; now the industry is reaping the benefits of changing demands and increased competition through the introduction of new features and their integration with existing, proven ones.