Comparison of open source network intrusion detection systems

Many companies and organizations offer IT services (newspapers, social sites, web developers, etc.) to the public, and those services need to be protected. The number of computer threats is increasing drastically, and many attacks are directed at the services companies offer. Larger companies have the budget to buy expensive security tools to protect their services, while smaller companies may not have the same budget. Open source is an interesting field for those who do not have the need or the budget to buy expensive security solutions. An intrusion detection system is a well-known security tool; it can either be bought as a commercial product or downloaded from the web as an open source solution. Snort, Bro and Suricata are three different open source network intrusion detection systems. By comparing their installation, configuration, alarms and the information they provide, one can find out which solution fits a given network best. Setting up the test environment, installing and configuring Snort, Bro and Suricata, and installing Metasploit was a time-consuming process. Snort, Bro and Suricata were tested in a network, and against the Metasploit framework with known exploits. Running Snort, Bro and Suricata in a network showed large differences in the number of alarms produced, and also differences in the logs produced. The results after running Metasploit showed some unexpected but clarifying results in the logs created. The whole process has been evaluated, and a summary of Snort, Bro and Suricata regarding installation, configuration and alarms is given.