Complete list of Suricata Features
- Network Intrusion Detection System (NIDS) engine
- Network Intrusion Prevention System (NIPS) engine
- Network Security Monitoring (NSM) engine
- Offline analysis of PCAP files
- Traffic recording using pcap logger
- Unix socket mode for automated PCAP file processing
- Advanced integration with Linux Netfilter firewalling
- Linux
- FreeBSD
- OpenBSD
- macOS / Mac OS X
- Windows
- YAML config file — human and machine readable
- well commented and documented
- support for including other files
- Scalable flow engine
- Full IPv6 support
- Tunnel decoding
  - Teredo
  - IP-IP
  - IP6-IP4
  - IP4-IP6
  - GRE
  - VXLAN
  - Geneve
- TCP stream engine
  - tracking sessions
  - stream reassembly
  - target based stream reassembly
- IP Defrag engine
- Support for packet decoding of
  - IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
  - Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN, Geneve
- App layer decoding of:
  - HTTP, HTTP/2, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP, RFB, MQTT
- New protocols developed in the Rust language, for safe and fast decoding.
- Stateful HTTP parser built on libhtp
- HTTP transaction logger
- File identification, extraction and logging
- Per server settings — limits, personality, etc
- Keywords to match on (normalized) buffers:
  - uri and raw uri
  - headers and raw headers
  - cookie
  - user-agent
  - request body and response body
  - method, status and status code
  - host
  - request and response lines
  - decompress flash files
  - and many more
- Protocol keywords
- Multi-tenancy per vlan or capture device
- xbits – flowbits extension
- PCRE support
- substring capture for logging in EVE
- fast_pattern and prefilter support
- Rule profiling
- File matching
  - file magic
  - file size
  - file name and extension
  - file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
- multiple pattern matcher algorithms that can be selected
- extensive tuning options
- live rule reloads — use new rules w/o restarting Suricata
- delayed rules initialization
- Lua scripting for custom detection logic
- Hyperscan integration
- JA3/JA3S/HASSH matching
- Eve log, all JSON alert and event output
- Lua output scripts for generating your own output formats
- Redis support
- HTTP request logging
- TLS handshake logging
- Unified2 output — compatible with Barnyard2
- Alert fast log
- Alert debug log — for rule writers
- Traffic recording using pcap logger
- Prelude support
- syslog — alert to syslog
- stats — engine stats at fixed intervals
- File logging including MD5 checksum in JSON format
- Extracted file storing to disk, with deduplication in the v2 format
- DNS request/reply logger, including TXT data
- Signal based Log rotation
- Flow logging
- JA3/JA3S/HASSH logging
- per rule alert filtering and thresholding
- global alert filtering and thresholding
- per host/subnet thresholding and rate limiting settings
- High performance capture
  - AF_PACKET
    - experimental eBPF and XDP modes available
  - PF_RING
  - NETMAP
- Standard capture
  - PCAP
  - NFLOG (netfilter integration)
- IPS mode
  - Netfilter based on Linux (nfqueue)
  - ipfw based on FreeBSD and NetBSD
  - AF_PACKET based on Linux
  - NETMAP
- Capture cards and specialized devices
- fully configurable threading — from single thread to dozens of threads
- precooked “runmodes”
- optional CPU affinity settings
- Use of fine grained locking and atomic operations for optimal performance
- Optional lock profiling
- loading of large amounts of host-based reputation data
- matching on reputation data in the rule language using the “iprep” keyword
- live reload support
- supports CIDR ranges
- match large amounts of IOCs against DNS, URI, and many more fields
- can be updated over unix socket
- hooks into any rule with ‘sticky buffers’
- Suricata-Update for easy rule update management
- Suricata-Verify for QA during development