Suricata vs Snort: Network Intrusion Detection That Actually Works

By SumGuy 6 min read
A packet-filtering firewall has one job: block traffic on ports you didn't tell it to open. It's a bouncer at the door, checking IDs. What it can't see is the guest with a plausible fake ID: traffic on a port you did open, carrying an attack. That's where intrusion detection comes in.

An IDS (Intrusion Detection System) watches what actually flows through your network and flags patterns that look sketchy—malware signatures, SQL injection attempts, port scans, protocol anomalies, that kind of thing. It’s a security camera pointed at your packets. An IPS (Intrusion Prevention System) goes further and blocks the bad stuff in real-time, acting as a bouncer with actual muscle.

Snort started this game back in 1998. It's the grandfather of network intrusion detection, and it still works. But Snort 2.x is single-threaded: one core, checking packets in order, and that core becomes the bottleneck on a busy link (Snort 3 added multi-threading, but more on that below). Suricata arrived in 2010 with multi-threading baked in from day one. It's the modern engine: faster on multi-core hardware, with structured logging and more protocol parsers. Both read the same rule syntax, but Suricata is what you want for your home lab in 2026.

Snort: The Pioneer

Snort does three things:

  1. Sniffer mode — Just captures packets (basically tcpdump)
  2. Packet logger mode — Captures and logs packets matching rules
  3. Network IDS/IPS mode — Real-time detection and (in inline mode) blocking

Snort rules are readable and human-maintainable. Here's a hand-written example that flags a burst of SYN packets, the classic port-scan indicator:

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Potential port scan"; flags:S,12; \
threshold:type both,track by_dst,count 15,seconds 60; \
classtype:attempted-recon; sid:1000001; rev:1;)

Reading it: flags:S,12 matches packets with only SYN set, ignoring the two reserved/ECN bits; threshold:type both,track by_dst,count 15,seconds 60 makes the rule fire once per 60-second window for any destination host that received 15 or more such SYNs in that window. Two caveats before you rely on it. Tracking is per destination, so 15 inbound SYNs in a minute to a single web server is ordinary traffic, not a scan, and this rule will fire on it; a real scan detector tracks by source and counts distinct destination ports (Snort has the sfPortscan preprocessor for that). And Snort's manual deprecates the in-rule threshold keyword in favour of detection_filter, although Suricata still accepts it. Snort 2.x also runs on a single thread, so under heavy load it drops packets and misses signatures. That's not a deal-breaker for home use, but it's a ceiling.

Snort pulls rules from:

The catch: Snort 3 has been the general-availability release since January 2021, and Snort 2.9.x is end-of-life. Snort 3 moved its configuration to Lua and changed the rule syntax enough that 2.x rules have to be converted with snort2lua, which split the ecosystem: much of the tutorial material and many of the rule sets you'll find online still target 2.x.

Suricata: The Multi-Threaded Upgrade

Suricata speaks the same rule language as Snort 2.x (a superset, with its own extensions) but runs on all your CPU cores and logs differently. Alongside the classic one-line-per-alert fast.log it writes Eve JSON: structured, queryable, syslog-ready. You can pipe Eve JSON straight into Elasticsearch, Loki, Splunk, or a SIEM.

Same rule from above, written for Suricata:

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Potential port scan"; flags:S,12; \
threshold:type both,track by_dst,count 15,seconds 60; \
classtype:attempted-recon; sid:1000001; rev:1;)

Identical. But Suricata also has:

And here's the kicker: the engine is actively maintained by the Open Information Security Foundation (OISF), and the Emerging Threats Open ruleset it is usually paired with is updated daily.

Installation: Suricata on Ubuntu 22.04

Terminal window
sudo apt update && sudo apt install -y suricata suricata-update jq
sudo systemctl start suricata
sudo systemctl status suricata

(jq is in there because the Eve JSON section below uses it.) Two settings before the install is useful. The capture interface is set in the af-packet: section of /etc/suricata/suricata.yaml and defaults to eth0, which is probably not what your NIC is called; if suricata.log complains that it can't open eth0, that's why. HOME_NET lives under vars: address-groups: in the same file and defaults to all of RFC 1918; set it to your actual LAN range, because every $EXTERNAL_NET -> $HOME_NET rule keys off it. Run sudo suricata -T -c /etc/suricata/suricata.yaml to validate the file, then restart the service.

Check the engine log for startup errors and the rule-load count (fast.log next to it gets one line per alert):

Terminal window
tail -f /var/log/suricata/suricata.log

Rule management with suricata-update:

Terminal window
sudo suricata-update list-sources

This shows available rule sources. Add ET Open (Emerging Threats):

Terminal window
sudo suricata-update enable-source et/open
sudo suricata-update
sudo systemctl restart suricata

Check what rules loaded. suricata-update writes the merged file to /var/lib/suricata/rules/suricata.rules by default; make sure default-rule-path in suricata.yaml points at the same directory, or Suricata will load a different (possibly empty) file:

Terminal window
sudo suricata-update list-enabled-sources
sudo grep -c "^alert\|^drop" /var/lib/suricata/rules/suricata.rules

You'll see tens of thousands of rules now. Disabled rules stay in the file commented out with a leading #, which is why the grep anchors on the action keyword. Once Suricata is up, sudo suricatasc -c ruleset-reload-rules swaps in a new ruleset without restarting the capture.

Reading a Real Rule

Here’s a Suricata rule that detects a basic SQL injection attempt:

alert http $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible SQL injection attempt"; \
flow:to_server,established; \
content:"GET"; http_method; \
content:"union"; http_uri; \
content:"select"; http_uri; \
classtype:web-application-attack; \
sid:1000100; rev:2; metadata: policy balanced-ips drop, policy security-ips drop;)

Breaking it down:

  1. alert http $EXTERNAL_NET any -> $HOME_NET any: action, protocol and header. Alert on HTTP (as identified by Suricata's app-layer parser, whatever the port) from outside to inside, any ports
  2. msg: the text that lands in the alert's signature field
  3. flow:to_server,established: only client-to-server traffic on an established TCP session
  4. content:"GET"; http_method: the request-method buffer must contain GET
  5. content:"union"; http_uri; content:"select"; http_uri: both strings must appear in the normalized (percent-decoded) URI. content is case-sensitive unless you add nocase;, so as written this misses UNION SELECT; put nocase; after each http_uri before relying on it
  6. classtype:web-application-attack: sets the alert's category and priority from classification.config
  7. sid / rev: rule ID (1000000 and up is reserved for local rules) and revision; bump rev whenever you edit the rule
  8. metadata: free-form tags. Suricata logs them with the alert but doesn't act on them; the policy ... drop entries here are a Talos/Snort convention, not a drop instruction

In IDS mode (default), Suricata logs this. In IPS mode (inline), it blocks only if the rule's action is drop or reject; an alert rule stays an alert even inline.
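The breakdown above, and the alert-versus-drop point, in code: an added example for this post (not Suricata code) that parses rules into their header fields and ordered options, models how the http_uri content matches behave with and without nocase, and promotes chosen SIDs from alert to drop the way suricata-update does from a drop.conf. The match model is a deliberate simplification of Suricata's URI normalisation (percent-decoding only), and the sid 1000101 on the nocase variant is an assumed local number.

```python
"""Parse Suricata/Snort-style rules, model http_uri content matching, and
promote sids from alert to drop.

Added example for this post, not Suricata code. uri_matches() is a simplified
model (percent-decoding only) of how the normalized URI buffer is matched; the
nocase rule's sid 1000101 is an assumed local number.
"""
import re
from urllib.parse import unquote

# The two rules from the post, verbatim (backslash continuations included).
PORTSCAN_RULE = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Potential port scan"; flags:S,12; \
threshold:type both,track by_dst,count 15,seconds 60; \
classtype:attempted-recon; sid:1000001; rev:1;)'''

SQLI_RULE = r'''alert http $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible SQL injection attempt"; \
flow:to_server,established; \
content:"GET"; http_method; \
content:"union"; http_uri; \
content:"select"; http_uri; \
classtype:web-application-attack; \
sid:1000100; rev:2; metadata: policy balanced-ips drop, policy security-ips drop;)'''

# Same detection with nocase on the URI matches; sid is an assumed local one.
SQLI_NOCASE_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any '
                    '(msg:"Possible SQL injection attempt (nocase)"; flow:to_server,established; '
                    'content:"GET"; http_method; content:"union"; http_uri; nocase; '
                    'content:"select"; http_uri; nocase; classtype:web-application-attack; '
                    'sid:1000101; rev:1;)')

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(body):
    """Split 'k:v; k; ...' on semicolons that are not inside double quotes."""
    out, buf, quoted = [], [], False
    for ch in body:
        if ch == '"' and not (buf and buf[-1] == "\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf).strip())
    return [o for o in out if o]


def option(rule, key):
    """First value for a keyword, or None (content may appear several times)."""
    return next((v for k, v in rule["options"] if k == key), None)


def parse_rule(text):
    """Return header fields plus an ordered list of (keyword, value) options."""
    joined = " ".join(l.strip().rstrip("\\") for l in text.strip().splitlines())
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("not a rule: " + joined[:40])
    options = []
    for item in split_options(m.group("opts")):
        key, _, val = item.partition(":")
        options.append((key.strip(), val.strip()))
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = options
    rule["sid"] = int(option(rule, "sid"))
    return rule


def uri_contents(rule):
    """(pattern, nocase) for each content whose modifier is http_uri.
    In the legacy syntax, modifiers attach to the content just before them."""
    matches, cur = [], None
    for key, val in rule["options"]:
        if key == "content":
            cur = {"pattern": val.strip('"'), "buffer": None, "nocase": False}
            matches.append(cur)
        elif cur is not None and key in ("http_uri", "http_method", "http_header"):
            cur["buffer"] = key
        elif cur is not None and key == "nocase":
            cur["nocase"] = True
    return [(c["pattern"], c["nocase"]) for c in matches if c["buffer"] == "http_uri"]


def uri_matches(rule, raw_uri):
    """Model: percent-decode the URI, then every http_uri content must be a
    substring, case-sensitively unless that content carries nocase."""
    uri = unquote(raw_uri)
    for pattern, nocase in uri_contents(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


def promote_to_drop(rules, drop_sids):
    """Rewrite alert -> drop for the given sids; other rules and commented-out
    (disabled) rules pass through untouched, like suricata-update's drop.conf."""
    out = []
    for text in rules:
        stripped = text.strip()
        if not stripped or stripped.startswith("#"):
            out.append(text)
            continue
        rule = parse_rule(stripped)
        if rule["action"] == "alert" and rule["sid"] in drop_sids:
            stripped = "drop" + stripped[len("alert"):]
        out.append(stripped)
    return out
```

Run uri_matches() on "/items?id=1%20UNION%20SELECT%201,2" against the post's rule and it fails, because the decoded URI is upper-case and content is case-sensitive; against the nocase variant it matches. Run it on "/items?id=1%20%75nion%20%73elect" and even the original rule matches, because http_uri is the decoded buffer: encoding letters buys an attacker nothing, but changing case does.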

Eve JSON: Your Eyes on Network Traffic

Suricata writes one JSON object per line to /var/log/suricata/eve.json: alerts, plus flow, dns, http, tls and other protocol records, each tagged with an event_type. Watch which types are flowing past:

Terminal window
tail -f /var/log/suricata/eve.json | jq '.event_type'

Filter for alerts only:

Terminal window
cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

Parse the alert details:

Terminal window
cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert") | {src_ip: .src_ip, dest_ip: .dest_ip, msg: .alert.signature, action: .alert.action}'

Output (pretty-printed by jq; on disk each record is one line):

{
  "src_ip": "203.0.113.45",
  "dest_ip": "192.168.1.50",
  "msg": "Potential port scan",
  "action": "allowed"
}

Note that alert.action is "allowed" or "blocked", not the rule's action keyword: in IDS mode everything is allowed, and you only see blocked when an inline drop rule actually fired.

This is pluggable. Pipe Eve JSON to Filebeat → Elasticsearch → Kibana, or use Promtail → Loki → Grafana. You now have queryable, real-time visibility into intrusions.
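The jq one-liners above, as code you can grow into a real consumer. This is an added example for this post, not Suricata code: it reads Eve JSON line by line, skips the partially written line you get when tailing a file Suricata is still appending to, keeps only alerts, reproduces the {src_ip, dest_ip, msg, action} view, and counts source addresses per signature. SAMPLE_EVE is constructed to look like Suricata 6/7 output (the field names are the real ones); the last line is deliberately truncated.

```python
"""Consume Suricata Eve JSON: filter alerts, summarise, count sources.

Added example for this post, not Suricata code. SAMPLE_EVE is constructed
(real field names, made-up traffic); its final line is cut off on purpose to
stand in for a record Suricata has not finished writing.
"""
import json
from collections import Counter, defaultdict

SAMPLE_EVE = """\
{"timestamp":"2026-01-10T09:12:01.123456+0000","flow_id":1,"in_iface":"eth0","event_type":"alert","src_ip":"203.0.113.45","src_port":51324,"dest_ip":"192.168.1.50","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Potential port scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-01-10T09:12:02.000000+0000","flow_id":2,"in_iface":"eth0","event_type":"flow","src_ip":"192.168.1.20","src_port":41234,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP"}
{"timestamp":"2026-01-10T09:12:03.000000+0000","flow_id":3,"in_iface":"eth0","event_type":"alert","src_ip":"203.0.113.45","src_port":51400,"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000100,"rev":2,"signature":"Possible SQL injection attempt","category":"Web Application Attack","severity":1}}
{"timestamp":"2026-01-10T09:12:04.000000+0000","flow_id":4,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.1.20","src_port":53211,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4321,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2026-01-10T09:12:05.000000+0000","flow_id":5,"in_iface":"eth0","event_type":"alert","src_ip":"198.51.100.9","src_port":
"""


def iter_events(lines):
    """Yield parsed records, skipping blank and partially written lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue   # truncated tail; it will be whole on the next read


def count_by_type(lines):
    """What the 'jq .event_type' pipe shows, aggregated."""
    return Counter(e.get("event_type") for e in iter_events(lines))


def alerts(lines):
    return [e for e in iter_events(lines) if e.get("event_type") == "alert"]


def alert_summary(lines):
    """Same fields as the jq filter in the post."""
    return [{"src_ip": e["src_ip"], "dest_ip": e["dest_ip"],
             "msg": e["alert"]["signature"], "action": e["alert"]["action"]}
            for e in alerts(lines)]


def blocked(lines):
    """Alerts where an inline drop rule fired (alert.action == blocked)."""
    return [e for e in alerts(lines) if e["alert"]["action"] == "blocked"]


def top_sources_by_signature(lines):
    """signature -> [(src_ip, hits), ...] most frequent first."""
    per_sig = defaultdict(Counter)
    for e in alerts(lines):
        per_sig[e["alert"]["signature"]][e["src_ip"]] += 1
    return {sig: c.most_common() for sig, c in per_sig.items()}


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    print(count_by_type(lines))
    for row in alert_summary(lines):
        print(row)
    print(top_sources_by_signature(lines))
```

For a live file, feed the functions the output of a tail loop or a Filebeat-style reader rather than splitlines(); the truncated-line handling is what keeps that loop from crashing at exactly the moment an alert is being written.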

IDS vs IPS: The Trade-Off

IDS mode (default):

  1. Passive: Suricata reads a copy of the traffic (a SPAN port, a tap, or the host's own interface) and can only alert
  2. No risk to availability: a bad rule costs you a noisy log, not an outage
  3. You still have to act on the alerts yourself

IPS mode (inline):

  1. Suricata sits in the path (af-packet with copy-mode: ips between two interfaces, or NFQUEUE fed by your firewall) and drops packets that match drop or reject rules; alert rules still only log
  2. A false positive now blocks legitimate traffic, and if Suricata stops, an NFQUEUE rule without --queue-bypass drops everything with it
  3. Every packet waits for a verdict, so an overloaded engine adds latency instead of just missing signatures

For a home lab? Start IDS. Let it run for a month. Understand what's normal. Then, carefully enable IPS on a few high-confidence rules: list their sids, one per line, in /etc/suricata/drop.conf and suricata-update will rewrite them from alert to drop on its next run.

Home Lab Setup

Deploy Suricata on your gateway or directly on a Docker host (mirrored traffic gives you IDS only; for IPS the box has to sit in the path). A typical setup:

  1. Tap or mirror traffic — Use a managed switch’s SPAN port or Linux bridge to mirror WAN to a monitoring interface
  2. Run Suricata — Let it sniff and alert
  3. Export Eve JSON — Pipe to Filebeat or Promtail
  4. Visualize — Kibana or Grafana dashboards showing top attackers, signature hits, protocol anomalies

Don’t overthink it. Even basic IDS on your home network will catch port scans, brute-force attempts, and malware callbacks that your firewall missed.

Which One?

Snort: If you’re learning, have an old box, or need single-threaded simplicity. It works.

Suricata: If you want modern tooling, better performance, structured logging, and active maintainers. Use this.

Both speak the same rule language. Both will protect you. But Suricata is the one that scales beyond your home lab and is far less likely to drop packets under load.

Pick Suricata. Spend an afternoon tuning rules. Sleep better knowing your network is actually watching itself.
