Introduction
Suricata is a high-performance, open-source network intrusion detection and prevention system (IDS/IPS) that excels at real-time traffic analysis and threat detection. With support for multi-threading, hardware acceleration, and extensive rule sets, Suricata provides enterprise-grade security monitoring capabilities.
This comprehensive guide covers Suricata deployment, configuration, rule writing, performance optimization, and integration with security operations. Whether you’re building a new detection capability or migrating from other IDS solutions, Suricata offers the flexibility and performance required for modern network security.
Understanding Suricata
What Is Suricata?
Suricata is an open-source IDS/IPS that:
- Analyzes network traffic in real-time
- Detects threats using signature and anomaly-based detection
- Generates alerts and log events
- Can operate inline as an IPS (blocking traffic)
- Supports multiple deployment modes
Key Features
| Feature | Description |
|---|---|
| Multi-threaded | Uses all CPU cores efficiently |
| Protocol Parsing | Understands 50+ protocols |
| Lua Scripting | Custom detection logic |
| File Extraction | Carves files from traffic |
| TLS Certificates | Logging and inspection |
| App Layer | Deep protocol inspection |
Suricata vs Snort
Comparing major open-source IDS options:
| Aspect | Suricata | Snort |
|---|---|---|
| Multi-threading | Native | Limited |
| Performance | Excellent | Good |
| Lua scripting | Yes | No |
| File extraction | Built-in | Plugin |
| Community rules | Emerging | Mature |
Installation
Ubuntu/Debian Installation
# Add Suricata repository
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
# Install Suricata
sudo apt-get update
sudo apt-get install suricata
# Verify installation
suricata --version
CentOS/RHEL Installation
# Add EPEL repository
sudo yum install epel-release
# Install Suricata
sudo yum install suricata
# Enable service
sudo systemctl enable suricata
From Source
# Install dependencies
sudo apt-get install build-essential autoconf automake libtool libpcre3-dev libyaml-dev libnet1-dev libnetfilter-queue-dev libcap-ng-dev libmagic-dev libhiredis-dev
# Download source
wget https://www.openinfosecfoundation.org/download/suricata-7.0.8.tar.gz
tar -xzf suricata-7.0.8.tar.gz
cd suricata-7.0.8
# Configure
./configure --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var
# Build and install
make -j$(nproc)
sudo make install
sudo make install-conf
sudo make install-rules
Configuration
Basic Configuration
# Main configuration file
sudo vi /etc/suricata/suricata.yaml
# Set HOME_NET
- vars:
address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
EXTERNAL_NET: "!$HOME_NET"
port-groups:
HTTP_PORTS: "80,443,8080"
Capture Configuration
# Configure capture method
# /etc/suricata/suricata.yaml
af-packet:
- interface: eth0
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
stream:
memcap: 256mb
max-sessions: 262144
prealloc-sessions: 32768
# PF_RING for high-speed capture
pf-ring:
interface: eth0
cluster-id: 99
cluster-type: cluster_flow
Logging Configuration
# Configure outputs
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- eve-log:
enabled: yes
filename: eve.json
types:
- alert
- http
- dns
- tls
- ssh
- stats:
enabled: yes
filename: stats.log
interval: 8
Rule Configuration
# Specify rule files
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
- custom.rules
- et-pro.rules
# Classification
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
Rules and Signatures
Rule Structure
Suricata rules follow this format:
action protocol src_ip src_port direction dst_ip dst_port (options)
Example rules:
# Alert on any HTTP traffic to port 80
alert tcp any any -> any 80 (msg:"HTTP Traffic Detected"; classtype:web-application-attack; sid:1000001; rev:1;)
# Detect SSH connection
alert tcp any any -> any 22 (msg:"SSH Connection"; flow:established,to_server; sid:1000002; rev:1;)
# Detect DNS query to malicious domain
alert dns $HOME_NET any -> any any (msg:"Malicious DNS Query"; dns.query; content:"evil.com"; nocase; sid:1000003; rev:1;)
Action Types
