From aldeid
Jump to navigation Jump to search
You are here:


Suricata is a multi-threaded Intrusion Detection (IDS) / Prevention (IPS) System developed by the Open Information Security Foundation (OISF).

This post describes the installation and basic/advanced configuration of Suricata.

Many thanks to:

  • Anoop Saldanha from the OISF for his great help on the installation process.
  • Jason Drury (Aldeid Community) for his help on the tests
  • the AlienVault team for their help on the tests


Here are the major features of Suricata:

Multi Threading
Not like other IDS/IPC, Suricata is multi-threaded. Threads have an input queue handler and an output queue handler that are used to get packets from other threads, or from the global packet pool.
Performance Statistics
Performance statistics are gathered by 2 components, enabling to collect indicators such as bytes, packets, flows per second, flow duration and size, stream duration, alerts/sec, ...
Automatic Protocol Detection
Suricata not only supports keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB. This enables to write rules for detecting malware.
Gzip Decompression
The HTP parser is capable of decompressing and decoding Gzip compressed streams.
Independent HTP Library
The parser is available as a library also under GPLv2 for easy integration into other tools (proxies, filters, ...)
Standard Input Methods
Traffic can be captured via standard input methods: NFQueue, IPFRing, LibPcap. IPFW will be soon supported.
Unified2 Output
Suricata generates unified2 outputs that are fully compatible with Barnyard2.
Flow Variables
Suricata offers the possibility to save captured information in a variable that can then be used for future matching.
Fast IP Matching
IP addresses that are referenced in the rules (incl. EmergingThreats rules) are processed by a fast matching preprocessor.
HTTP Log Module
Suricata gives the possibility to generate HTTP traffic in a dedicated log file based on the Apache log files structure.
Graphics Card Acceleration
Suricata plans to exploit Graphical processors (GPU) in future versions.
IP Reputation
The purpose of the IP reputation component is the ranking of IP addresses within the Suricata Engine. It will collect, store, update and distribute reputation intelligence on IP Addresses.
Flowint is a precursor to global variables. It integrates mathematical capabilities to automatically increment a value, compare a variable with a fixed value, ... For more information, please refer to this section.