All features

Complete list of Suricata Features

Engine

  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Offline analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing

Operating System Support

  • Linux
  • FreeBSD
  • OpenBSD
  • Mac OS X
  • Windows

Configuration

  • YAML config file — human and machine readable
  • well commented and documented
  • support for including other files

TCP/IP engines

  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
  • TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  • IP Defrag engine
    • target based reassembly

Protocol parsers

  • Support for packet decoding of
    • IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    • Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ
  • App layer decoding of:
    • HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH, DNS

HTTP engine

  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status and status code
    • host
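Why the engine exposes both a normalized and a raw URI buffer is easiest to see on concrete requests. The following is an added example written for this page, not libhtp or Suricata code: normalize_uri() applies a small subset of the normalizations a stateful HTTP parser performs (percent-decoding, backslash to slash, removal of empty and "." segments, resolution of "..") and is an approximation, not a description of libhtp's exact algorithm; the sample URIs are constructed.

```python
"""Added illustration of normalized vs raw HTTP URI buffers (not Suricata code)."""
from urllib.parse import unquote


def normalize_uri(raw: str) -> str:
    """Return a normalized form of a raw request URI (approximation of libhtp)."""
    path, sep, query = raw.partition("?")
    path = unquote(path).replace("\\", "/")   # %61 -> a, %2e -> ., \ -> /
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):        # drop '//' and '/./'
            continue
        if seg == "..":             # resolve '/x/../'
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    trailing = "/" if path.endswith("/") and segments else ""
    return "/" + "/".join(segments) + trailing + (sep + query if sep else "")


def content_match(buffer: str, content: str, nocase: bool = True) -> bool:
    """Substring match, the way a plain content keyword matches a buffer."""
    if nocase:
        return content.lower() in buffer.lower()
    return content in buffer


# Constructed request URIs that all resolve to the same resource on the server.
SAMPLES = [
    "/admin/config.php",
    "/%61dmin/config.php",        # percent-encoded 'a'
    "/admin/x/../config.php",     # '..' hides the literal path
    "/admin//config.php",         # doubled slash
    "/./admin/./config.php",      # '.' segments
]


def evaluate(samples, content: str = "/admin/config.php"):
    """For each raw URI, report (matches raw buffer, matches normalized buffer)."""
    return {s: (content_match(s, content),
                content_match(normalize_uri(s), content)) for s in samples}


if __name__ == "__main__":
    for uri, (raw_hit, norm_hit) in evaluate(SAMPLES).items():
        print(f"{uri:28} raw={raw_hit!s:5} normalized={norm_hit}")
    # The reverse case: an encoded traversal is only visible in the raw buffer.
    print(evaluate(["/admin/%2e%2e/config.php"], content="%2e%2e/"))
```

A content match on the normalized buffer catches all five encodings of the same path, while only the first one hits the raw buffer; a rule looking for the encoded "%2e%2e/" itself must use the raw buffer, because normalization resolves it away.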

Detection engine

  • Protocol keywords
  • PCRE support
  • fast_pattern
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules without restarting Suricata
  • delayed rules initialization
  • CUDA GPU acceleration for pattern matching
  • Lua scripting

Outputs

  • Eve log, all JSON alert and event output
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Pcap info — for integration into wireshark via suriwire
  • Prelude support
  • drop log — netfilter style log of dropped packets in IPS mode
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk
  • DNS request/reply logger

Alert/Event filtering

  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings
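The Eve JSON output above and the per-rule thresholding listed here meet in practice when you consume eve.json and reason about which alerts the engine will actually emit. The block below is an added example for this page, not Suricata code: it parses constructed eve.json records (field layout as in alert events) and applies the rule-level threshold semantics (type limit, threshold or both; track by_src or by_dst). The window handling, a window that starts at the first match and restarts once "seconds" have elapsed, is a simplified model of the engine's behaviour, and threshold.config style rate_filter and per-subnet entries are not modelled.

```python
"""Added example: eve.json alerts run through a per-rule threshold model (not Suricata code)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Threshold:
    kind: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


class ThresholdFilter:
    """Decide per (sid, tracked address) whether an alert should be emitted."""

    def __init__(self, thresholds):
        self.thresholds = thresholds          # sid -> Threshold
        self.state = {}                       # (sid, ip) -> (window_start, hits)

    def accept(self, sid, src_ip, dest_ip, ts):
        th = self.thresholds.get(sid)
        if th is None:                        # no threshold: every match alerts
            return True
        key = (sid, src_ip if th.track == "by_src" else dest_ip)
        start, hits = self.state.get(key, (None, 0))
        if start is None or ts - start >= timedelta(seconds=th.seconds):
            start, hits = ts, 0               # new time window (model assumption)
        hits += 1
        self.state[key] = (start, hits)
        if th.kind == "limit":                # first 'count' matches per window
            return hits <= th.count
        if th.kind == "threshold":            # every 'count'-th match
            return hits % th.count == 0
        return hits == th.count               # both: once per window, on the count-th match


def _alert(ts, src, dst, sid):
    """Build one constructed eve.json alert record."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst, "proto": "TCP",
        "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                  "signature": f"CONSTRUCTED sid {sid}", "category": "Test", "severity": 3}})


# Constructed log lines, not real engine output.
EVE_LINES = [
    _alert("2024-05-01T10:00:00.000000+0000", "10.0.0.5", "192.0.2.10", 1000001),
    _alert("2024-05-01T10:00:01.000000+0000", "10.0.0.7", "192.0.2.10", 1000002),
    _alert("2024-05-01T10:00:02.000000+0000", "10.0.0.8", "192.0.2.10", 1000002),
    _alert("2024-05-01T10:00:03.000000+0000", "10.0.0.9", "192.0.2.10", 1000002),
    _alert("2024-05-01T10:00:05.000000+0000", "10.0.0.5", "192.0.2.10", 1000001),
    _alert("2024-05-01T10:00:10.000000+0000", "10.0.0.5", "192.0.2.10", 1000001),
    _alert("2024-05-01T10:00:12.000000+0000", "10.0.0.6", "192.0.2.10", 1000001),
    _alert("2024-05-01T10:00:20.000000+0000", "10.0.0.5", "192.0.2.11", 1000003),
    json.dumps({"timestamp": "2024-05-01T10:00:21.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "192.0.2.11"}),   # not an alert: skipped
    _alert("2024-05-01T10:00:30.000000+0000", "10.0.0.5", "192.0.2.12", 1000004),
    _alert("2024-05-01T10:00:31.000000+0000", "10.0.0.5", "192.0.2.12", 1000004),
    _alert("2024-05-01T10:00:32.000000+0000", "10.0.0.5", "192.0.2.12", 1000004),
    _alert("2024-05-01T10:01:10.000000+0000", "10.0.0.5", "192.0.2.10", 1000001),
]

# Equivalent of the rule-level keyword, e.g. for sid 1000001:
#   threshold: type limit, track by_src, count 1, seconds 60;
THRESHOLDS = {
    1000001: Threshold("limit", "by_src", 1, 60),
    1000002: Threshold("threshold", "by_dst", 3, 60),
    1000004: Threshold("both", "by_src", 2, 60),
}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def filter_alerts(lines, thresholds):
    """Return (sid, src_ip, timestamp) for every alert that survives thresholding."""
    flt = ThresholdFilter(thresholds)
    passed = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        if flt.accept(sid, ev["src_ip"], ev["dest_ip"], parse_ts(ev["timestamp"])):
            passed.append((sid, ev["src_ip"], ev["timestamp"]))
    return passed


if __name__ == "__main__":
    for sid, src, ts in filter_alerts(EVE_LINES, THRESHOLDS):
        print(ts, sid, src)
```

Of the thirteen constructed records, six alerts survive: sid 1000001 fires once per source per 60 s window (10.0.0.5 at 10:00:00 and again at 10:01:10, 10.0.0.6 once), sid 1000002 fires on the third hit against 192.0.2.10, sid 1000004 fires once on its second hit, and the unthresholded sid 1000003 fires on every match.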

Packet acquisition

  • High performance capture
    • AF_PACKET
    • PF_RING
  • Standard capture
    • PCAP
  • IPS mode
    • Netfilter (NFQUEUE) on Linux
      • fail open support
    • ipfw on FreeBSD and NetBSD
    • AF_PACKET on Linux
  • Capture cards and specialized devices
    • Endace
    • Napatech
    • Tilera

Multi Threading

  • fully configurable threading — from single thread to dozens of threads
  • precooked “runmodes”
  • optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling

IP Reputation

  • loading of large amounts of host-based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
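The reputation data is loaded from two plain text files, a categories file ("<id>,<short name>,<description>") and a reputation file ("<ip or netblock>,<category id>,<score 0-127>"), and the "iprep" keyword takes the form iprep:<side>,<category>,<operator>,<score>. The block below is an added example for this page, not Suricata code: it loads constructed versions of both files and evaluates keyword values for a packet. Netblock handling (most specific prefix wins) and the treatment of an address with no entry in the category (no match) are assumptions of this model, and live reload is not modelled.

```python
"""Added example of the IP reputation file formats and iprep evaluation (not Suricata code)."""
import ipaddress
import operator

# Categories file: "<id>,<short name>,<description>" (constructed)
CATEGORIES_TXT = """\
# categories
1,BadHosts,Known bad hosts
2,Scanners,Hosts seen scanning
"""

# Reputation file: "<ip or cidr>,<category id>,<score 0-127>" (constructed)
REPUTATION_TXT = """\
192.0.2.7,1,120
192.0.2.7,2,40
198.51.100.0/24,2,90
198.51.100.200/32,2,10
"""


def _records(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def load_categories(text):
    """Map category short name -> numeric id."""
    cats = {}
    for line in _records(text):
        cid, name, _desc = line.split(",", 2)
        cats[name] = int(cid)
    return cats


def load_reputation(text):
    """Return a list of (network, category id, score)."""
    entries = []
    for line in _records(text):
        net, cid, score = line.split(",")
        entries.append((ipaddress.ip_network(net, strict=False), int(cid), int(score)))
    return entries


def reputation_of(entries, ip, cid):
    """Score of ip in category cid; most specific matching prefix wins, None if absent."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, c, score in entries:
        if c == cid and addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, score)
    return None if best is None else best[1]


OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}


def iprep_match(keyword, src_ip, dst_ip, cats, entries):
    """Evaluate an 'iprep:<side>,<category>,<op>,<score>' value for one packet."""
    side, cat_name, op, value = [f.strip() for f in keyword.split(",")]
    cid = cats[cat_name]
    addrs = {"src": [src_ip], "dst": [dst_ip],
             "any": [src_ip, dst_ip], "both": [src_ip, dst_ip]}[side]
    hits = []
    for ip in addrs:
        score = reputation_of(entries, ip, cid)
        hits.append(score is not None and OPS[op](score, int(value)))  # no entry: no match (assumption)
    return all(hits) if side == "both" else any(hits)


if __name__ == "__main__":
    cats, reps = load_categories(CATEGORIES_TXT), load_reputation(REPUTATION_TXT)
    for kw, src, dst in [("src,BadHosts,>,100", "192.0.2.7", "10.0.0.1"),
                         ("any,Scanners,>,50", "10.0.0.1", "198.51.100.33"),
                         ("both,Scanners,>,50", "10.0.0.1", "198.51.100.33"),
                         ("dst,Scanners,>,50", "10.0.0.1", "198.51.100.200")]:
        print(f"iprep:{kw} src={src} dst={dst} -> {iprep_match(kw, src, dst, cats, reps)}")
```

Note that the same address can carry a different score in each category (192.0.2.7 is 120 in BadHosts but 40 in Scanners), and that a /32 entry overrides the /24 it sits in, so 198.51.100.200 does not trigger a ">,50" Scanners rule even though the rest of the block does.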