| Action | Description |
|---|---|
| alert | Generate alert and log |
| pass | Allow and skip further processing |
| drop | Block (IPS mode) and alert |
| reject | Send RST and alert |
| rejectsrc | Reject source |
| rejectdst | Reject destination |
| rejectboth | Reject both |
Protocol Detection
Specify protocols for targeted detection:
# HTTP
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SQL Injection Attempt"; content:"' OR '1'='1"; classtype:web-application-attack; sid:1000100; rev:1;)
# DNS
alert dns any any -> any any (msg:"DNS Query to Known Malware"; dns.query; content:"badsite.com"; nocase; sid:1000101; rev:1;)
# TLS
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Invalid TLS Certificate"; tls.store; content:"MII"; sid:1000102; rev:1;)
Content Matching
# Basic content match
content:"evil";
# Case insensitive
content:"password"; nocase;
# Negation
content:!"admin";
# Binary content
content:"|90 90 90|";
# Multiple contents (AND)
content:"GET"; content:"/admin"; distance:0;
# Within range
content:"password"; within:20;
PCRE (Regular Expressions)
# PCRE usage
pcre:"/filename=.*\.exe/i";
# Complex patterns
pcre:"/User-Agent:.*(curl|wget)/i";
Flow and Stream Options
Control rule matching based on connection state:
# Match established connections
flow:established,to_server;
flow:established,to_client;
# Match only to client
flow:to_client;
# Stream matching
stream.reassembly:established;
stream.reassembly:to_client;
Detection Categories
Suricata rules are categorized:
# Classification types
classification:Attempted Information Leak; classification:16; priority:2;
classification:Attempted Admin Privilege Gain; classification:1; priority:1;
classification:Attempted User Privilege Gain; classification:3; priority:1;
classification:Successful Administrator Privilege Gain; classification:2; priority:1;
Custom Rules Examples
# Detect port scanning
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Port Scan Detected"; flags:S,12; threshold:type limit,track by_src,count 50,seconds 10; sid:1000200; rev:1;)
# Detect brute force SSH
alert ssh $HOME_NET any -> $EXTERNAL_NET any (msg:"SSH Brute Force"; flow:established,to_server; ssh.failed_auth; threshold:type threshold,track by_src,count 5,seconds 60; sid:1000201; rev:1;)
# Detect data exfiltration
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Data Exfiltration"; flow:established,to_server; dsize:>100000; sid:1000202; rev:1;)
Deployment Modes
IDS Mode (Passive)
Passive monitoring without blocking:
# Run in IDS mode (default)
suricata -c /etc/suricata/suricata.yaml -i eth0
# Verify mode
# Check outputs/alerts
tail -f /var/log/suricata/fast.log
IPS Mode (Inline)
Inline blocking of threats:
# Configure NFQUEUE
af-packet:
- interface: eth0
# For IPS mode
defrag: yes
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth1
# Or use NFQUEUE
suricata -c /etc/suricata/suricata.yaml -q 0
Configure iptables for NFQUEUE:
# Route traffic through Suricata
iptables -I FORWARD -j NFQUEUE
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
Hybrid Deployment
Combine IDS and IPS:
# Multiple interfaces
af-packet:
- interface: eth0
cluster-id: 99
- interface: eth1
cluster-id: 99
Performance Tuning
Multi-Threading Configuration
# Threading configuration
threading:
set-cpu-affinity: yes
cpu-mask: "0-3"
detect-thread-ratio: 1.5
# Worker threads
af-packet:
- interface: eth0
threads: 4
cluster-type: cluster_flow
Memory Management
# Stream reassembly
stream:
memcap: 512mb
max-sessions: 1000000
prealloc-sessions: 100000
# App layer
app-layer:
protocols:
http:
enabled: yes
stream-depth: 4mb
Throughput Optimization
# Hardware offloading
ethtool -K eth0 gro off gso off tso off
# Increase ring buffers
ethtool -G eth0 rx 4096 tx 4096
# Large MTU
ifconfig eth0 mtu 9000
Profile and Benchmark
# Profile Suricata
suricata --list-runmodes
# Run with profiling
suricata -c suricata.yaml -i eth0 --profile-output=profile.txt
# Benchmark
suricatactl --simulate-ips
Integration
SIEM Integration
Send alerts to SIEM platforms:
# EVE JSON to syslog
outputs:
- eve-log:
enabled: yes
filetype: syslog
syslog:
