# Suricata
Suricata is an open-source, multi-threaded network threat detection engine maintained by the Open Information Security Foundation (OISF). It was built to address a specific and persistent gap: the inability of single-threaded inspection engines to keep pace with modern network throughput while simultaneously performing deep packet inspection, protocol analysis, and structured log generation. Suricata fills the role of intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) platform within a single deployable binary. Organizations operating at high traffic volumes, from enterprise data centers to internet service providers, rely on Suricata to detect threats in real time, extract actionable metadata from network flows, and feed downstream analytics platforms with structured, query-ready telemetry.
---
Suricata is a rule-based and protocol-aware network analysis engine. It inspects packets, reassembles streams, decodes application-layer protocols, matches signatures, and produces structured output logs, all within a single pipeline optimized for multi-core hardware. The OISF released Suricata in 2009 as a direct response to the architectural limitations of Snort, which was, at the time, a single-threaded engine unable to saturate multiple CPU cores without external load-balancing workarounds.
Suricata is not a firewall. It does not make routing or access-control decisions at the packet level based on source and destination rules alone. It is not a SIEM. It does not store, correlate, or visualize events natively over long time horizons. It is not a full endpoint detection tool. Its visibility is confined to the network layer and the application protocols traversing it.
Suricata operates in three distinct deployment modes. In IDS mode, it inspects a copy of traffic (via SPAN port or tap) and generates alerts without blocking traffic. In IPS mode, it sits inline and can drop or reject packets that match configured threat signatures. In NSM mode, it focuses on metadata extraction and logging rather than active detection, producing a comprehensive record of every observable network transaction.
Suricata supports a wide range of application-layer protocol parsers including HTTP, HTTP/2, DNS, TLS, SMB, FTP, SMTP, SSH, and DCERPC. This protocol awareness means detection logic can be written against decoded fields, such as HTTP User-Agent strings or TLS SNI values, rather than raw byte patterns. This distinguishes Suricata from simpler packet filters or shallow inspection tools that operate only on layer 3 and layer 4 attributes.
---
Suricata's processing pipeline is divided into discrete, parallelizable stages. Understanding each stage is essential for anyone configuring or tuning the engine for production deployment.
Packet Acquisition
Suricata acquires packets using one of several capture methods depending on the environment. AF_PACKET is the standard Linux kernel interface and is sufficient for most deployments up to approximately 10 Gbps on modern hardware. PF_RING and its zero-copy variant (PF_RING ZC) reduce kernel overhead by bypassing memory copy operations between kernel and user space. DPDK (Data Plane Development Kit) provides the highest throughput, often used in carrier-grade deployments exceeding 40 Gbps. Netmap is available for BSD environments. The choice of capture method directly affects CPU utilization and packet loss rates under load. For a 1 Gbps enterprise edge deployment, AF_PACKET with multiple receive queues is generally sufficient. For a 10 Gbps datacenter perimeter, PF_RING with RSS (Receive Side Scaling) is a common baseline configuration.
Decoding and Stream Reassembly
After capture, packets are decoded at layer 2 through layer 7. Suricata's stream engine reassembles TCP streams, handling out-of-order segments, retransmissions, and TCP overlaps. This reassembly is critical because attackers routinely fragment payloads across multiple packets to evade signature matches on raw packet content. Without reassembly, a simple evasion technique, splitting a malicious HTTP request across three TCP segments, would defeat a pattern-match against the complete URI string. Suricata's stream engine eliminates this evasion class.
Application Layer Parsing
Once streams are reassembled, Suricata's application-layer transaction parsers decode protocol semantics. For HTTP, this means extracting the method, URI, headers, and body as structured fields. For TLS, Suricata parses the handshake to extract the server certificate, subject, issuer, serial number, and the JA3 or JA4 fingerprint of the client hello. JA3 fingerprinting characterizes the TLS client implementation by hashing specific handshake parameters, which is useful for identifying malware families that use distinctive TLS stacks regardless of the domain they contact.
Detection Engine
The detection engine evaluates traffic against the loaded rule set. Suricata supports Snort-compatible rule syntax (used with Emerging Threats and other community rule sets) and extends that syntax with additional keywords not available in Snort. Examples include tls.sni for matching the SNI field in TLS handshakes, http.uri.raw for matching URI content before normalization, dns.query for matching DNS query names, and filemagic for matching the MIME type of extracted files. Rules can also invoke Lua scripts for complex multi-condition logic, such as detecting when the same source IP contacts more than ten distinct internal hosts over port 445 within 60 seconds, a pattern consistent with SMB-based lateral movement reconnaissance.
