Assessing the Effectiveness of Open-Source Network Intrusion Detection Systems for Small-to-Medium-Sized Enterprises
Abstract
Network security is a critical concern for small and medium-sized enterprises (SMEs), which often lack the resources for comprehensive security solutions. This study evaluates three open-source network intrusion detection systems (NIDS), Snort, Suricata, and Zeek, to assess their suitability for SMEs. Using a controlled, virtualized environment, we simulated realistic SME network conditions and subjected each NIDS to tests measuring its ability to handle high traffic volumes and various attack types, including DoS, malware, ransomware, and phishing. Results showed that Suricata consistently outperformed the others in scalability, resource efficiency, and detection accuracy, achieving high true positive rates while minimizing false positives, which is essential for reducing alert fatigue among SME users. Snort 3, optimized with afpacket and hyperscan, also demonstrated strong capabilities but required more resources, while Snort 2 struggled with high-volume traffic. Zeek was lightweight and excelled at monitoring anomalies, but it was less effective at signature-based detection. This study provides insights to guide SMEs in selecting an appropriate NIDS for their specific requirements and emphasizes the need for ongoing optimization and further research in physical environments.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.