I'm 80% Juniper down in my shop but also use both Snort and Suricata equally. It all boils down to time because time = money. With Juniper and other commercial products, there are dedicated people working non-stop on the devices. This gives you some level of confidence that signatures are as up-to-date as possible whereas with Snort and Suricata, you're at the mercy of the community and yourself.

We'll start with the community. No big secret about zealotry: Suricata forked from Snort, OpenVAS forked from Nessus and the lineage goes back dozens of years. In the open source realm, there are and have been a lot of cool projects often messed up by individuals themselves. Snort and the IDP/IPS is nothing new. Marcus Ranum had the excellent NFR, Ron Gula had the excellent Dragon. There was Emerald and a bucketload of cool tools that were effective. Ask yourself: "Where are they now?" This is the problem with open source and the likes. Whereas with say a vendor, Juniper, Tipping Point, when you need something, a call or a ticket WILL get you results without the headaches of jumping on IRC or a mailing list.

Let's move on to you (not you per-se but the individual running the IDP/IPS). How good is your packet fu, reversing skills, AV detective skills and so on? Do you think you could create say 1,000 signatures per day to keep up with the threat? Because the big boys (Juniper, Tipping Point, etc.) have the visibility, you can have some form of relief that there are dozens maybe hundreds of people actively working on a collected source of data versus anything you could whip up.

So ask yourself, do you want to spend the money (time) running around on IRC, mailing lists, waiting for community volunteers to make signatures or would you rather have it done for you and save yourself the headache and money (time).

Excellent point Sil.  It also helps when you want to sell a product to management.  Most managers and CFO types will see the cost of say a Juniper or Tipping Point and say

"hey isn't there some free opensource product we can use??"  

And you, being the person who would have to manage that, could say

"well we can, but we will need to hire a person to maintain and monitor this device and we will have to pay that person 75-85K a year plus benefits.  Also if the system breaks we will have to wait for someone on the interwebs to come up with a solution.  Oh yeah and if the device goes down we will not have internet access since it sits between our firewall and internet modem."   "So lets spend the 25-40K for a supported solution and if anything goes wrong we could call the 24/7 support line and open a ticket with a 4 hour or less response."  

As a geek though, well yeah we want to play with the opensource and figure out the inner workings and even get the direct exposure to discover a new threat not seen before.  But then that is for our home labs and not for the business.

Nah @ complaints for Juniper. At least for me there isn't. There may be a slight learning curve, but that's a given for most technologies and applications when they're new. Suricata indeed is kick ass cool however, there are pros and cons which would hinder me from getting a client to agree to deploy it. Imagine having a client in Asia right now and you're telling them you want to deploy Suricata. They'd shoo you out of their office. "part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy's Space and Naval Warfare Systems Command (SPAWAR)" It's just the way it is.

Back in the daze (not a typo ) EMERALD (http://www.csl.sri.com/projects/emerald/project.html) was the de-facto must have. Around this time, there was also a lot of funny stuff going on where the unofficial (don't ask don't tell) policy/theory was: "man as nice as that is you DON'T WANT to run it on your network." Just saying At the end of the day, I will run what my client wants me to or what I feel works best. For me cost wise, is Juniper "Set it forget it" versus: "Set it up, apt-get build bunch_o_crap or pkg_add will_this_work && ./Bitch -n sil irc.somewhere.net to get help.

Below are some tried and true links with information for EMERALD and similar systems (C-SCIDS), etc.

http://www.ll.mit.edu/mission/communications/CST/darpa.html
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.8506
http://www.sans.org/security-resources/idfaq/eval_ids.php

http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1293248&highlight

From 2009: 80% of Fortune 100, 42% of Global 500 used Snort (can we trust this numbers?). Not a bad number for an open solution. Of course Suricata does not have a percentage like those since it's been only one year since the release of the first stable version, hopefully one day it will be there

If you want to rely on a commercial service to receive rules, you have Emerging Threat Pro and VRT. Appliances? Bivio and NPulse are selling them with implementations of Suricata, just like Sourcefire does with Snort. I understand that companies most of the time would rather to have a big player backing them up. I just don't think that commercial solutions are always better than free ones.

As usual, some great banter! Thanks!

You gave me good ideas sil