EVE JSON Output
Every network event processed by Suricata can be written to EVE (Extensible Event Format), a JSON log stream that records structured metadata for each transaction type. A DNS query generates a dns log record containing the query name, record type, and response. An HTTP transaction generates an http record containing URI, status code, content type, and referrer. An alert generates an alert record containing the rule signature ID, rule message, source and destination, and the matched content. EVE logs are designed for direct ingestion by SIEM platforms such as Elastic Security, Splunk, or Chronicle, enabling correlation, dashboarding, and retrospective threat hunting without any intermediate parsing layer.
A Concrete Scenario
A threat actor delivers a Cobalt Strike beacon via a phishing document. The beacon uses an HTTPS C2 channel. Suricata on the network perimeter, configured with Emerging Threats Pro rules and JA3 fingerprint detection, identifies the TLS client hello fingerprint as matching a known Cobalt Strike malleable C2 profile. Simultaneously, the http EVE log records the beacon's HTTP GET request (tunneled over TLS) to a domain registered 48 hours prior. A DNS log entry shows an initial query for that domain, resolving to an IP with no historical reputation. The combination of JA3 match, recently registered domain, and absence of historical DNS traffic for that destination triggers an alert correlated in the SIEM within seconds of the beacon's first check-in. Without Suricata, the encrypted traffic would have passed through a basic firewall as permitted HTTPS, and the beacon would have operated undetected.
---
Network telemetry is a foundational layer of any mature security operations program. Without high-fidelity, protocol-aware logging of what is actually traversing the network, security teams are constrained to endpoint and log-source data that is often incomplete, manipulated by an attacker who has gained host access, or simply not present for unmanaged devices such as printers, OT controllers, or guest network endpoints. Suricata provides visibility that is independent of the endpoint, which makes it resistant to common attacker techniques like log tampering or EDR evasion.
The business consequence of operating without network detection capability is well documented. The 2020 SolarWinds supply chain compromise is a relevant example. While the initial access vector was a software update mechanism, the attacker's post-compromise behavior included DNS-based C2 communication and lateral movement over SMB. Organizations that had deployed network monitoring with protocol-aware DNS and SMB logging had an opportunity to detect anomalous behavior patterns weeks before indicators of compromise were publicly released. Those relying solely on perimeter firewalls and endpoint agents largely missed the activity until third-party notification.
A common misconception about Suricata is that rule coverage alone determines detection quality. This is incorrect. The EVE metadata layer provides independent detection value through behavioral analysis, even when no rule fires. An analyst searching for all internal hosts that issued DNS queries for newly registered domains in the past 30 days can answer that question from Suricata's DNS logs without any signature having matched. This transforms Suricata from a passive alert generator into an active threat-hunting data source.
Another misconception is that Suricata requires tuning only at initial deployment. In practice, rule sets must be reviewed and tuned continuously as attacker techniques evolve, network topology changes, and new application protocols are introduced. Deploying Suricata and leaving it unattended produces alert fatigue through false positives, which causes analysts to suppress categories of alerts that may contain genuine detections.
---
The Cyber Defense Advisors (CDA) approach to Suricata is grounded in the Planetary Defense Model (PDM), specifically the Threat Intelligence and Detection (TID) and Vulnerability and Security Data (VSD) domains. CDA's guiding methodology is Predictive Defense Intelligence (PDI): "See the threat before it sees you." Within that framework, Suricata is not simply a detection tool. It is a continuous intelligence-collection platform positioned at network observation points to feed forward-looking analysis.
CDA positions Suricata deployments at multiple visibility tiers simultaneously: internet perimeter, east-west datacenter segments, and cloud egress points. Most organizations deploy network detection only at the perimeter, which provides no visibility into lateral movement after an initial compromise. CDA's PDM-driven architecture treats internal segment monitoring as equally important, because post-breach attacker behavior, credential harvesting, SMB scanning, internal phishing, is almost entirely invisible to perimeter-only sensors.
From a TID domain perspective, CDA integrates Suricata EVE telemetry directly with threat intelligence platforms (TIPs) to enable indicator enrichment at ingestion time. When Suricata logs a DNS query, that query is cross-referenced in real time against threat intelligence feeds for domain reputation, registration age, and infrastructure overlap with known threat actor infrastructure. This is the operational expression of PDI: enriching raw network observations with intelligence context before they reach the analyst queue.
From a VSD domain perspective, Suricata's protocol metadata reveals exposed services and misconfigured applications. SMB logs showing unauthenticated access attempts against internal servers indicate both active threats and unpatched or misconfigured hosts. HTTP logs revealing internal systems making outbound connections to update services on non-standard ports surface policy violations and potential staging behavior.
CDA differs from standard Suricata deployments by treating the engine's configuration as a living document tied to the client's threat model, not a static installation. Rule sets are reviewed quarterly against the MITRE ATT&CK framework to ensure detection coverage maps to the techniques most relevant to the client's industry and adversary profile.
---
---
---