Suricata is a multi-threaded Intrusion Detection (IDS) / Prevention (IPS) System developed by the Open Information Security Foundation (OISF).
This post describes the installation and basic/advanced configuration of Suricata.
Many thanks to:
- Anoop Saldanha from the OISF for his great help on the installation process.
- Jason Drury (Aldeid Community) for his help on the tests.
- The AlienVault team for their help on the tests.
Here are the major features of Suricata:
- Multi Threading
- Unlike other IDS/IPS, Suricata is multi-threaded. Each thread has an input queue handler and an output queue handler, which are used to get packets from other threads or from the global packet pool.
- Performance Statistics
- Performance statistics are gathered by two components, making it possible to collect indicators such as bytes, packets and flows per second, flow duration and size, stream duration, alerts per second, etc.
- Automatic Protocol Detection
- Suricata not only supports keywords for IP, TCP, UDP and ICMP, but also for HTTP, TLS, FTP and SMB. This makes it possible to write rules for detecting malware.
- Gzip Decompression
- The HTP parser is capable of decompressing and decoding Gzip compressed streams.
- Independent HTP Library
- The parser is also available as a library under GPLv2 for easy integration into other tools (proxies, filters, etc.).
- Standard Input Methods
- Traffic can be captured via standard input methods: NFQueue, PF_RING and libpcap. IPFW will soon be supported.
- Unified2 Output
- Suricata generates unified2 outputs that are fully compatible with Barnyard2.
- Flow Variables
- Suricata offers the possibility to save captured information in a variable that can then be used for future matching.
- Fast IP Matching
- IP addresses that are referenced in the rules (incl. EmergingThreats rules) are processed by a fast matching preprocessor.
- HTTP Log Module
- Suricata can log HTTP traffic to a dedicated log file whose format is based on the Apache log file structure.
- Graphics Card Acceleration
- Suricata plans to make use of graphics processing units (GPUs) in future versions.
- IP Reputation
- The purpose of the IP reputation component is the ranking of IP addresses within the Suricata Engine. It will collect, store, update and distribute reputation intelligence on IP Addresses.
- Flowint
- Flowint is a precursor to global variables. It adds arithmetic capabilities to rules: automatically incrementing a value, comparing a variable with a fixed value, etc. For more information, please refer to this section.
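As an added illustration of the flowint keyword described above (example rules written for this page, not taken from the original post or the Suricata project), the pair below counts requests for an assumed "/login" URI within a single flow and alerts only once the per-flow counter passes a threshold; the variable name, message texts and sids are assumptions:

```suricata
# Constructed example: per-flow counter built with flowint.
# Rule 1 increments the counter "login_attempts" on every matching request.
# "noalert" suppresses the alert itself, so this rule only has the side effect
# of updating the flow variable.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Login request seen (counting only)"; flow:established,to_server; content:"/login"; http_uri; flowint:login_attempts,+,1; noalert; sid:9000001; rev:1;)

# Rule 2 compares the same variable with a fixed value and fires once the
# flow has carried more than 5 matching requests.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"More than 5 login requests in one flow"; flow:established,to_server; content:"/login"; http_uri; flowint:login_attempts,>,5; sid:9000002; rev:1;)

# Rule 3 shows the "isnotset" test: it matches only the first request of a
# flow, before rule 1 has created the variable. Useful for one-time actions.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"First login request in this flow"; flow:established,to_server; content:"/login"; http_uri; flowint:login_attempts,isnotset; noalert; sid:9000003; rev:1;)
```

Because the counter lives in the flow, it is reset automatically when the flow ends, so a client that opens a new connection per request will not be counted across connections; that is the limitation the text refers to when it calls flowint a precursor to global variables.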