suricata.ximg.app

What is Suricata

Suricata is a high-performance, open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It operates as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), or Network Security Monitoring (NSM) platform.

It inspects network traffic in real time — parsing dozens of application-layer protocols, matching signatures, running Lua scripts, and writing rich EVE JSON logs — all without dropping packets at multi-gigabit speeds using multi-threaded workers.

Modes of Operation

IDS (Intrusion Detection)

Passive mode. Reads a copy of traffic via SPAN port or tap. Generates alerts; does not block. Zero risk to production traffic. Use --af-packet or pcap input.

IPS (Intrusion Prevention)

Inline mode via Linux NFQ or AF_PACKET. Actively drops or rejects packets matching rules. Requires kernel netfilter integration with NFQUEUE or a network bridge.

NSM (Network Security Monitoring)

Full metadata logging: DNS queries, HTTP transactions, TLS certificates, file extraction, flow records. Invaluable for forensic investigation even without signature hits.

Offline PCAP Analysis

Feed any .pcap file for post-incident analysis. Suricata parses it and generates the same EVE JSON output as live capture.

Architecture

Packet Capture

AF_PACKET (Linux), DPDK, PF_RING, PCAP, NFQ. Multi-threaded capture workers bind to individual CPU cores.

Stream Reassembly

TCP session tracking and stream reassembly into ordered byte streams before application-layer parsing begins.

App-Layer Parsers

Protocol decoders for HTTP/2, TLS, DNS, FTP, SMB, SMTP, SSH, DCERPC, NFS, and 20+ others — all built-in.

Detection Engine

Multi-pattern matching (Aho-Corasick / hyperscan) over signatures. Lua scripting for custom logic. Threshold and suppress controls.

File Extraction

Extract files from HTTP, SMTP, FTP, SMB. Hash with MD5/SHA1/SHA256, submit to YARA or external threat intel.

Outputs

EVE JSON (unified log), fast.log (alerts), pcap recording, Syslog, Unix socket, Redis, Kafka. All configurable per event type.

Rule Structure

# action proto src_ip src_port direction dst_ip dst_port (options) alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"ET MALWARE Suspicious User-Agent"; flow:established,to_server; http.user_agent; content:"MalBot/1.0"; sid:9000001; rev:1; ) drop tcp any any -> $HOME_NET 22 ( msg:"Block SSH brute force"; flow:to_server,established; threshold:type both,track by_src,count 5,seconds 60; sid:9000002; rev:1; ) pass dns $DNS_SERVERS any <> any 53 ( msg:"Allow trusted DNS"; sid:9000003; rev:1; )

Actions

alert

Generate an alert and log the packet. Default for IDS. Does not affect traffic flow.

drop

Drop the packet (IPS inline mode only). No RST is sent; connection silently fails from the perspective of the sender.

reject

Drop packet and send TCP RST (client) or ICMP unreachable (UDP). Actively terminates the connection.

pass

Stop evaluating rules for this packet. Useful for whitelisting trusted sources before a broad deny rule.

rejectsrc / rejectdst

Send RST/ICMP only to the source or destination respectively. Fine-grained inline rejection.

rejectboth

Send RST/ICMP to both endpoints simultaneously.

Protocols

tcp / udp / icmp

Transport layer matching. any matches all three.

http / http2

Application-layer HTTP(S) after TLS decryption. Enables http.* sticky buffers.

tls / ssl

TLS handshake metadata: SNI, JA3/JA3S fingerprints, certificate fields.

dns

DNS queries and responses. Match on query type, name, RRTYPE, answer data.

smtp / ftp / ssh

Application parsers for email, file transfer, and secure shell sessions.

smb / nfs / dcerpc

Windows file sharing and RPC. Detect lateral movement, ransomware activity.

Variables (suricata.yaml)

$HOME_NET

Your internal network ranges. Default: RFC1918 space. Override in vars section.

$EXTERNAL_NET

Everything that is not $HOME_NET. Usually !$HOME_NET.

$HTTP_SERVERS

Addresses of your web servers. Enables server-side HTTP rule targeting.

$SQL_SERVERS

Database server addresses for SQL injection and exfil detection rules.

$DNS_SERVERS

Trusted DNS resolvers. Used in pass rules to exempt legitimate traffic.

$SMTP_SERVERS

Mail server addresses for phishing and malware delivery detection.

Common Rule Options

msg:"text"

Human-readable alert message. Required in every rule.

sid:NNNNNN

Unique rule signature ID. Required. Range 1–9999999 reserved; use 9000000+ for local rules.

rev:N

Rule revision number. Increment on every change to track versions.

classtype:type

Alert classification (e.g. trojan-activity, policy-violation, web-application-attack).

priority:1-255

Alert priority. 1=highest. Overrides classtype default. Shown in EVE JSON as alert.severity.

metadata:k v, ...

