NIDS stands for Network Intrusion Detection System. It is a means of monitoring network traffic, looking for specific activity, and generating alerts.
Security Onion can run either Snort or Suricata as its Network Intrusion Detection System (NIDS). When you run Setup and choose Evaluation Mode, it will automatically default to Snort. If you choose Production Mode, you will be asked to choose whether you want to run Snort or Suricata.
In Security Onion, we compile both Snort and Suricata to support PF-RING for higher performance. Suricata also supports AF-PACKET as an alternative. Modern versions of Setup default to running Suricata in AF-PACKET mode.
You can analyze NIDS alerts from Snort/Suricata via:
Note: If you’re running the Snort Talos ruleset, Snort Shared Object rules will not load in Suricata. Most folks who choose the Suricata engine choose to run the Emerging Threats ruleset.
To switch a sensor from Snort to Suricata, run:

sudo so-sensor-stop
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo rule-update
sudo so-sensor-start
To switch a sensor from Suricata back to Snort, run:

sudo so-sensor-stop
sudo sed -i 's|ENGINE=suricata|ENGINE=snort|g' /etc/nsm/securityonion.conf
sudo rule-update
sudo so-sensor-start
In a distributed deployment, switch the master server first and then push the same change to every sensor with Salt. From the Master Server, run:

sudo so-sensor-stop
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo rule-update
sudo so-sensor-start
# The remaining commands assume all sensor hostnames contain "securityonionsensor"
sudo salt '*securityonionsensor*' cmd.run 'so-sensor-stop'
sudo salt '*securityonionsensor*' cmd.run 'sed -i "s|ENGINE=snort|ENGINE=suricata|g" /etc/nsm/securityonion.conf'
sudo salt '*securityonionsensor*' state.highstate
sudo salt '*securityonionsensor*' cmd.run 'so-sensor-start'
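The blind sed above silently does nothing if the ENGINE line does not hold the value you expect, so the sensor restarts on the old engine. The script below is an added example (not Security Onion's own tooling) that wraps the same edit with validation, a backup and a post-edit check; it assumes the ENGINE=<name> line format shown on this page and GNU sed, and the conf path defaults to /etc/nsm/securityonion.conf.

```shell
#!/bin/sh
# Added example, not part of Security Onion: switch the NIDS engine in
# securityonion.conf with checks instead of an unverified sed replacement.
# Assumes the file carries a single line of the form ENGINE=<name>.

# Print the engine currently configured in the given conf file.
current_engine() {
    conf="$1"
    sed -n 's/^ENGINE=\(.*\)$/\1/p' "$conf" | head -n 1
}

# Rewrite the ENGINE line to the requested engine.
# Returns 1 for an unknown engine, 2 if the conf file is missing,
# 3 if the edit did not take effect. Leaves a timestamped backup behind.
set_engine_in_conf() {
    conf="$1"
    new="$2"
    case "$new" in
        snort|suricata) ;;
        *) echo "unknown engine: $new" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "missing conf: $conf" >&2; return 2; }
    old=$(current_engine "$conf")
    if [ "$old" = "$new" ]; then
        echo "ENGINE already set to $new; nothing to do"
        return 0
    fi
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Match on the key rather than the old value, so a stale or unexpected
    # value is still replaced instead of being silently left in place.
    sed -i "s|^ENGINE=.*|ENGINE=$new|" "$conf"
    [ "$(current_engine "$conf")" = "$new" ] || return 3
}

# The page's stop / edit / rule-update / start sequence with the verified
# edit in the middle. Run as root on a sensor; deliberately not invoked here.
switch_engine() {
    new="$1"
    conf="${2:-/etc/nsm/securityonion.conf}"
    so-sensor-stop
    set_engine_in_conf "$conf" "$new" || return $?
    rule-update
    so-sensor-start
}
```

On a distributed deployment the same script can be pushed to the sensors and run through `salt ... cmd.run`, replacing the inline sed in the Salt commands above.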
Security Onion is designed to be passive and so Snort and Suricata run in NIDS mode rather than NIPS (inline) mode. Running in NIPS mode would require manual configuration and we do not recommend or support it.