Suricata
What is Suricata?
An open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF).
Suricata is a multi-threaded, open-source network security engine first released in 2010 and developed by the Open Information Security Foundation (OISF). It supports intrusion detection (IDS), inline intrusion prevention (IPS), and rich network security monitoring (NSM), producing logs in EVE JSON, protocol metadata (HTTP, TLS, DNS, SMB, Kerberos), and extracted files. Suricata understands Snort-compatible rules plus its own keywords (Lua, datasets, ja3, ja4), letting analysts reuse community rulesets such as ET Open and Talos. It is widely deployed at internet egress, in cloud TAPs, and in SOC sensor fleets, often alongside Zeek for richer protocol decoding.
● Examples
- Running Suricata in inline IPS mode on a perimeter firewall to drop traffic matching ET Open rules.
- Feeding Suricata EVE JSON logs into a SIEM for correlation with endpoint telemetry.
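The second example above, feeding EVE JSON into a SIEM, is mostly a parsing and normalisation problem. The block below is an added example and not code from the Suricata project: it parses constructed EVE JSON lines (the field names follow the EVE schema, but the timestamps, IPs, signature names and local-range sids are made up for illustration), flattens alert records into the kind of flat key set a SIEM pipeline would index, tolerates a malformed line rather than aborting the whole batch, and produces the counts (by signature, severity, source host and event type) an analyst would pivot on. The flattened key names and the `noisy_sources` threshold are this example's own choices, not a Suricata or SIEM standard.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines for illustration only; not output captured from a
# real sensor. Field names follow Suricata's EVE schema (event_type, src_ip, alert.*).
# The signatures and sids are invented local-range rules, not ET Open or Talos entries.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":101,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL Constructed suspicious user-agent","category":"Constructed Category","severity":2},'
    '"http":{"hostname":"203.0.113.7","url":"/","http_user_agent":"constructed-agent"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":102,"event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":103,"event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":44444,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":3,'
    '"signature":"LOCAL Constructed SMB anomaly","category":"Constructed Category","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":104,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL Constructed suspicious user-agent","category":"Constructed Category","severity":2}}',
    'this line is not JSON and simulates a truncated write at log rotation',
]


def parse_eve(lines):
    """Parse EVE JSON lines into dicts. Returns (records, bad_line_count).

    A malformed line (truncated write, stray text) is counted and skipped so one
    bad record does not stall ingestion of the whole file.
    """
    records, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            records.append(rec)
        else:
            bad += 1
    return records, bad


def normalize_alert(rec):
    """Flatten one EVE alert record into a flat dict a SIEM could index directly.

    The output key names are this example's own choice (hypothetical), chosen so
    the same keys can later be joined against endpoint telemetry by host and time.
    """
    a = rec["alert"]
    return {
        "ts": rec["timestamp"],
        "flow_id": rec["flow_id"],
        "sid": a["signature_id"],
        "rev": a.get("rev"),
        "signature": a["signature"],
        "category": a.get("category"),
        "severity": a["severity"],
        "action": a.get("action", "allowed"),  # EVE uses "allowed" or "blocked"
        "src_ip": rec["src_ip"],
        "src_port": rec["src_port"],
        "dst": f'{rec["dest_ip"]}:{rec["dest_port"]}',
        "proto": rec["proto"],
    }


def summarize(records):
    """Aggregate parsed EVE records into the counts an analyst pivots on first."""
    alerts = [normalize_alert(r) for r in records if r.get("event_type") == "alert"]
    by_signature = Counter((a["sid"], a["signature"]) for a in alerts)
    return {
        "event_types": Counter(r["event_type"] for r in records),  # protocol metadata volume
        "alerts": len(alerts),
        "blocked": sum(1 for a in alerts if a["action"] == "blocked"),  # IPS drops
        "by_severity": Counter(a["severity"] for a in alerts),  # 1 is most severe
        "by_signature": by_signature,
        "by_source": Counter(a["src_ip"] for a in alerts),
        "top_signature": by_signature.most_common(1)[0][0] if alerts else None,
    }


def noisy_sources(summary, threshold):
    """Internal hosts that triggered at least `threshold` alerts, sorted for stable output."""
    return sorted(ip for ip, n in summary["by_source"].items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_eve(SAMPLE_EVE_LINES)
    summary = summarize(recs)
    print(f"parsed {len(recs)} records, skipped {bad} malformed line(s)")
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("hosts with 2+ alerts:", noisy_sources(summary, 2))
```

In a real pipeline the same `parse_eve` loop would read `eve.json` incrementally (tail-style) rather than a list, and `normalize_alert` is the place to map the flattened keys onto whatever schema the SIEM expects; the aggregation is deliberately separated so that the same normalised records can be both counted locally and forwarded.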
● Frequently asked questions
What is Suricata?
An open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF). It belongs to the Defense & Operations category of cybersecurity.
How is Suricata used defensively?
Suricata is itself a defensive control: it is deployed as a passive IDS, an inline IPS, or an NSM sensor, and its value comes from combining the technical controls (rulesets, inline dropping) with the operational practices (log correlation, alert triage) described in the full definition above.
What are other names for Suricata?
Common alternative names include: Suricata IDS, Suricata IPS.
● Related terms
- Intrusion Detection System (IDS) (network-security, № 547): A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
- Intrusion Prevention System (IPS) (network-security, № 548): An inline security control that detects malicious traffic and actively blocks, resets, or scrubs it in real time.
- Snort Rule (defense-ops, № 1061): A signature in the Snort intrusion-detection rule language that describes network traffic patterns to alert on or block in IDS or IPS mode.
- Zeek (defense-ops, № 1261): An open-source network security monitor (formerly Bro) that turns network traffic into structured, protocol-aware logs and scripts for threat detection.
- Deep Packet Inspection (DPI) (network-security, № 295): An inspection technique that examines the full payload of network packets, not just headers, to identify applications, content, and threats.
- Network-Based IDS (NIDS) (network-security, № 724): An intrusion-detection sensor that inspects traffic captured from a network segment to identify malicious patterns and policy violations.
● See also
- Wireshark (№ 1245)
- Security Onion (№ 997)