Suricata: network IDS, IPS and NSM engine

What is Suricata

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. It is not intended merely to replace or emulate the existing tools in the industry; it brings new ideas and technologies to the field. The Suricata Engine and the HTP Library are available for use under the GPLv2.


IDS/IPS

Suricata is a rule-based ID/PS engine that uses externally developed rule sets to monitor network traffic and alert the system administrator when suspicious events occur. Designed to be compatible with existing network security components, Suricata features unified output functionality and pluggable library options that let other applications call into it.
The initial release of Suricata runs on Linux 2.6 and supports both inline and passive traffic monitoring configurations capable of handling multi-gigabit traffic. Linux 2.4 is supported with reduced functionality, such as no inline option.
Available under Version 2 of the General Public License, Suricata eliminates ID/PS engine cost concerns while providing a scalable option for the most complex network security architectures.

Multi-threading

As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis. In addition to hardware acceleration (subject to hardware and network card limitations), the engine is built to use the increased processing power offered by the latest multi-core CPU chipsets. Suricata is developed for ease of implementation and is accompanied by step-by-step getting-started documentation and a user manual.

Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences:

  • in IPS mode a crash may knock a network offline;
  • in passive mode a compromise of the IDS may lead to loss of critical and confidential data;
  • missed detection may lead to undetected compromise of the network.

Trusted devs and core team members are able to submit builds to our (semi) public Buildbot instance. It runs a series of build tests and a regression suite to confirm that no existing features break.

The final QA run takes at least a few hours and is started by Victor. It currently runs:

  • extensive build tests on different OSes, compilers, optimization levels and configure features
  • static code analysis using cppcheck, scan-build
  • runtime code analysis using Valgrind, DrMemory, AddressSanitizer, LeakSanitizer
  • regression tests for past bugs
  • output validation of logging
  • UNIX socket testing
  • pcap based fuzz testing using ASAN and LSAN

In addition to these tests, further tests can be run manually depending on the type of code change:

  • traffic replay testing (multi-gigabit)
  • large pcap collection processing (multi-terabytes)
  • AFL based fuzz testing (might take multiple days or even weeks)
  • pcap based performance testing
  • live performance testing
  • various other manual tests based on an evaluation of the proposed changes
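As an added example (not the Suricata project's own QA code), a minimal harness in the spirit of the pcap-based steps above: it replays pcaps through a suricata binary built with AddressSanitizer/LeakSanitizer, extracts sanitizer reports from stderr, and validates that the eve.json log output is well-formed. The binary path, config file, log directory and the sample stderr/eve lines are assumptions or constructed; the `-c`, `-r` and `-l` flags are standard suricata options.

```python
import json
import re
import subprocess
from pathlib import Path

# Banner the ASAN/LSAN runtime prints at the start of each report, e.g.
# "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020..."
SANITIZER_RE = re.compile(r"^==\d+==ERROR: (AddressSanitizer|LeakSanitizer): (.*)$", re.M)

def sanitizer_findings(stderr: str) -> list:
    """Return (sanitizer, message) pairs for every report found in stderr."""
    return [(m.group(1), m.group(2).strip()) for m in SANITIZER_RE.finditer(stderr)]

def validate_eve(lines) -> dict:
    """Output validation: each eve.json line must be a JSON object carrying a
    'timestamp' and an 'event_type'. Returns per-type counts plus the 1-based
    numbers of lines that fail the check."""
    counts, bad = {}, []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except ValueError:
            ev = None
        if not isinstance(ev, dict) or "timestamp" not in ev or "event_type" not in ev:
            bad.append(n)
            continue
        counts[ev["event_type"]] = counts.get(ev["event_type"], 0) + 1
    return {"counts": counts, "bad_lines": bad}

def verdict(rc: int, findings: list, eve: dict) -> str:
    """A pcap FAILs on non-zero exit (crash), any sanitizer report or malformed log lines."""
    return "FAIL" if rc != 0 or findings or eve["bad_lines"] else "PASS"

def run_pcap(suricata: str, config: str, pcap: Path, logdir: Path) -> dict:
    """Replay one pcap offline (-r) under the given config (-c), logging into logdir (-l)."""
    proc = subprocess.run([suricata, "-c", config, "-r", str(pcap), "-l", str(logdir)],
                          capture_output=True, text=True)
    eve_file = logdir / "eve.json"
    lines = eve_file.read_text().splitlines() if eve_file.exists() else []
    findings, eve = sanitizer_findings(proc.stderr), validate_eve(lines)
    return {"pcap": pcap.name, "rc": proc.returncode, "findings": findings,
            "eve": eve, "verdict": verdict(proc.returncode, findings, eve)}

# Constructed sample output (not captured from Suricata) so the checks run offline.
SAMPLE_STDERR = ("==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014\n"
                 "    #0 0x55d1c0a2b3c4 (constructed stack frame line)\n"
                 "==4242==ERROR: LeakSanitizer: detected memory leaks\n")
SAMPLE_EVE = ['{"timestamp": "2016-01-01T00:00:00.000000+0000", "event_type": "alert"}',
              '{"timestamp": "2016-01-01T00:00:01.000000+0000", "event_type": "flow"}',
              'not json at all', '{"event_type": "http"}']
```

For a real run, loop over a pcap collection (e.g. `Path("pcaps").glob("*.pcap")`) and call `run_pcap` for each, treating any FAIL verdict as a regression to triage.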


Copyright 2016, OISF