Arbitrary key-value tags for rule management. Used by rule sets for affected-product, attack-target, etc.

reference:url,...

Link to CVE, threat intel, or documentation for the detected pattern.

noalert

Suppress alert generation. Used with filestore or flowbits to log/extract without alerting.

Content Matching

content

content:"GET"; content:"|0d 0a|";

Match literal bytes or hex sequences. The primary payload matching keyword. Case-sensitive by default.

nocase

content:"evil"; nocase;

Make the preceding content match case-insensitively.

pcre

pcre:"/evil[0-9]+/i";

Perl-Compatible Regular Expression. Flexible but slower than content. Use content first to anchor.

offset / depth

offset:0; depth:10;

offset: start searching at byte N. depth: only search within first N bytes from start.

distance / within

distance:1; within:20;

Relative to previous match. distance: skip N bytes after last match. within: must match within N bytes.

rawbytes

rawbytes;

Match against raw un-normalized bytes, bypassing any protocol normalization applied by app-layer parsers.

Sticky Buffers (HTTP)

http.uri

http.uri; content:"/shell";

Normalized request URI (decoded, no query string). Most common web attack keyword.

http.uri.raw

http.uri.raw; content:"%2e%2e";

Raw, percent-encoded URI. Catches encoding evasion that normalization would miss.

http.method

http.method; content:"PUT";

Match on HTTP request method (GET, POST, PUT, DELETE, PROPFIND, etc.).

http.user_agent

http.user_agent; content:"curl";

Match the User-Agent header value. Common for detecting scanners and malware beacons.

http.host

http.host; content:"evil.io";

The HTTP Host header. Detect C2 domain communication and phishing redirectors.

http.request_body

http.request_body; content:"passwd";

POST/PUT body content. Match data exfil or credential harvesting payloads.

http.response_body

http.response_body; content:"<iframe";

Server response body. Detect drive-by download injection, web skimming, etc.

http.stat_code

http.stat_code; content:"200";

HTTP status code from response. Match on 200, 401, 403, 500, etc.

Flow & State

flow

flow:established,to_server;

Match on flow direction and TCP state. Keywords: established, to_client, to_server, not_established.

flowbits

flowbits:set,malware.stage1;

Set, check, or clear boolean flags on a flow. Chain rules across multiple packets or stages.

flowint

flowint:req.count,+,1;

Integer counters per flow. Useful for counting failed logins, requests per minute, etc.

threshold

threshold:type limit,track by_src,count 5,seconds 60;

Rate-limit alert generation or trigger only after N occurrences. Types: limit, both, threshold.

detection_filter

detection_filter:track by_src,count 10,seconds 30;

Suppress match until threshold is reached. Unlike threshold, is part of the detection phase, not output.

flags

flags:S; flags:PA+;

Match specific TCP flags. S=SYN, A=ACK, P=PUSH, F=FIN, R=RST. Useful for detecting SYN floods.

TLS / JA3

tls.sni

tls.sni; content:"evil.io";

TLS SNI (Server Name Indication) in the ClientHello. Visible even in encrypted traffic.

ja3.hash

ja3.hash; content:"51c64c77e60f3980eea90869b68c58a8";

JA3 fingerprint of TLS ClientHello parameters. Identifies specific TLS clients/malware families.

ja3s.hash

ja3s.hash; content:"...";

JA3S fingerprint of TLS ServerHello. Detect specific server-side TLS configurations and C2 servers.

tls.cert_subject

tls.cert_subject; content:"CN=evil";

Match on TLS certificate subject field. Useful for self-signed cert detection and pinning.

Application Protocol Parsers

HTTP / HTTP2

Full request/response parsing. Decodes chunked encoding, gzip bodies, URI normalization. Enables sticky buffers for method, URI, headers, cookies, body.

http.urihttp.method http.hosthttp.user_agent http.request_bodyhttp.response_body http.stat_codehttp.cookie

TLS / SSL

Parses handshake metadata without decryption. Extracts SNI, cipher suites, certificate chains, ALPN, and computes JA3/JA3S fingerprints.

tls.snitls.cert_subject tls.cert_issuertls.version ja3.hashja3s.hash

DNS

Query and response inspection. Match on domain name, record type (A, AAAA, MX, TXT, CNAME), answer data. Detect DGA, DNS tunneling, malware C2.

