Snort is highly efficient in the scenario of moderate traffic with a single-core processor. Snort uses 10% of CPU for parsing, 10-20% for normalization and 70-80% of CPU for payload inspection and detection. To explain more, we can note that CPU usage in a normal state is 46% and CPU usage when testing is 68%. Concerning RAM, Snort uses 71.7% of RAM in a normal state and 76.1% when testing, so it was found that a single instance of Snort is more efficient than Suricata, with 50% less memory utilization.

Suricata is more focused on large-scale networks. In a way, it could be considered as an extension of Snort for large networks, using multiple CPUs. Suricata uses 44.4% of CPU in a normal state and 99% of CPU when testing. Concerning RAM, the figures are 69.9% of RAM in a normal state and 73% when testing. Suricata offers support for PF_RING, AF_PACKET, PCAP acceleration, and NFLOG. It also works better with multi-threading. In Snort, the normalization is performed for every instance, while for Suricata and Bro the normalization is performed only once before multithreading. Bro uses a worker-based architecture to use multiple processors. We can note that CPU usage in a normal state is 46,4% and
In general, an IDS is a sniffer coupled with an engine that analyzes traffic according to rules, which describe the traffic to report. An IDS is able to detect malware (viruses, worms, ...), scans or sniffing on a network, and DoS or DDoS attacks. There are three types of IDS: NIDS, HIDS, and hybrid IDS. As a smart solution that will be adaptable to a smart environment to solve the security problem concerning the level of data collection, we chose to make a comparative study of three solutions, Snort, Bro and Suricata, in order to choose the one that will be suitable for our case. After having defined Snort, Bro and Suricata and presented the architecture of each of them, we went to the comparison phase and concluded that Suricata performs at least as well as Snort, and even better in most cases. Indeed, Suricata can handle larger volumes of traffic than Snort with similar accuracy. Its performance increases more or less linearly with the number of processors. However, in a certain number of cases no significant advantage in speed or accuracy of Suricata over Snort was observed. The results concerning false positives and false negatives can be explained by the weaknesses of the rule set used for testing. It is inconclusive whether Suricata or Snort has the better detection algorithm, but a 64-bit machine is recommended for both to allow loading comprehensive rule sets. The ability to use multi-threading techniques in a multi-CPU environment will give Suricata leverage in the future, as network traffic is continuously increasing.
But Snort can remain in service for the near future, before Suricata becomes more stable. After the comparison phase we have to choose the best solution to apply to a smart environment, so we choose Suricata. Snort can also work in a smart environment, but the best solution for a smart environment is Suricata. Several researchers have proposed intrusion detection systems based on Snort, Bro and Suricata. As future work we will first simulate an attack on a smart environment and, as a solution, set up the Suricata IDS to defend against this attack; we will then propose our own solution for a smart environment, based on Suricata, which will answer the security objectives of integrity, availability and authentication.
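To make concrete the definition of an IDS given above (a sniffer coupled with a rule engine) and the three pipeline stages the comparison refers to (parsing, normalization, payload inspection), the following added example implements a toy signature-based NIDS in Python. It is not code from the paper or from Snort, Suricata or Bro. It assumes pre-captured packets represented as dicts (no live sniffing), a small subset of Snort's rule syntax (`alert proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)`), and HTTP percent-decoding plus case folding as the only normalization; the packets, rules and SIDs are constructed for illustration.

```python
"""Toy signature-based NIDS pipeline: parse -> normalize -> inspect.

Added illustration, not code from the paper or from Snort/Suricata/Bro.
Assumptions: packets are pre-captured dicts; the rule grammar is a small
subset of Snort's; normalization is only percent-decoding and case folding.
"""
import re
from urllib.parse import unquote

# Header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# Options: key:"value"; or key:value;
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rule(text):
    """Parse one Snort-style rule line into header fields plus an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    return rule


def port_matches(spec, port):
    """'any' matches every port; otherwise compare as integers."""
    return spec == "any" or int(spec) == port


def normalize(pkt):
    """Normalization stage: percent-decode and case-fold the payload so one
    canonical form reaches the detection engine. The raw packet is kept for
    reporting; a copy is returned."""
    norm = dict(pkt)
    norm["payload"] = unquote(pkt["payload"]).lower()
    return norm


def inspect(pkt, rules):
    """Detection stage: return every rule whose header and content match pkt."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (port_matches(r["sport"], pkt["sport"])
                and port_matches(r["dport"], pkt["dport"])):
            continue
        needle = r["opts"].get("content", "").lower()
        if needle and needle not in pkt["payload"]:
            continue
        hits.append(r)
    return hits


def run_ids(packets, rule_lines, do_normalize=True):
    """Whole pipeline. Returns a list of (sid, msg, src) alerts. Setting
    do_normalize=False shows what the detection engine misses when the
    normalization stage is skipped."""
    rules = [parse_rule(line) for line in rule_lines if line.strip()]
    alerts = []
    for pkt in packets:
        target = normalize(pkt) if do_normalize else pkt
        for r in inspect(target, rules):
            alerts.append((int(r["opts"]["sid"]), r["opts"]["msg"], pkt["src"]))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.8", "dport": 80,
     "payload": "GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 51001, "dst": "10.0.0.8", "dport": 80,
     "payload": "GET /cgi-bin/../../etc/%70asswd HTTP/1.1\r\n\r\n"},
    {"proto": "udp", "src": "10.0.0.7", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "payload": "mdns query"},
]

# Constructed rules in the Snort-like subset; SIDs are arbitrary placeholders.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB traversal to passwd"; content:"/etc/passwd"; sid:1000001;)',
    'alert udp any any -> any 5353 (msg:"mDNS seen"; content:"mdns"; sid:1000002;)',
]

if __name__ == "__main__":
    print("with normalization:", run_ids(SAMPLE_PACKETS, SAMPLE_RULES))
    print("without normalization:", run_ids(SAMPLE_PACKETS, SAMPLE_RULES, do_normalize=False))
```

Running it with normalization enabled yields two alerts; with `do_normalize=False` the percent-encoded request line no longer matches the `content` of the first rule and only the mDNS alert remains, which is why the paper counts normalization as a separate, CPU-consuming stage before payload inspection.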