For years, Snort (developed and maintained by SourceFire) has been the de facto standard for open source Intrusion Detection/Prevention Systems (IDS/IPS). Its engine combines the benefits of signatures, protocols, and anomaly-based inspection and has become the most widely deployed IDS/IPS in the world.

Suricata, a new and less widespread product developed by the Open Information Security Foundation (OISF), has recently appeared, and seems really promising. It is also based on signatures but integrates revolutionary techniques. This engine embeds a HTTP normalizer and parser (HTP library) that provides very advanced processing of HTTP streams, enabling the understanding of traffic on the 7th level of the OSI model.

This document describes the features of Suricata in details, explains how to install it through different approaches, the compilation options, how to configure it and how to use it for the detection and the prevention modes.

See tests results.

Table of content

• Introduction
  • Description
  • Features
• Installation & basic configuration
  • Installation
    • Installation from git (recommended)
    • Installation from tar.gz
    • Advanced installation & Inline capabilities
    • Alternate installation of Suricata
  • Basic configuration
• Setting up rules
  • EmergingThreats
  • VRT rules
  • Manually creating rules
  • Rules Managers (Pulledpork & Oinkmaster)
• Advanced configuration
  • suricata.yaml
  • classification.config
  • reference.config
  • threshold.config
• Usage
  • From CLI: Syntax & options
  • Frontends

External resources

• https://redmine.openinfosecfoundation.org/projects/suricata/wiki

Comments

Talk:Suricata