dns.querydns.answer dns.rrtypedns.rcode dns.query.name

SSH

Protocol version and banner inspection. Detect unauthorized software, brute-force attempts, and malicious SSH clients by version string.

ssh.protossh.software ssh.hasshssh.hassh.server

SMTP

Mail command inspection. Match on MAIL FROM, RCPT TO, HELO/EHLO banner, and message headers. Detect phishing, spam relaying, and malware delivery.

smtp.mail_fromsmtp.rcpt_to smtp.helo

SMB

Windows file sharing. Detect EternalBlue exploitation (MS17-010), ransomware lateral movement, credential relay attacks, and unauthorized file access.

smb.named_pipesmb.share smb.versionsmb.command

FTP

Command and data channel inspection. Match on FTP commands (USER, PASS, RETR, STOR), filenames, and banners for credential harvesting and file exfil detection.

ftp.commandftp.data ftpdata.command

NFS / DCERPC

Network File System and Windows RPC parser. Detect reconnaissance, exploitation of RPC services, and unauthorized NFS mount attempts.

nfs.proceduredcerpc.iface dcerpc.opnumdcerpc.stub_data

Threat Detection Use Cases

Threat	Protocol	Detection Approach
C2 Beaconing	HTTP/TLS	Match known bad User-Agents, JA3 hashes, or SNI domains. Use threshold to catch periodic beacons.
DNS Tunneling	DNS	Long subdomain queries, high query frequency, non-standard record types (TXT/NULL) carrying data.
SQLi / XSS	HTTP	Match attack payloads in http.uri, http.request_body using content keywords or PCRE patterns.
EternalBlue	SMB	Existing ET rules (ET:2026547) match the specific SMB_COM_TRANSACTION2 exploit negotiation sequence.
Port Scanning	TCP	SYN flag match + detection_filter tracking by_src across many destination ports in a short window.
Brute Force	SSH/FTP	Flow direction + detection_filter counting connection attempts per source IP within a time window.
Malware Download	HTTP	Match PE magic bytes (MZ/\|4D 5A\|) in http.response_body; use filestore to extract and hash files.
Data Exfil	HTTP/DNS	Large POST bodies to external IPs, unusual DNS TTLs, high-entropy subdomain labels.

EVE JSON — Unified Log Format

EVE JSON (/var/log/suricata/eve.json) is Suricata's primary output. Every event — alerts, flows, DNS, HTTP, TLS, files — is emitted as a JSON object on one line. Each event has a event_type field distinguishing its schema.

event_type: alert Sev 1

timestamp, src_ip, dest_ip,
alert.signature, alert.sid,
alert.severity, alert.category,
proto, flow_id, payload_printable

event_type: flow

src_ip, dest_ip, proto,
flow.pkts_toserver, flow.pkts_toclient,
flow.bytes_toserver, flow.bytes_toclient,
flow.start, flow.end, app_proto

event_type: dns

dns.type (query/answer),
dns.rrname, dns.rrtype,
dns.rcode, dns.ttl,
dns.rdata, dns.id

event_type: http

http.hostname, http.url,
http.http_method, http.status,
http.http_user_agent,
http.length, http.protocol

event_type: tls

tls.subject, tls.issuerdn,
tls.sni, tls.version,
tls.ja3.hash, tls.ja3s.hash,
tls.notbefore, tls.notafter

event_type: fileinfo

fileinfo.filename, fileinfo.size,
fileinfo.md5, fileinfo.sha256,
fileinfo.magic, fileinfo.stored,
fileinfo.gaps, fileinfo.state

event_type: ssh

ssh.client.proto_version,
ssh.client.software_version,
ssh.server.proto_version,
ssh.hassh.hash, ssh.hassh.server.hash

event_type: smtp

smtp.mail_from,
smtp.rcpt_to[],
smtp.helo,
email.from, email.to[]

Other Log Files

fast.log

One-line alert summary. Legacy format; use EVE JSON for production pipelines.

stats.log

Periodic internal performance counters: packets/s, drops, decoder errors, rule matches.

suricata.log

Engine startup, shutdown, rule loading, and error messages. Check here when rules fail to load.

http.log

Legacy HTTP log. One HTTP request per line. EVE JSON http events are richer.

tls.log

TLS session metadata. Certificate SNI and fingerprints. Useful for quick grep-based analysis.

SIEM Integration

Elasticsearch / Kibana

Use Filebeat with the Suricata module. EVE JSON maps cleanly to ECS fields. Kibana dashboards available out-of-box.

Splunk

Suricata TA on Splunkbase. JSON sourcetype auto-parses EVE fields. Security Essentials app has pre-built alerts.

