NIDS stands for Network Intrusion Detection System. It is a means of monitoring network traffic, looking for specific activity, and generating alerts.
Security Onion can run either Snort or Suricata as its Network Intrusion Detection System (NIDS). When you run Setup and choose Evaluation Mode, it will automatically default to Snort. If you choose Production Mode, you will be asked to choose whether you want to run Snort or Suricata.
In Security Onion, we compile both Snort and Suricata to support PF-RING for higher performance. Suricata also supports AF-PACKET as an alternative. Modern versions of Setup default to running Suricata in AF-PACKET mode.
Switching from Snort to Suricata¶
Please note that, if you’re running the Snort Talos ruleset, Snort Shared Object rules will not load in Suricata. Most folks who choose the Suricata engine choose to run the Emerging Threats ruleset.
sudo so-sensor-stop sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf sudo rule-update sudo so-sensor-start
Switching from Suricata to Snort¶
sudo so-sensor-stop sudo sed -i 's|ENGINE=suricata|ENGINE=snort|g' /etc/nsm/securityonion.conf sudo rule-update sudo so-sensor-start
Security Onion is designed to be passive and so Snort and Suricata run in NIDS mode rather than NIPS (inline) mode. Running in NIPS mode would require manual configuration and we do not recommend or support it.