Suricata

OISF

Multi-threaded IDS/IPS engine with deep protocol awareness and Lua scripting.

Tags: Network Recon & Monitoring, Free & Open Source, Platform / Suite, Practiced in lab, Cross-platform


Description

Suricata is the modern open-source NIDS/IPS engine maintained by the Open Information Security Foundation (OISF). It is Snort-rule compatible but adds:

  • Multi-threaded capture for 10/40/100 GbE.
  • Protocol identification independent of port (TLS on 8443? still flagged as TLS).
  • EVE JSON output that ships natively into ELK / Splunk / OpenSearch.
  • File extraction and SHA-256 hashing for every file seen.
  • Lua scripting for custom detections.

Use cases

  • High-throughput perimeter detection
  • Replacing or complementing legacy Snort sensors
  • Generating file hashes for IOC matching against MISP
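The EVE JSON output and the MISP hash-matching use case above can be tied together with a small consumer. The Python below is an added example, not code from the page or from the Suricata project: it reads a handful of constructed EVE lines (alert, fileinfo and tls events laid out as Suricata emits them), skips a malformed line the way a log shipper must, matches fileinfo SHA-256 values against an IOC set (a constructed placeholder standing in for a MISP export), counts alerts per signature, and lists TLS sessions seen on ports other than 443. The signature id, hashes and addresses are all made up for the example.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not captured from a real sensor).
# The last line is deliberately truncated to exercise malformed-line handling.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB constructed test signature","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","proto":"TCP","app_proto":"http","fileinfo":{"filename":"/update.exe","sha256":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef","size":4096,"stored":false}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.9","dest_port":8443,"proto":"TCP","tls":{"sni":"example.test","version":"TLS 1.2"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.7","dest_ip":"10.0.0.6","proto":"TCP","app_proto":"smb","fileinfo":{"filename":"report.pdf","sha256":"cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe","size":10240,"stored":false}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.7","proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB constructed test signature","severity":2}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5"
"""

# Constructed placeholder IOC set; in practice this would be a SHA-256 export from MISP.
IOC_SHA256 = {"deadbeef" * 8}


def parse_eve(text):
    """Return one dict per well-formed EVE JSON line, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated or corrupt line (e.g. sensor restart mid-write) must not
            # abort the whole batch; drop it and keep going.
            continue
    return events


def match_file_iocs(events, ioc_hashes):
    """Return fileinfo events whose SHA-256 appears in the IOC set."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "fileinfo":
            continue
        info = ev.get("fileinfo", {})
        digest = (info.get("sha256") or "").lower()  # normalise case before comparing
        if digest and digest in ioc_hashes:
            hits.append({
                "timestamp": ev.get("timestamp"),
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "filename": info.get("filename"),
                "sha256": digest,
            })
    return hits


def alert_summary(events):
    """Count alert events per signature so a noisy rule stands out at a glance."""
    return Counter(
        ev["alert"]["signature"]
        for ev in events
        if ev.get("event_type") == "alert" and "alert" in ev
    )


def nonstandard_tls(events):
    """TLS sessions Suricata identified on ports other than 443 (port-agnostic detection)."""
    return [
        (ev["dest_ip"], ev["dest_port"])
        for ev in events
        if ev.get("event_type") == "tls" and ev.get("dest_port") not in (None, 443)
    ]


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print(f"{len(evs)} events parsed")
    for hit in match_file_iocs(evs, IOC_SHA256):
        print("IOC hit:", hit)
    print("alerts by signature:", dict(alert_summary(evs)))
    print("TLS on non-standard ports:", nonstandard_tls(evs))
```

In a real deployment the text would come from tailing eve.json (or from the log shipper feeding ELK / Splunk / OpenSearch), and the IOC set would be refreshed periodically from MISP; the parsing and matching logic stays the same.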

Example

suricata -c /etc/suricata/suricata.yaml -i eth0 --runmode=workers