What is Suricata

This is the first of a series of blog posts covering what Suricata is, and DOs and DONTs. If you’re new to our engine, this is a great place to get started. Already familiar with Suricata? You may learn of new use cases. Do you want to introduce Suricata to someone? Do share this one!

Written by Peter Manev.

Suricata is a high-performance, open-source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.

Suricata started its road to helping security and blue teams 14 years ago as a native multithreaded Intrusion Detection/Prevention System (IDS/IPS) and since then has been constantly evolving and improving thanks to a generous, active community and past and present consortium members‘ effort.

Currently, Suricata is used by a variety of commercial vendors and open-source projects, from on-prem deployments to cloud providers like AWS and others.

There are 5 main modes of operation and data generation that Suricata does or is used for:

IDS  – Intrusion Detection System (default)

In this mode of operation, Suricata generates security events (alerts) based on the traffic inspection by signatures (rules), IoC matching (ex: hashes/domains/URLs/TLS/SSH fingerprints etc.), and/or Lua scripting. This mode is the least verbose in terms of log volume generation.

IPS – Intrusion Prevention System

This mode of operation is very similar to the above in terms of log volume and traffic inspection. The major difference is that Suricata actively stops (drops) or allows traffic based on the network inspection outcome. In other words, it is not a passive sniffer but rather it is deployed inline.

NSM – Network Security Monitoring System (default)

In this mode of operation, Suricata generates logs for any and all protocols, file transactions, file extraction, anomaly and flow logs without any matching or inspection. It does not need signatures to operate. This mode is the most verbose in terms of log volume.

FPC – Full packet Capture

In this mode of operation, Suricata generates unconditional full packet capture of the traffic it inspects. This mode naturally requires a lot of storage.

Conditional PCAP capture

This mode of operation is a subset of the FPC described above that generates deduplicated full session/flow pcap capture for any alert. In other words: all alerts are accompanied by a full session pcap of the flow that triggered the alert.

FW – Firewall

In this mode of operation, Suricata is used as a firewall. There are some community members that actively use Suricata as a firewall in the cloud, for example, AWS.

Which mode should you run?

Depends on what your needs and requirements are. 

The most common mode is the default: A combination of IDS plus NSM. This ensures alerts are accompanied by any and all protocol, flow, file transaction/file extraction, anomaly, and flow logs – so you have all the information needed to make a fast/informed decision, gather visibility, or gauge the health of your network.

If you are unsure, you are mostly welcome to consult our documentation https://docs.suricata.io/en/latest/, join our forum at https://forum.suricata.io or chat with us in our Suricata Discord server discord.gg/t3rV2x7MrG. There you can get feedback and also chat live with many experienced members of our community.