| Features | Bro | Snort | Suricata |
|---|---|---|---|
| Multi-Threaded Processing | No | No | Yes |
| Complete IPv6 Support | Yes | Some | Complete |
| IP Reputation | Somewhat | No | Yes (soon) |
| Automated Protocol Detection | Yes | No | Yes |
| GPU Acceleration | No | No | Yes (soon) |
| Global Variables/Flowbits | Yes | No | Yes (soon) |
| Inline Windows Support | No | No | Yes |
| GeoIP Lookups | Yes | No | Yes (soon) |
| Advanced HTTP Parsing | Yes | No | Yes |
| HTTP Access Logging | Yes | No | Yes |
| SMB Access Logging | Planned | No | Yes (soon) |
| HTTP Blocklist Lookups | Yes | No | Yes (soon) |
| Free | Yes | Some | Yes |
- Multithreaded processing: Work is ongoing on this, but nothing releasable yet. Bro does have a fully functional cluster deployment model which helps users to scale support on a single box and/or across multiple boxes.
- IPv6 Support: Due to a bug, which hopefully will be addressed by the next release, IPv6 support is unusable in large scale production.
- IP reputation: You could say that Bro has IP reputation, it’s easy to utilize lists of addresses at least. I’m going to be working heavily on an intelligence sources framework for Bro soon too which will be able to consume a wide range of intelligence sources including IP addresses.
- Automated protocol detection: There’s even an academic paper about it [19] if you’d like to find out exactly how it works.
- Global variables/flowbits: Bro support for this sort of thing is far beyond what anything else has inherently because Bro has a complete programming language.
- GeoIP lookups: I added that myself several years ago. Bro supports IPv6 geoip lookups in addition to IPv4 and ASN lookups using another database for libGeoIP.
- Advanced HTTP Parsing: Bro has had it for years.
- HTTP Access Logging: Definitely. My script [20] will be included in the next release too.
- SMB Access Logging: This is something that I’m planning on tackling soon. I don’t know what the level of support for SMB is currently, but there is a parser already.
- HTTP Blocklist lookups: Yes, I consider this similar to the IP reputation and it’s going to be included in the intelligence sources framework. Some usage of URL lists is already included in a script that I distribute separately [21] but which will be in the next release of Bro.
- Free: Bro is under the BSD license, so in my opinion it’s actually more free than Snort or Suricata which are both under the GPL and much more difficult to share code with.
Ref:
http://amoebamach.tistory.com/entry/Snort-vs-Suricata-vs-Bro