Grafana / Loki

Promtail ships EVE JSON to Loki. Use LogQL to filter by event_type. Prometheus metrics via stats.log export.

Redis / Kafka

Native EVE output plugins for Redis LPUSH and Kafka producer. Zero-copy streaming to distributed pipelines.

suricata — Engine Commands

suricata -c /etc/suricata/suricata.yaml -i eth0

Start Suricata in IDS mode reading live traffic from interface eth0.

suricata -c suricata.yaml -r capture.pcap

Offline PCAP analysis. Process a packet capture file and write EVE JSON output.

suricata --af-packet=eth0 -D

Run in AF_PACKET mode as a daemon. More efficient than basic PCAP for high-throughput environments.

suricata -T -c suricata.yaml

Test configuration and rule files for syntax errors. Exits with 0 on success; useful in CI pipelines.

suricata -S local.rules -r test.pcap

Load only a specific rules file (disable suricata.yaml rule-files). Great for testing individual rules.

suricata --list-app-layer-protos

Print all supported application-layer protocol parsers compiled into this build.

suricata --list-keywords

List all detection keywords available in this build (including Lua scripting support).

suricata --build-info

Print version, compile flags, and which optional features (Hyperscan, DPDK, etc.) are enabled.

suricata-update — Rule Management

suricata-update

Download and install all configured rule sources. Merges, deduplicates, and writes final rules.rules.

suricata-update list-sources

Show all available rule providers (ET Open, ET Pro, PTRESEARCH, Stamus, abuse.ch, etc.).

suricata-update enable-source et/open

Add Emerging Threats Open ruleset as a source. Free, community-maintained, updated daily.

suricata-update enable-source etpro/etpro --secret-code KEY

Enable ET Pro (commercial). Faster signatures, lower false positives, additional threat coverage.

suricata-update list-enabled-sources

List currently enabled rule sources and their last update timestamps.

suricata-update --disable-conf disable.conf

Suppress specific SIDs or entire categories. Pass a file listing SIDs or regex patterns to disable.

suricata-update --reload-command "kill -USR2 $(cat /run/suricata.pid)"

After updating rules, send USR2 signal to reload without restart. Zero-downtime rule refresh.

Runtime Control (Unix Socket)

suricatasc -c iface-list

List active capture interfaces and per-interface packet counters.

suricatasc -c ruleset-reload-rules

Hot-reload signatures without restarting the engine. Equivalent to SIGUSR2.

suricatasc -c dump-counters

Dump all internal performance counters as JSON to stdout. Useful for monitoring scripts.

suricatasc -c pcap-file -a '{"filename":"x.pcap"}'

Submit a PCAP file for analysis while the engine is running in offline PCAP server mode.

kill -USR2 $(cat /run/suricata.pid)

POSIX signal to trigger a rule reload. USR2 = reload rules. USR1 = rotate log files.

kill -HUP $(cat /run/suricata.pid)

SIGHUP: reload configuration. May cause a brief interruption; prefer USR2 for rule-only reloads.

Useful Queries on EVE JSON

jq 'select(.event_type=="alert")' eve.json

Filter alert events only from the EVE log stream.

jq '.alert.signature_id' eve.json | sort | uniq -c | sort -rn

Count and rank triggered rule SIDs by frequency.

jq 'select(.event_type=="dns") | .dns.rrname' eve.json | sort | uniq -c

Summarize all DNS queries seen. Useful for spotting DGA or unusual domains.

jq 'select(.event_type=="tls") | .tls.sni' eve.json | sort -u

List all unique TLS SNI values observed. Enumerate encrypted connections by destination.

jq 'select(.event_type=="fileinfo") | {file:.fileinfo.filename,sha256:.fileinfo.sha256}' eve.json

Extract filenames and SHA256 hashes of files observed transiting the network.

Suricata vs Snort — At a Glance

Snort (1998, Sourcefire/Cisco) and Suricata (2009, OISF) share the same rule language roots but diverge significantly in architecture, performance, and capability. For most new deployments, Suricata is the default choice — but Snort 3 has closed many historical gaps.

