Complete list of Suricata Features

  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Offline analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing
  • Advanced integration with Linux Netfilter firewalling

  • Linux
  • FreeBSD
  • OpenBSD
  • macOS / Mac OS X
  • Windows

  • YAML config file — human and machine readable
  • well commented and documented
  • support for including other files

  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
    • VXLAN
    • Geneve
  • TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  • IP Defrag engine
    • target based reassembly

  • Support for packet decoding of
    • IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    • Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN, Geneve
  • App layer decoding of:
    • HTTP, HTTP/2, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP, RFB, MQTT
    • New protocols developed in the Rust language, for safe and fast decoding.

  • Stateful HTTP parser built on libhtp
  • HTTP transaction logger
  • File identification, extraction and logging
  • Per-server settings — limits, personality, etc.
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status and status code
    • host
    • request and response lines
    • decompress flash files
    • and many more

  • Protocol keywords
  • Multi-tenancy per vlan or capture device
  • xbits – flowbits extension
  • PCRE support
    • substring capture for logging in EVE
  • fast_pattern and prefilter support
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules without restarting Suricata
  • delayed rules initialization
  • Lua scripting for custom detection logic
  • Hyperscan integration
  • JA3/JA3S/HASSH matching

  • Eve log, all JSON alert and event output
  • Lua output scripts for generating your own output formats
  • Redis support
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Prelude support
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk, with deduplication in the v2 format
  • DNS request/reply logger, including TXT data
  • Signal-based log rotation
  • Flow logging
  • JA3/JA3S/HASSH logging

  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings

  • High performance capture
    • AF_PACKET
      • experimental eBPF and XDP modes available
    • PF_RING
    • NETMAP
  • Standard capture
    • PCAP
    • NFLOG (netfilter integration)
  • IPS mode
    • Netfilter-based (nfqueue) on Linux
      • fail open support
    • ipfw-based on FreeBSD and NetBSD
    • AF_PACKET-based on Linux
    • NETMAP
  • Capture cards and specialized devices
    • Endace
    • Napatech
    • Tilera

  • fully configurable threading — from single thread to dozens of threads
  • precooked “runmodes”
  • optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling

  • loading of large amounts of host-based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
  • supports CIDR ranges

  • match large amounts of IOCs against DNS, URI, and many more fields
  • can be updated over unix socket
  • hooks into any rule with ‘sticky buffers’

  • Suricata-Update for easy rule update management
  • Suricata-Verify for QA during development