Looking to move forward with deploying IDS/IPS on several FreeBSD firewalls, and I was curious about the difference between Snort and Suricata. I know that Suricata is multi-threaded, but in terms of rule processing and how they otherwise work, is there any real difference that should sway me to pick one or the other?
The main difference is that Suricata uses the GPU in IPS mode. It has a more advanced IPS mode in general, includes multitasking, and as a result you get high performance, allowing it to process up to 10 GbE of traffic on regular hardware. And it fully supports Snort rules. You can learn more about Suricata's features here: https://suricata-ids.org/features/all-features/
I have tried to run both systems on a single-core embedded system (an IoT gateway), and they do pretty much the same things. One major difference is that out of the box, Suricata required a lot more CPU resources than Snort to process the same amount of traffic.