A comparative analysis of Snort and Suricata

Suricata's multithreaded architecture requires more memory and CPU resources than Snort. We observed that Suricata's overall processor use was almost double that of Snort, and that Suricata used more than twice the RAM used by Snort. This can be attributed to the overhead needed to handle multiple detection threads in Suricata. In return, Suricata can scale to cope with increasing network traffic without requiring multiple instances. Snort is light and fast but limited in its ability to scale beyond 200 to 300 Mbps of network bandwidth per instance. While Snort's processing time is lower than Suricata's, the need for multiple instances to accomplish what Suricata achieves with its multithreaded design increases the cost of operating and managing a Snort environment.

Choosing a solution for a smart environment requires prior knowledge of IDSs, so in this paper we compare three open source solutions, Snort, Bro and Suricata, in order to choose the one best adapted to a smart city. In this section we present the results of the analysis of these three solutions according to several features: CPU usage, memory usage and adaptability to a smart environment.

Snort is highly efficient in a moderate-traffic scenario on a single-core processor: it spends about 10% of CPU on parsing, 10-20% on normalization and 70-80% on payload inspection and detection. In our measurements, Snort's CPU usage is 46% in the normal state and 68% under test. Regarding RAM, Snort uses 71.7% in the normal state and 76.1% under test, so a single instance of Snort was found to be more efficient than Suricata, with 50% less memory utilization. Suricata is aimed at large-scale networks and can be considered an extension of Snort for large networks using multiple CPUs. Suricata uses 44.4% of CPU in the normal state and 99% under test; regarding RAM, it uses 69.9% in the normal state and 73% under test. Suricata offers support for PF_RING, AF_PACKET, PCAP acceleration and NFLOG, and it also benefits more from multi-threading.

Bro provides a worker-based architecture to use multiple processors. Its CPU usage is 46.4% in the normal state and 58.2% under test; regarding RAM, Bro uses 46.4% in the normal state and 55% under test.

Snort is the ideal solution for a moderate-traffic scenario, around 400 Mbps. Newer versions also add acceleration support such as PF_RING, aimed at high-throughput scenarios. Suricata, however, is better suited to high-throughput systems of 10 Gbps or more thanks to its extensive support for scaling; ISPs running 20 Gbps use Suricata effectively. Bro can be considered a high-throughput research environment thanks to its great flexibility: its powerful scripting features are a definite advantage over the standard rule sets of Snort or Suricata.

Suricata performs better than Snort: it can handle larger volumes of traffic than Snort with similar accuracy, and its performance increases roughly linearly with the number of processors. However, in a number of cases no significant advantage in speed or accuracy of Suricata over Snort was observed. The false positive and false negative results can be explained by the weaknesses of the rule set used for testing. It is inconclusive whether Suricata or Snort has the better detection algorithm, but a 64-bit machine is recommended for both in order to load comprehensive rule sets.
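The CPU and RAM percentages above come from observing each IDS process in a normal state and again under test. The script below is an added example, not part of the paper, of how such figures can be collected on Linux from /proc; the pid of the IDS process (Snort, Suricata or Bro) is an assumed command-line argument, and both percentages are averaged over the sampling window.

```python
"""Added example, not from the paper: average %CPU and %RAM of a process
from /proc, to reproduce the "normal state" vs "under test" figures above.
Linux only; the IDS pid (Snort, Suricata or Bro) is an assumed argument."""
import os
import sys
import time

CLK_TCK = os.sysconf("SC_CLK_TCK")  # kernel clock ticks per second

def cpu_ticks(pid):
    """utime + stime of the process (fields 14 and 15 of /proc/PID/stat)."""
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # The comm field may contain spaces; fields after the last ')' are fixed.
    fields = stat[stat.rindex(")") + 2:].split()
    return int(fields[11]) + int(fields[12])

def proc_kb(path, key):
    """First '<key>: N kB' value from a /proc file (VmRSS, MemTotal, ...)."""
    with open(path) as f:
        for line in f:
            if line.startswith(key + ":"):
                return int(line.split()[1])
    raise RuntimeError(f"{key} not found in {path}")

def sample_usage(pid, samples=10, interval=1.0):
    """Average (%CPU, %RAM) over samples*interval seconds. %CPU is normalised
    to the whole machine (100% = every core busy), so a multithreaded Suricata
    saturating all cores reads as ~99% rather than N*100%."""
    ncpu = os.cpu_count() or 1
    total = proc_kb("/proc/meminfo", "MemTotal")
    cpu, mem = [], []
    prev_ticks, prev_t = cpu_ticks(pid), time.monotonic()
    for _ in range(samples):
        time.sleep(interval)
        ticks, now = cpu_ticks(pid), time.monotonic()
        cpu.append(100.0 * (ticks - prev_ticks) / CLK_TCK / (now - prev_t) / ncpu)
        mem.append(100.0 * proc_kb(f"/proc/{pid}/status", "VmRSS") / total)
        prev_ticks, prev_t = ticks, now
    return round(sum(cpu) / samples, 1), round(sum(mem) / samples, 1)

def self_usage(samples=2, interval=0.05):
    """Measure this process itself (lets the sampler be checked without an IDS)."""
    return sample_usage(os.getpid(), samples, interval)

if __name__ == "__main__":
    # python sample_usage.py <pid>: run once idle, once while replaying traffic
    print("%.1f%% CPU, %.1f%% RAM" % sample_usage(int(sys.argv[1])))
```

Run it once while the sensor traffic is idle and once while a capture is replayed at the IDS to obtain the two columns compared above.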

The ability to use multi-threading in a multi-CPU environment will favour Suricata in the future as network traffic continues to increase, but Snort can remain in service for the near future until Suricata becomes more stable. In Snort, normalization is performed by every instance, whereas in Suricata and Bro it is performed only once, before the traffic is handed to the threads.

In this article we began by introducing the smart city: an urban area that uses different sensors to collect electronic data and provide the information needed to manage resources and assets effectively. This includes data gathered from citizens, mechanical devices and assets, which is processed and analyzed to monitor and manage traffic and transport systems, power plants, information systems, schools, libraries and hospitals. We then presented the architecture of a smart city and its services: smart home, smart cards, smart grid, smart healthcare, smart infrastructure, smart energy and smart industry. Next we presented an architecture that summarizes the process of collecting and analyzing data in a smart city, organized in four levels: data collection, data processing, data integration and reasoning, and data control and alerts. We found that this architecture is not secure because it has no security layer, especially at the level of data collection from the sensors, which leaves the services of the smart city vulnerable to attacks; we then classified the attacks according to four layers: physical layer, data link layer, application layer and transport layer.
To solve the security problem of collecting data from the sensors and sending it to the data storage centers, a smart security system adaptable to a smart environment is proposed as a solution, and we chose the intrusion detection system as that solution. We began by defining an intrusion detection system as a mechanism for identifying abnormal or suspicious activity on the target being monitored (a network or a host), which gives insight into successful as well as failed intrusion attempts. In general, an IDS is a sniffer coupled with an engine that analyzes traffic according to rules describing the traffic to report. An IDS can detect malware (viruses, worms, ...), scans or sniffing on a network, and DoS or DDoS attacks. There are three types of IDS: NIDS, HIDS and hybrid IDS. As a smart solution adaptable to a smart environment, addressing the security problem at the data collection level, we chose to carry out a comparative study of three solutions, Snort, Bro and Suricata, in order to choose the one suitable for our case.

After defining Snort, Bro and Suricata and presenting the architecture of each, we moved to the comparison phase and concluded that Suricata performs at least as well as Snort, and better in most cases. Indeed, Suricata can handle larger volumes of traffic than Snort with similar accuracy, and its performance increases roughly linearly with the number of processors. However, in a number of cases no significant advantage in speed or accuracy of Suricata over Snort was observed. The false positive and false negative results can be explained by the weaknesses of the rule set used for testing. It is inconclusive whether Suricata or Snort has the better detection algorithm, but a 64-bit machine is recommended for both in order to load comprehensive rule sets. The ability to use multi-threading in a multi-CPU environment will favour Suricata in the future as network traffic continues to increase, but Snort can remain in service for the near future until Suricata becomes more stable. After the comparison phase we had to choose the best solution to apply to a smart environment, and we chose Suricata: Snort can also work in a smart environment, but the best solution for a smart environment is Suricata.

Several researchers have proposed intrusion detection systems based on Snort, Bro and Suricata. As future work, we will first simulate an attack on a smart environment and deploy Suricata as the IDS defending against it; we will then propose our own solution for a smart environment, based on Suricata, which will meet the security objectives of integrity, availability and authentication.