All features

Complete list of Suricata Features


  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Off line analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing
  • Advanced integration with Linux Netfilter firewalling

Operating System Support

  • Linux
  • FreeBSD
  • OpenBSD
  • macOS / Mac OS X
  • Windows


  • YAML config file — human and machine readable
  • well commented and documented
  • support for including other files

TCP/IP engines

  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
  • TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  • IP Defrag engine
    • target based reassembly

Protocol parsers

  • Support for packet decoding of
    • IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    • Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN
  • App layer decoding of:
    • New protocols developed in the Rust language, for safe and fast decoding.

HTTP engine

  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status and status code
    • host
    • request and response lines
    • decompress flash files
    • and many more

Detection engine

  • Protocol keywords
  • Multi-tenancy per vlan or capture device
  • xbits – flowbits extension
  • PCRE support
    • substring capture for logging in EVE
  • fast_pattern and prefilter support
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules w/o restarting Suricata
  • delayed rules initialization
  • Lua scripting for custom detection logic
  • Hyperscan integration


  • Eve log, all JSON alert and event output
  • Lua output scripts for generating your own output formats
  • Redis support
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Prelude support
  • drop log — netfilter style log of dropped packets in IPS mode
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk, with deduplication in the v2 format
  • DNS request/reply logger, including TXT data
  • Signal based Log rotation
  • Flow logging

Alert/Event filtering

  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings

Packet acquisition

  • High performance capture
      • experimental eBPF and XDP modes available
    • PF_RING
    • NETMAP
  • Standard capture
    • PCAP
    • NFLOG (netfilter integration)
  • IPS mode
    • Netfilter based on Linux (nfqueue)
      • fail open support
    • ipfw based on FreeBSD and NetBSD
    • AF_PACKET based on Linux
    • NETMAP
  • Capture cards and specialized devices
    • Endace
    • Napatech
    • Tilera

Multi Threading

  • fully configurable threading — from single thread to dozens of threads
  • precooked “runmodes”
  • optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling

IP Reputation

  • loading of large amounts host based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
  • supports CIDR ranges


  • Suricata-Update for easy rule update management
  • Suricata-Verify for QA during development