Latest Release

Suricata (Stable) version is 6.0.3; released June 30th, 2021

Linux/Mac/FreeBSD/UNIX/Windows Source: suricata-6.0.3.tar.gz
PGP Signature: suricata-6.0.3.tar.gz.sig
Windows 64-bit installer: Suricata-6.0.1-2-64bit.msi
Ubuntu PPA channel for Suricata 6

 

Powerful, Flexible, and Open

The industry’s most powerful open source cybersecurity solution, at your service.

What started as an effective and flexible intrusion detection and prevention tool (IDS/IPS) has grown to add important protocol detection and Network Security Monitoring (NSM) capabilities.

With constant updates from our dedicated community, Suricata keeps pace with the needs of users, the sophistication of adversaries and the speed of today’s networks. Suricata combines a complete signature language to match known threats, policy violations and malicious behavior with the ability to also detect anomalies in the multi-gigabit traffic it inspects.

NSM: More than an IDS

Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.

TLS/SSL Logging and Analysis: Not only can you match against most aspects of an SSL/TLS exchange within the ruleset language thanks to Suricata’s TLS parser, you can also log every handshake (certificate subject, issuer and fingerprint, SNI, protocol version, JA3/JA3S fingerprints) for analysis. This is a good way to make sure your network is not the victim of a less than reputable certificate authority: the issuer of every certificate your hosts accept ends up in the log, where it can be compared against the authorities you actually expect to see.

HTTP Logging: Why add more hardware to your network just to log HTTP activity when your IDS already sees it? Suricata logs every HTTP transaction it detects, on any port, to file for later analysis.

DNS Logging: Suricata will log all DNS queries and responses.


IDS / IPS

Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

High Performance

A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi-threaded, modern, clean and highly scalable code base. Capture cards from several vendors are supported natively, and high-rate software capture is available through PF_RING and AF_PACKET.

Automatic Protocol Detection

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels: a command-and-control session on a non-standard port is still parsed, inspected and logged as HTTP.

Lua Scripting

Lua scripts provide advanced analysis and matching logic for cases that cannot be expressed within the ruleset syntax, and can also generate custom output formats.

Industry Standard Outputs

Our main logging output is called “Eve”, our all-JSON event and alert output. This allows easy integration with Logstash and similar tools.

Screenshots (captions only):

  • Scirius CE hunt mode: correlation showing a request with an executable file in the response.
  • Splunk Enterprise: a free Suricata app, made by Eric Leblond at Stamus Networks, is available in the Splunk store.
  • EveBox: Suricata’s Flow ID in action, correlating alerts, anomaly events and protocol data/NSM.
  • Alert and protocol/NSM data.
  • Kibana: application layer anomaly.
  • Kibana: file ID/transactions.
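As an added example (this is not code from the Suricata project or from this page), the following Python reads EVE JSON lines and performs the checks described in the NSM section above and in the EveBox flow-ID caption: it groups records by flow_id so an alert can be shown together with the HTTP transaction and the extracted file from the same flow, lists TLS handshakes whose certificate issuer is not on an allow-list, and lists HTTP transactions that protocol detection found on ports other than the usual HTTP ones. The EVE records, the TRUSTED_ISSUERS allow-list and the STANDARD_HTTP_PORTS set are constructed for the example; the field names (event_type, flow_id, http, tls, fileinfo, issuerdn) follow the EVE schema.

```python
# Added example, not Suricata project code: correlate EVE JSON records by flow_id
# and apply two NSM checks. Every record below is constructed for illustration.
import json
from collections import defaultdict

# Constructed EVE records. Flow 1001 carries an alert, its HTTP transaction and the
# extracted file; 1002 and 1006 are TLS handshakes; 1003 a DNS query; 1004 is HTTP
# that protocol detection found on port 8443. The last line is deliberately truncated.
EVE_LINES = [
    '{"timestamp":"2021-07-01T10:00:00.000000+0000","flow_id":1001,"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http",'
    '"alert":{"signature_id":2000001,"signature":"EXAMPLE exe download","severity":1}}',
    '{"timestamp":"2021-07-01T10:00:00.100000+0000","flow_id":1001,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,'
    '"http":{"hostname":"files.example","url":"/update.exe","http_method":"GET","status":200,'
    '"http_content_type":"application/octet-stream"}}',
    '{"timestamp":"2021-07-01T10:00:00.200000+0000","flow_id":1001,"event_type":"fileinfo",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,'
    '"fileinfo":{"filename":"/update.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows",'
    '"size":204800,"stored":true}}',
    '{"timestamp":"2021-07-01T10:00:01.000000+0000","flow_id":1002,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"198.51.100.9","dest_port":443,'
    '"tls":{"subject":"CN=login.example","issuerdn":"CN=Totally Legit CA","sni":"login.example","version":"TLS 1.2"}}',
    '{"timestamp":"2021-07-01T10:00:02.000000+0000","flow_id":1003,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,'
    '"dns":{"type":"query","rrname":"files.example","rrtype":"A"}}',
    '{"timestamp":"2021-07-01T10:00:03.000000+0000","flow_id":1004,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.44","dest_port":8443,'
    '"http":{"hostname":"192.0.2.44","url":"/gate.php","http_method":"POST","status":200}}',
    '{"timestamp":"2021-07-01T10:00:04.000000+0000","flow_id":1006,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"198.51.100.10","dest_port":443,'
    '"tls":{"subject":"CN=mail.example","issuerdn":"CN=Example Corporate Root CA","sni":"mail.example","version":"TLS 1.3"}}',
    '{"timestamp":"2021-07-01T10:00:05.000000+0000","flow_id":1007,"event_type":"flow"',
]

# Hypothetical allow-list of issuers this network expects, and the ports on which
# HTTP is considered unremarkable. Both are assumptions for the example.
TRUSTED_ISSUERS = {"CN=Example Corporate Root CA", "CN=Public Root CA"}
STANDARD_HTTP_PORTS = {80, 8080, 8000, 3128}


def parse_eve(lines):
    """Parse EVE JSON, one object per line; skip blank or corrupt lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def group_by_flow(events):
    """Index every record under its flow_id; Suricata stamps the same id on the
    alert, protocol and file records of one flow."""
    flows = defaultdict(list)
    for ev in events:
        flows[ev["flow_id"]].append(ev)
    return flows


def alert_context(events):
    """For each alert, return the HTTP and fileinfo records that share its flow_id."""
    flows = group_by_flow(events)
    out = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        siblings = [e for e in flows[ev["flow_id"]] if e is not ev]
        out.append({
            "flow_id": ev["flow_id"],
            "signature": ev["alert"]["signature"],
            "http": [e["http"] for e in siblings if e["event_type"] == "http"],
            "files": [e["fileinfo"] for e in siblings if e["event_type"] == "fileinfo"],
        })
    return out


def untrusted_tls_issuers(events, trusted):
    """(sni, issuer) of every TLS handshake whose certificate issuer is outside the allow-list."""
    return [
        (ev["tls"].get("sni"), ev["tls"].get("issuerdn"))
        for ev in events
        if ev["event_type"] == "tls" and ev["tls"].get("issuerdn") not in trusted
    ]


def http_on_unusual_ports(events, standard=STANDARD_HTTP_PORTS):
    """HTTP transactions seen on ports outside the usual set. Protocol detection is
    port-independent, so these are logged as HTTP like any other."""
    return [
        (ev["dest_ip"], ev["dest_port"], ev["http"].get("url"))
        for ev in events
        if ev["event_type"] == "http" and ev["dest_port"] not in standard
    ]


if __name__ == "__main__":
    evs = parse_eve(EVE_LINES)
    for ctx in alert_context(evs):
        print("alert", ctx["signature"], "flow", ctx["flow_id"], ctx["http"], ctx["files"])
    print("untrusted issuers:", untrusted_tls_issuers(evs, TRUSTED_ISSUERS))
    print("http on unusual ports:", http_on_unusual_ports(evs))
```

Feed it a real eve.json with `parse_eve(open("eve.json"))` instead of EVE_LINES; the truncated final line that a crashed or still-writing sensor leaves behind is skipped rather than aborting the run.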

Complete List of Suricata Features

  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Offline analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing
  • Advanced integration with Linux Netfilter firewalling

  • Linux
  • FreeBSD
  • OpenBSD
  • macOS / Mac OS X
  • Windows

  • YAML config file — human and machine readable
  • well commented and documented
  • support for including other files

  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
    • VXLAN
    • Geneve
  • TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  • IP Defrag engine
    • target based reassembly

  • Support for packet decoding of
    • IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    • Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN, Geneve
  • App layer decoding of:
    • HTTP, HTTP/2, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP, RFB, MQTT
    • New protocols developed in the Rust language, for safe and fast decoding.

  • Stateful HTTP parser built on libhtp
  • HTTP transaction logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status message and status code
    • host
    • request and response lines
    • decompression of SWF (Flash) files before inspection
    • and many more

  • Protocol keywords
  • Multi-tenancy per vlan or capture device
  • xbits – flowbits extension
  • PCRE support
    • substring capture for logging in EVE
  • fast_pattern and prefilter support
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules w/o restarting Suricata
  • delayed rules initialization
  • Lua scripting for custom detection logic
  • Hyperscan integration
  • JA3/JA3S/HASSH matching

  • Eve log, all JSON alert and event output
  • Lua output scripts for generating your own output formats
  • Redis support
  • HTTP request logging
  • TLS handshake logging
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Prelude support
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk, with deduplication in the v2 format
  • DNS request/reply logger, including TXT data
  • Signal based Log rotation
  • Flow logging
  • JA3/JA3S/HASSH logging

  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings
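An added set of example rules, not from this page and not from the Emerging Threats or VRT rulesets, showing how the detection keywords listed above combine in practice: HTTP sticky buffers, file matching with filemagic/filesize/filestore, xbits for state that outlives a single flow, and per-rule thresholding. The sids in the 9000000 range, the EXAMPLE message prefix and the xbit name exe_received are placeholders; $HOME_NET and $EXTERNAL_NET are the standard variables from suricata.yaml.

```text
# Added example rules (placeholder sids, not part of any distributed ruleset).

# 1. HTTP sticky buffers. The http protocol is selected by protocol detection, so
#    the rule fires on any port; http.uri is the normalized URI, nocase+endswith
#    constrain the content match to the extension.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE exe requested with scripted user-agent"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; http.user_agent; content:"python-requests"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)

# 2. File matching on the response. filemagic inspects the libmagic type of the
#    extracted file, filesize bounds it, filestore writes it to disk (and the EVE
#    fileinfo record reports stored:true). The xbit remembers the host pair for
#    five minutes without raising an alert of its own.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE PE file served over HTTP"; flow:established,to_client; filemagic:"PE32"; filesize:>4096; filestore; xbits:set,exe_received,track ip_pair,expire 300; classtype:bad-unknown; sid:9000002; rev:1;)

# 3. Cross-flow correlation through the xbit: a TLS session between the same host
#    pair while the bit is set. threshold type limit caps it at one alert per
#    source per minute so a noisy client does not flood the log.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS after PE download from same pair"; flow:established,to_server; xbits:isset,exe_received,track ip_pair; threshold:type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:9000003; rev:1;)
```

The threshold in the third rule is the per-rule form. Sensor-wide suppression and rate limiting (the global filtering listed above) go in threshold.config instead, using the same track by_src / count / seconds vocabulary, which lets an operator quiet a signature for one subnet without editing the rule.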

  • High performance capture
    • AF_PACKET
      • experimental eBPF and XDP modes available
    • PF_RING
    • NETMAP
  • Standard capture
    • PCAP
    • NFLOG (netfilter integration)
  • IPS mode
    • Netfilter based on Linux (nfqueue)
      • fail open support
    • ipfw based on FreeBSD and NetBSD
    • AF_PACKET based on Linux
    • NETMAP
  • Capture cards and specialized devices
    • Endace
    • Napatech

  • fully configurable threading — from single thread to dozens of threads
  • precooked “runmodes”
  • optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling

  • loading of large amounts of host-based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
  • supports CIDR ranges

  • match large numbers of IOCs against DNS, URI and many other fields
  • can be updated over the unix socket
  • works with any rule keyword that exposes a ‘sticky buffer’
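As an added example (not code from the Suricata project or from this page) of preparing the large IOC lists that datasets and the file-checksum keywords consume: the Python below turns a messy domain list into the load file of a `type string` dataset used from dns.query, and a hash list into the file behind a filesha256 keyword. The indicator lists are constructed and deliberately untidy (mixed case, trailing dots, whitespace, a duplicate, junk entries); the dataset name bad-domains, the file names and the sids are placeholders. It relies on two facts about the file formats: string datasets store one base64-encoded value per line, and hash lists store one lowercase hex digest per line.

```python
# Added example, not Suricata project code: build the load file for a dns.query
# string dataset and a filesha256 hash list from constructed IOC lists.
import base64
import hashlib
import re

# Constructed indicator lists (not real IOCs). The empty-file digest stands in
# for a sample's hash so the example has a known-good value.
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()
BAD_DOMAINS = ["C2.Example", "update-files.example.", "  dropzone.example\n",
               "c2.example", "not a domain!"]
BAD_FILE_HASHES = [EMPTY_FILE_SHA256.upper(), "deadbeef"]

HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def normalize_domain(raw):
    """Lower-case, strip whitespace and the trailing dot, reject junk.

    A dataset lookup is an exact comparison of the buffer bytes, so entries must
    be written in the form the dns.query buffer will carry.
    """
    name = raw.strip().lower().rstrip(".")
    return name if HOSTNAME_RE.match(name) else None


def string_dataset_lines(values, normalize=normalize_domain):
    """Lines of a `type string` dataset file: one base64-encoded value per line,
    duplicates removed. Base64 is the encoding Suricata expects for string sets."""
    seen, lines = set(), []
    for value in values:
        name = normalize(value)
        if name is None or name in seen:
            continue
        seen.add(name)
        lines.append(base64.b64encode(name.encode("utf-8")).decode("ascii"))
    return lines


def decode_string_dataset(lines):
    """Inverse of string_dataset_lines, for inspecting an existing dataset file."""
    return [base64.b64decode(line).decode("utf-8") for line in lines]


def sha256_list_lines(hashes):
    """Lines of a filesha256 hash list: 64 lowercase hex characters per line.
    Malformed entries are dropped here rather than silently never matching."""
    return [h for h in (x.strip().lower() for x in hashes)
            if re.fullmatch(r"[0-9a-f]{64}", h)]


# Rules that consume the two files (sids 9000010/9000011 are placeholders). The
# load path is resolved relative to the rule file unless given absolutely.
RULES = [
    'alert dns any any -> any any (msg:"EXAMPLE DNS query for listed domain"; '
    'dns.query; dataset:isset,bad-domains,type string,load bad-domains.lst; '
    'classtype:trojan-activity; sid:9000010; rev:1;)',
    'alert http any any -> any any (msg:"EXAMPLE file with listed SHA-256"; '
    'flow:established,to_client; filesha256:bad-files.lst; filestore; '
    'classtype:trojan-activity; sid:9000011; rev:1;)',
]


def write_lines(path, lines):
    """Write one entry per line, newline-terminated, as both file formats expect."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    write_lines("bad-domains.lst", string_dataset_lines(BAD_DOMAINS))
    write_lines("bad-files.lst", sha256_list_lines(BAD_FILE_HASHES))
    write_lines("example.rules", RULES)
    print("\n".join(RULES))
```

Because dataset matching is exact, normalisation belongs in the pipeline that produces the file, not in the rule: an upper-case label in the list would never match a lower-case query. The same base64 form is what goes over the unix socket when an entry is added to a running sensor without a reload.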

  • Suricata-Update for easy rule update management
  • Suricata-Verify for QA during development