Close icon
Tutorial

Suricata vs CrowdSec

The answer is: Both! Suricata and CrowdSec are two very different tools that supplement each other well so the ideal choice would be to use the power of CrowdSec to share Suricata alerts with other CrowdSec + Suricata users combining the best properties of both tools.

The community often asks me whether they should keep their IDS, say Suricata, installed or if they should install CrowdSec. For reasons I’ll explain shortly it’s a misunderstanding to feel that you need to choose between those two. I do understand the question, though.

Let me elaborate on the confusion and the abbreviations: As you may or may not know, over time we have tried to categorize our project into well-known categories in the security space. We’ve called it EDR, IDS, IPS and compared ourselves to other well-known FOSS projects like Fail2Ban. If you know tools in those categories well, it may not make sense in all cases but to us it did; in terms of marketing it’s usually a good idea to create feelings of familiarity towards potential users so although that CrowdSec in many ways is unlike anything else, it does makes sense to call our project an IDS/IPS.

These abbreviations literally mean ‘Intrusion Detection System’ and ‘Intrusion Prevention System’ as the CrowdSec agent literally detects attacks from logs and mitigates those attacks using a variety of so-called bouncers. The aforementioned misunderstanding originates from history and tradition.

Looking back at FOSS IDS and IPS history traditionally there’s three big players: Snort and Zeek which coincidentally both surfaced in 1998 and Suricata which formally joined the party in 2010 when the first version was released. All of these look at network traffic and seek to identify malicious or faulty network packages. 

CrowdSec, on the other hand, is completely different as it doesn’t look at network traffic at all but simply reads logs. Those logs can come from a number of different sources such as files present on your device, syslogd traffic received over the network, Docker logs, Journald, AWS Logtrail/Kinesis or, on Windows, Windows Event log. For now that’s it.

So going back to the question I’ve answered so many times when users have asked me it’s a bit like comparing apples and oranges. Both are great but since they don’t taste or feel the same you sometimes prefer an apple over an orange (or vice versa). In terms of CrowdSec vs Snort/Zeek/Suricata they are all great IDS/IPS systems but since they don’t look at the same data there’s no way they can yield the same results and detect and mitigate the same threats. As a side note the same is even true for those three systems when comparing them; they may all look at the same data but they do so very differently so by nature they yield different results and detect different attacks. 

So the most correct answer is that neither are best. Instead they supplement each other well. And as a brand new thing they also integrate. CrowdSec just released a collection for Suricata meaning that CrowdSec will parse the log of Suricata (regardless of format), detect high and medium alerts, mitigate any threats from those ips and share them with other CrowdSec users - in effective making Suricata capable of dealing with ip reputation and collaborative security - for the good of the entire CrowdSec - and Suricata communities (given that the latter adopts CrowdSec).

If you’re using Snort or Zeek it’s trivial to do the same. Either write parsers or scenarios yourself or upload log samples containing examples of attacks you want to mitigate in an issue via our GitHub.

Have fun with CrowdSec and your brand new turbo charged IDS/IPS :-) 

Glossary

FOSS

Free and Open-Source Software

IDS

Intrusion Detection Software

IPS

Intrusion Prevention Software

AWS

Amazon Web Services

EDR

Endpoint Detection and Response

XDR

Extended Detection and Response. An important buzzword in this area of tools.

Parser

A simple text file (in YAML and GROK) used by CrowdSec to parse a log file and make it understand the data. Technical description is available here.

Scenario

A simple text file (usually only in YAML) describing the situation (typically an attack) we’re looking for. For example a brute force attack where the scenario file describes how many attacks in which timespan is allowed before triggered and a decision is triggered (typically followed by a ban). Technical description is available here.

YAML

Yet Another Markup Language. A common format for e.g. configuration files. All CrowdSec configuration files are written in YAML.

GROK

A ‘programming language’ made for parsing log format. Made popular primarily by Elastic (originally for use with Logstash). Later it has become the de facto language for log parsing.