Comparative Analysis of the Performance of Network Intrusion Detection Systems: Snort, Suricata and Bro Intrusion Detection Systems in Perspective
Contact: +233 (0) 249565970 | gkbada@uew.edu.gh
A number of intrusion detection systems exist, many of them open-source, and each has its own strengths and weaknesses when it comes to intrusion detection. This work compared the performance of three open-source intrusion detection systems: Snort, Suricata and Bro. The comparative analysis was carried out to present an independent view of their intrusion-detection performance. It took into consideration their effectiveness in detecting Denial of Service, probe, scan, User-to-Local and User-to-Root attacks, as well as their detection accuracy in terms of false positive, false negative and true positive alarms. All three IDSs were installed on virtual machines of identical specification, linked by a network switch to a target server in a virtual environment at a maximum Ethernet speed of 5 Gigabits per second (Gbps). The false positive, false negative and true positive alarm rates of Snort, Suricata and Bro were determined by injecting normal traffic alongside malicious traffic such as DoS, probe, scan and user-to-root attacks. Transmission Control Protocol, User Datagram Protocol and Internet Control Message Protocol traffic served as the normal traffic.
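The abstract states that the three IDSs were scored on false positive, false negative and true positive alarms against injected normal and attack traffic. The following Python script is an added illustration of how such scoring is done, not code from the paper: it identifies each injected flow by a hypothetical (src, dst, proto, dst_port) key, compares each IDS's alert set against a labelled ground truth, and reports a confusion matrix, detection rate, false positive rate and the attack classes each IDS missed. The ground truth, the three alert lists and the resulting numbers are constructed for the example and do not reflect the paper's measurements.

```python
"""Score IDS alert sets against labelled ground truth (added example).

Flows are identified by a hypothetical (src, dst, proto, dst_port) key.
The ground truth and the per-IDS alert lists below are constructed sample
data, not results from the paper.
"""

# Constructed ground truth: every injected flow and its label.
# "normal" flows are the TCP/UDP/ICMP background traffic; the rest are
# attack classes used in the evaluation.
GROUND_TRUTH = {
    ("10.0.0.5", "10.0.0.10", "tcp", 80): "dos",
    ("10.0.0.6", "10.0.0.10", "tcp", 22): "probe",
    ("10.0.0.7", "10.0.0.10", "udp", 53): "normal",
    ("10.0.0.8", "10.0.0.10", "icmp", 0): "normal",
    ("10.0.0.9", "10.0.0.10", "tcp", 21): "u2r",
    ("10.0.0.11", "10.0.0.10", "tcp", 443): "scan",
}

# Constructed alert logs: the flow key each IDS raised an alert on.
# Snort's list contains a repeated DoS alert (per-packet alerts are common),
# an alert on benign UDP traffic, and an alert on a flow that was never
# injected; both of the latter are false positives.
ALERTS = {
    "snort": [
        ("10.0.0.5", "10.0.0.10", "tcp", 80),
        ("10.0.0.5", "10.0.0.10", "tcp", 80),
        ("10.0.0.6", "10.0.0.10", "tcp", 22),
        ("10.0.0.11", "10.0.0.10", "tcp", 443),
        ("10.0.0.7", "10.0.0.10", "udp", 53),
        ("10.0.0.12", "10.0.0.10", "tcp", 8080),
    ],
    "suricata": [
        ("10.0.0.5", "10.0.0.10", "tcp", 80),
        ("10.0.0.6", "10.0.0.10", "tcp", 22),
        ("10.0.0.9", "10.0.0.10", "tcp", 21),
        ("10.0.0.11", "10.0.0.10", "tcp", 443),
    ],
    "bro": [
        ("10.0.0.5", "10.0.0.10", "tcp", 80),
        ("10.0.0.11", "10.0.0.10", "tcp", 443),
    ],
}


def score(truth, alerts):
    """Return confusion counts, rates and the attack classes an IDS missed.

    Duplicate alerts on the same flow are collapsed so that a noisy DoS
    signature does not inflate the true positive count.
    """
    alerted = set(alerts)
    attacks = {flow for flow, label in truth.items() if label != "normal"}
    normals = set(truth) - attacks

    tp = len(attacks & alerted)          # attack flows that raised an alert
    fn = len(attacks - alerted)          # attack flows that went unnoticed
    # Alerts on benign flows, or on flows that were never injected, are false positives.
    fp = len(normals & alerted) + len(alerted - set(truth))
    tn = len(normals - alerted)          # benign flows that stayed quiet

    missed = sorted({truth[flow] for flow in attacks - alerted})
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "missed_classes": missed,
    }


def score_all(truth=GROUND_TRUTH, alerts=ALERTS):
    """Score every IDS in `alerts` against the same ground truth."""
    return {ids: score(truth, flows) for ids, flows in alerts.items()}


if __name__ == "__main__":
    for ids, r in score_all().items():
        print(f"{ids:9s} TP={r['tp']} FP={r['fp']} FN={r['fn']} TN={r['tn']} "
              f"DR={r['detection_rate']:.2f} FPR={r['false_positive_rate']:.2f} "
              f"missed={r['missed_classes']}")
```

Detection rate here is TP / (TP + FN) over attack flows and false positive rate is FP / (FP + TN) over benign and unexpected flows; keying on flows rather than raw alert lines is what keeps a chatty per-packet signature from being counted as many detections.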