Head-to-Head Comparison

Feature	Suricata	Snort 3
First release	2009 (OISF)	1998 (Sourcefire → Cisco)
Threading model	Native multi-thread — one worker per CPU core, scales linearly to 10–100 Gbps	Multi-thread since Snort 3 (2021); single-thread in legacy Snort 2
Rule language	Superset of Snort rules. Adds sticky buffers, `http.` keywords, `tls.`, `dns.`, `ja3.`, flowint, datasets	Snort 3 rewrote rule syntax; adds its own sticky buffers. Not fully backward-compatible with Snort 2
Snort rule compatibility	Runs most Snort 2 rules unmodified. ET Open rules ship for both	Snort 3 broke some Snort 2 syntax; migration tool available
App-layer parsers	Built-in: HTTP/2, TLS, DNS, SMB, FTP, SSH, SMTP, NFS, DCERPC, SIP, MODBUS, DNP3, and more	HTTP, DNS, TLS, FTP, SMB, SIP via plugins. Fewer built-in; extensible via Lua/C++ plugins
TLS inspection	JA3/JA3S fingerprinting, SNI, cert fields — all built-in, zero config	JA3 available via plugin. SNI inspection supported in Snort 3
Output formats	EVE JSON (rich unified log), fast.log, pcap, Redis, Kafka, Unix socket, Syslog	Unified2 (legacy binary), JSON alert output. EVE-style JSON not native — use Barnyard2 or plugins
File extraction	Native: HTTP, SMTP, FTP, SMB. MD5/SHA1/SHA256 hashing, YARA integration	File inspection via preprocessors. Less seamless than Suricata's built-in pipeline
Packet capture	AF_PACKET, DPDK, PF_RING, PCAP, NFQ (inline IPS)	PCAP, DAQ abstraction layer (AF_PACKET, NFQ, DPDK via DAQ plugins)
IPS inline mode	NFQ and AF_PACKET XDP inline — drop/reject/pass in production traffic	NFQ and DAQ-based inline. Equivalent capability, slightly more config overhead
Scripting	Lua scripting for custom detection logic (luajit). Datasets for bulk IP/domain lookups	Snort 3 is plugin-based (C++/Lua). More extensible at the core level
Rule sets	ET Open (free), ET Pro (commercial), Abuse.ch, PTRESEARCH, Stamus, custom — via suricata-update	Talos Intelligence (Cisco) — industry's largest commercial ruleset, included with Snort subscription
SIEM integration	EVE JSON → Elastic (native module), Splunk TA, Grafana/Loki, Kafka pipelines	Unified2 requires Barnyard2 bridge. Snort 3 JSON output improving but less mature ecosystem
Performance ceiling	100 Gbps+ with DPDK/PF_RING on multi-core hardware	Competitive with Snort 3 multi-thread, but DPDK support lags
License	GPLv2 (engine), MIT (libraries). OISF-governed, vendor-neutral	GPLv2 but commercially controlled by Cisco. Talos rules are proprietary
Governance	Open Information Security Foundation (OISF) — community + corporate members	Cisco/Talos. Community edition free; Pro features behind subscription
Maturity / community	Dominant in open-source deployments. Default in Security Onion, Elastic SIEM, Stamus	Older, larger install base historically. Talos ruleset unmatched for enterprise depth

Rule Syntax Differences

Sticky buffers — Suricata

          http.uri; content:"/admin";

          http.user_agent; content:"curl";

          tls.sni; content:"evil.io";

          dns.query; content:"malware";

Content modifiers — Snort 2

          content:"/admin"; http_uri;

          content:"curl"; http_header;

          content:"evil.io"; ssl_state:client_hello;

          # modifier goes after content

Suricata-only keywords

          ja3.hash; ja3s.hash;

          flowint:counter,+,1;

          dataset:isset,bad-ips;

          filesha256:malware.list;

Snort 3 sticky buffers

          http_uri; content:"/admin";

          http_header; content:"curl";

          # Snort 3 adopted sticky buffer

          # style, similar to Suricata

When to Choose Each

Choose Suricata when…

You need multi-gigabit throughput on commodity hardware. You want EVE JSON feeding into Elastic/Splunk/Kafka. You need JA3 fingerprinting, file extraction, or flow metadata without add-ons. You prefer vendor-neutral open governance. You're deploying on Security Onion, Elastic SIEM, or Stamus Networks.

Choose Snort when…

You have a Cisco/Talos subscription and want the deepest commercial ruleset available. You're already running Firepower/FTD (Snort is the embedded engine). Your team has deep Snort 2 expertise and an existing Snort 2 rule library. You need Cisco TAC support for your IDS.

Quick Facts

	Suricata	Snort
Created by	OISF (Open Information Security Foundation)	Martin Roesch at Sourcefire (now Cisco)
Written in	C (engine), Lua (scripting)	C (Snort 2), C++ (Snort 3)
Latest stable	Suricata 7.x (2024)	Snort 3.x / Snort 2.9.x (legacy)
Default in	Security Onion, pfSense (option), OPNsense (option)	Cisco Firepower, pfSense (option), OPNsense (option)
Shared rule format	Yes — ET Open rules published for both engines

Suricata IDS/IPS