facility: local0
format: '[{{ "timestamp": "@timestamp", "event_type": "{{event_type}}", "src_ip": "{{src_ip}}", "dest_ip": "{{dest_ip}}", "alert": "{{alert}}"} }]'
Elastic Stack Integration
# Filebeat configuration
filebeat.inputs:
- type: log
paths:
- /var/log/suricata/eve.json
json.keys_under_root: true
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
# Logstash configuration
input {
beats {
port => 5044
}
}
filter {
if [event_type] == "alert" {
mutate {
add_field => { "index_name" => "suricata-alerts" }
}
}
}
Logstash and Kibana
Create Kibana dashboards:
# Import Suricata dashboards
# Available from:
# https://github.com/jasonish/suricata-dashboard
Integration with Zeek
Combine Suricata with Zeek:
# Run both sensors
# Suricata: signature-based detection
# Zeek: behavioral analysis and logging
# Correlate alerts
# Common field: src_ip, dest_ip, timestamp
Eve.json Deep Dive
Understanding EVE Format
EVE JSON provides structured logging:
{
"timestamp": "2026-03-10T10:30:00.123456Z",
"event_type": "alert",
"src_ip": "192.168.1.100",
"src_port": 45678,
"dest_ip": "10.0.0.5",
"dest_port": 80,
"alert": {
"signature": "SQL Injection Attempt",
"category": "Attempted Administrator Privilege Gain",
"severity": 1,
"signature_id": 1000100
},
"http": {
"hostname": "example.com",
"url": "/admin/login.php",
"method": "GET"
}
}
Query Examples
# Extract alerts
jq 'select(.event_type == "alert")' eve.json
# Count by signature
jq -r '.alert.signature' eve.json | sort | uniq -c | sort -rn
# Filter by source IP
jq 'select(.src_ip == "192.168.1.100")' eve.json
# HTTP traffic analysis
jq 'select(.event_type == "http")' eve.json | jq '.http.url'
Tuning and Optimization
Reducing False Positives
# Create suppresspressions
suppress:
gen_id: 1, sig_id: 1000001, track: by_src, ip: 192.168.1.50
# Whitelist networks
allow-zeros: "10.0.0.0/8"
Threshold Configuration
# Rate limiting
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Rate Limited Request"; \
http.method; content:"GET"; \
threshold: type limit,track by_src,count 100,seconds 10; \
sid:1000300; rev:1;)
Performance Monitoring
# View stats
suricatactl stats
# Enable stats in config
outputs:
- stats:
enabled: yes
filename: stats.log
interval: 8
Troubleshooting
Common Issues
# No alerts
# Check: rules loaded, traffic reaching sensor, interface up
# High memory usage
# Fix: reduce memcap, increase threads
# Packet loss
# Fix: tune buffers, use PF_RING, disable offloading
Debug Mode
# Run single threaded
suricata -c /etc/suricata/suricata.yaml -i eth0 --single
# Verbose output
suricata -c /etc/suricata/suricata.yaml -i eth0 -v -vv
# Check config
suricata -c /etc/suricata/suricata.yaml --list-keywords
Rule Testing
# Test rules
suricata -c /etc/suricata/suricata.yaml -r test.pcap -l /tmp/
# Validate rules
suricata --rule-index /etc/suricata/rules/*.rules
Best Practices
Rule Management
# Keep rules updated
sudo suricata-update
# Enable ET Open rules
sudo suricata-update --enable-source et/open
# Enable Snort rules (register required)
sudo suricata-update --enable-source snort/vrt
Operational Procedures
# Monitor performance
watch -n 5 'suricatactl stats'
# Log rotation
# Configure in suricata.yaml
-eve-log:
filename: eve.json
rotate: yes
rotation-size: 100mb
Alert Response
# Alert response workflow
# 1. Identify alert in fast.log or EVE
# 2. Analyze full payload in EVE JSON
# 3. Extract PCAP if available
# 4. Determine if true/false positive
# 5. Tune rules or investigate further
External Resources
- Suricata Official Documentation - Complete reference
- Suricata Rules - Open ruleset
- Suricata Blog - Updates and tutorials
- OISF - Open Information Security Foundation
- Emerging Threats - Community rules
Conclusion
Suricata provides powerful network intrusion detection and prevention capabilities suitable for organizations of all sizes. Master rule writing, performance tuning, and integration techniques to build effective security monitoring that protects against modern threats. Combined with complementary tools like Zeek and NetworkMiner, Suricata forms the foundation of comprehensive network defense.
Comments