Intrusion Detection Systems: A Short Dive into Suricata
Software Engineer
Schild Technologies
Network security monitoring is regular practice in defensive cybersecurity. Intrusion Detection Systems (IDS) provide this critical capability. There are plenty of options for security organizations to choose from—open-source solutions like Suricata, Snort, Zeek, and Security Onion, as well as commercial platforms like Cisco Firepower, Palo Alto Networks Advanced Threat Prevention, Trend Micro TippingPoint, and Fortinet FortiGate IPS. Let's dive into Suricata.
What is Suricata?
Suricata is a high-performance, open-source network security monitoring tool that functions as both an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Developed by the Open Information Security Foundation (OISF), Suricata was designed from the ground up to leverage multi-threading and modern packet processing techniques, making it capable of handling gigabit-speed traffic on commodity hardware.
Unlike traditional IDS solutions that operate passively and only generate alerts, Suricata supports both detection and prevention modes. In IDS mode, it monitors network traffic and alerts on potentially malicious activity. In IPS mode, it can actively block threats by dropping malicious packets or resetting connections. This flexibility allows organizations to deploy Suricata for passive monitoring initially, then transition to active prevention as they gain confidence in their rule sets.
Suricata detects threats through multiple approaches: signature-based detection matches traffic against known attack patterns, protocol analysis examines whether network protocols are being used correctly, and file extraction capabilities allow inspection of files transferred over the network. The tool includes sophisticated parsers for dozens of protocols including HTTP, DNS, TLS, SSH, SMB, and FTP, enabling rules that match on specific application-layer attributes rather than just IP addresses and ports.
Suricata's architecture
Suricata's multi-threaded architecture sets it apart from older IDS solutions. The processing pipeline consists of packet capture threads that acquire packets from network interfaces, decode and stream reassembly threads that reconstruct TCP streams and defragment IP packets, and detection threads that apply rule matching against complete application sessions. This parallelized design allows Suricata to scale effectively across multiple CPU cores.
Beyond simple intrusion alerts, Suricata generates comprehensive network security monitoring data including full packet captures for investigation, extracted file objects from HTTP, FTP, and SMB transfers, connection metadata and flow records, and protocol-specific transaction logs. This multi-faceted logging makes Suricata valuable for threat hunting and forensic investigation, not just real-time detection.
The tool's deep protocol inspection is particularly powerful. Rather than relying on port numbers alone, Suricata identifies applications through protocol analysis and extracts protocol fields for rule matching. This enables detection rules that examine HTTP headers, TLS certificate fields, DNS query types, SMB file shares, and dozens of other application-layer attributes.
File extraction capabilities allow Suricata to reconstruct files transferred over monitored protocols and forward them to external malware analysis systems. The tool can extract executables, documents, and archives, calculate file hashes, and integrate with sandboxes through its EVE JSON logging framework. A Lua scripting engine provides additional extensibility for custom detection logic beyond standard rule matching.
Writing Suricata rules
Suricata rules define detection logic using a syntax compatible with Snort rules while adding Suricata-specific enhancements. A basic rule follows this structure:
action protocol source_ip source_port direction dest_ip dest_port (rule_options)
The action determines the response: alert generates an alert, drop blocks the packet in IPS mode, reject blocks and sends a reset, and pass explicitly allows traffic. Here's an example detecting SQL injection attempts:
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SQL Injection Attempt"; flow:to_server,established; http.uri; content:"union"; nocase; content:"select"; distance:0; within:50; classtype:web-application-attack; sid:1000001; rev:1;)
This rule triggers for HTTP traffic toward internal web servers containing "union" followed by "select" within 50 bytes. The flow keyword ensures it only examines client-to-server traffic in established connections, reducing false positives.
Protocol-aware rules leverage Suricata's deep parsing capabilities:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"User-Agent SQLMap"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
This rule examines only the HTTP User-Agent header rather than searching entire packets, improving both performance and accuracy.
File extraction rules demonstrate advanced capabilities:
alert http any any -> $HOME_NET any (msg:"PE Executable Download"; flow:to_client,established; file.magic; content:"PE32"; filestore; classtype:policy-violation; sid:1000003; rev:1;)
file.magic is a sticky buffer holding what libmagic reports about the file, so the match is written as file.magic followed by content. The filestore keyword instructs Suricata to save the complete file for analysis; it only takes effect when the file-store output is enabled in suricata.yaml.
Threshold controls manage alert volume for repeated events:
threshold: type threshold, track by_src, count 10, seconds 60
This generates alerts only after a source triggers the rule 10 times within 60 seconds, useful for detecting scanning or brute-force attacks.
Many organizations use commercial or community rule sets like Emerging Threats (ET), Proofpoint ET Pro, or Cisco Talos VRT rules, supplemented with custom rules for environment-specific threats. Suricata Update simplifies rule management with automated updates.
Additional examples
Detecting DNS tunneling attempts:
alert dns any any -> any any (msg:"Possible DNS Tunneling - Long Subdomain"; dns.query; content:"."; pcre:"/^[a-z0-9]{50,}\./i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1000004; rev:1;)
This rule identifies unusually long DNS subdomains often used for data exfiltration through DNS queries.
Detecting malicious TLS certificates:
alert tls any any -> any any (msg:"Potentially Malicious TLS Certificate - Free Certificate Authority"; tls.cert_issuer; content:"Let's Encrypt"; tls.cert_subject; content:"example-phishing"; nocase; classtype:trojan-activity; sid:1000005; rev:1;)
Matches certificates whose issuer field names Let's Encrypt and whose subject contains a specific pattern ("example-phishing" here stands in for a real indicator) that might indicate phishing infrastructure. The issuer and subject live in different buffers, so each content match is preceded by its own sticky buffer.
Identifying SSH brute force attempts:
alert ssh any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flow:to_server,established; ssh.proto; content:"2.0"; detection_filter:track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000006; rev:1;)
Triggers on every further SSH connection once a single source has opened more than 10 of them to internal hosts within 60 seconds; the first 10 matches are counted but do not alert.
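The threshold, limit and detection_filter keywords used in the rules above are easy to confuse. This added example (not code from the article or from Suricata) models their documented per-source semantics on a constructed event stream so the four behaviours can be compared side by side:

```python
"""Model of Suricata's rate-limiting keywords, tracked per source as with track by_src.
Added example, not code from the article or from Suricata. It follows the semantics in
Suricata's rule documentation: a window opens at a key's first match and lasts `seconds`;
a match after the window has expired opens a fresh one."""


class RateTracker:
    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # tracked key (source IP) -> [window_start, match_count]

    def match(self, key, ts):
        """Record one rule match for `key` at time `ts`; return True if it alerts."""
        entry = self.state.get(key)
        if entry is None or ts >= entry[0] + self.seconds:
            # First match for this key, or the old window expired: open a new one.
            self.state[key] = [ts, 1]
            if self.kind == "detection_filter":
                return False  # must exceed `count` matches before alerting
            return self.kind == "limit" or self.count <= 1
        entry[1] += 1
        n = entry[1]
        if self.kind == "threshold":  # alert on every count-th match, then count again
            if n >= self.count:
                entry[1] = 0
                return True
            return False
        if self.kind == "limit":  # at most `count` alerts per window
            return n <= self.count
        if self.kind == "both":  # one alert per window, when count is reached
            return n == self.count
        if self.kind == "detection_filter":  # every match once count is exceeded
            return n > self.count
        raise ValueError("unknown type: %s" % self.kind)


def alert_times(kind, count, seconds, events):
    """Replay (src, timestamp) events through one tracker; return timestamps that alerted."""
    tracker = RateTracker(kind, count, seconds)
    return [ts for src, ts in events if tracker.match(src, ts)]


# Constructed stream: one source matches a rule once per second for 15 s, then twice
# more long after the 60 s window has closed.
EVENTS = [("10.0.0.5", t) for t in range(15)] + [("10.0.0.5", 100), ("10.0.0.5", 101)]

if __name__ == "__main__":
    for kind, count in [("threshold", 10), ("limit", 1), ("both", 10), ("detection_filter", 10)]:
        print("%s %d/60s -> alerts at %s" % (kind, count, alert_times(kind, count, 60, EVENTS)))
```

With the stream above, threshold and both alert once (on the 10th match), limit alerts once per window, and detection_filter alerts on matches 11 through 15.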
Detecting malicious PowerShell download cradles:
alert http any any -> $HOME_NET any (msg:"PowerShell Download Cradle in HTTP"; flow:to_server,established; http.uri; content:"powershell"; nocase; content:"downloadstring"; nocase; distance:0; within:100; classtype:trojan-activity; sid:1000007; rev:1;)
Identifies HTTP requests containing PowerShell commands commonly used to download and execute malicious payloads.
Monitoring for large data uploads:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Large HTTP POST - Possible Data Exfiltration"; flow:to_server,established; http.method; content:"POST"; http.content_len; bsize:>6; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:1000008; rev:1;)
Flags POST requests whose declared Content-Length has seven or more digits, i.e. bodies of roughly 1MB and up, potentially indicating data exfiltration. The size is read from the Content-Length header rather than the body buffer, because dsize measures individual packet payloads (and cannot be combined with HTTP buffers) and the inspected request body is capped by request-body-limit in suricata.yaml.
Detecting cryptocurrency mining pool connections:
alert tcp $HOME_NET any -> $EXTERNAL_NET [3333,4444,5555,8332,8333] (msg:"Cryptocurrency Mining Pool Connection"; flow:to_server,established; content:"|7b|"; depth:1; content:"method"; distance:0; within:50; content:"mining"; distance:0; within:100; classtype:policy-violation; sid:1000009; rev:1;)
Identifies connections to common mining pool ports with JSON-RPC mining protocol characteristics.
Deploying Suricata
Effective deployment requires consideration of network placement, system resources, and configuration tuning.
Network placement options:
- Network perimeter: Gateway traffic for inbound attacks and outbound malware beacons
- Internal segments: Detect lateral movement
- Critical assets: Focus monitoring on high-value systems and data
- Cloud environments: Deploy virtual sensors for cloud workload traffic
IDS vs IPS mode: IDS mode operates passively using SPAN ports or network TAPs, generating alerts without affecting traffic flow. IPS mode positions Suricata inline, enabling active threat blocking but becoming a potential bottleneck.
Hardware requirements: A general guideline is to allocate two CPU cores per gigabit of sustained traffic. Memory needs depend on connection tracking—16GB RAM suffices for gigabit links, while 10Gbps+ deployments benefit from 64GB or more. Intel X710 or Mellanox ConnectX network cards deliver superior performance for high-speed links.
Configuration example in /etc/suricata/suricata.yaml:
af-packet:
  - interface: eth1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

stream:
  memcap: 128mb
  max-sessions: 512000
  reassembly:
    memcap: 256mb
    depth: 1mb
Rule management with Suricata Update:
suricata-update update-sources
suricata-update enable-source et/open
suricata-update
Test rule updates in IDS mode before deploying to inline sensors. Review alerts in /var/log/suricata/eve.json during initial deployment to identify problematic rules.
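Reviewing eve.json by hand does not scale past the first few thousand alerts. This added example (not code from the article or the Suricata project) ranks alert volume per signature id over constructed EVE lines and drafts threshold.config suppress lines for rules that fire repeatedly from a single source, as candidates for an analyst to review rather than apply blindly:

```python
"""Rank alert volume per rule in Suricata EVE JSON and draft suppressions for review.
Added example, not code from the article or the Suricata project. Only event_type
"alert" records count; the suppress lines use the syntax of Suricata's threshold.config
(the file named by threshold-file in suricata.yaml). The log lines are constructed."""
import json

# Constructed EVE lines using the field names EVE alert records carry; not real traffic.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T09:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP","alert":{"signature_id":1000004,"rev":1,"signature":"Possible DNS Tunneling - Long Subdomain","severity":3}}
{"timestamp":"2024-01-10T09:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP"}
{"timestamp":"2024-01-10T09:01:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP","alert":{"signature_id":1000004,"rev":1,"signature":"Possible DNS Tunneling - Long Subdomain","severity":3}}
{"timestamp":"2024-01-10T09:02:09.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP","alert":{"signature_id":1000004,"rev":1,"signature":"Possible DNS Tunneling - Long Subdomain","severity":3}}
{"timestamp":"2024-01-10T09:03:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.80","proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SQL Injection Attempt","severity":1}}
{"timestamp":"2024-01-10T09:03:30.000000+0000","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"10.0.0.80","proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SQL Injection Attempt","severity":1}}
this line is not JSON and must be skipped
"""


def summarize_alerts(lines):
    """Return {sid: {"signature": str, "count": int, "sources": set}} from alert events only."""
    stats = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupt line: skip it rather than abort the review
        if not isinstance(rec, dict) or rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        entry = stats.setdefault(alert["signature_id"],
                                 {"signature": alert["signature"], "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(rec["src_ip"])
    return stats


def draft_suppressions(stats, min_alerts=3):
    """Draft threshold.config suppress lines for rules that fire repeatedly from one source.
    These are candidates for an analyst to confirm benign (e.g. an internal resolver)."""
    out = []
    for sid, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        if s["count"] >= min_alerts and len(s["sources"]) == 1:
            out.append("suppress gen_id 1, sig_id %d, track by_src, ip %s" % (sid, next(iter(s["sources"]))))
    return out


if __name__ == "__main__":
    stats = summarize_alerts(SAMPLE_EVE.splitlines())
    for sid, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(sid, s["count"], "alerts from", len(s["sources"]), "source(s):", s["signature"])
    print("\n".join(draft_suppressions(stats)))
```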
Integration with security infrastructure: Consider forwarding EVE JSON logs to SIEM platforms (Splunk, Elastic Stack), threat intelligence platforms, or security orchestration tools. Suricata can trigger automated responses through external scripts integrated with firewall APIs or incident response platforms.
Conclusion
Intrusion Detection Systems remain fundamental to defense-in-depth security strategies. Suricata represents a mature, high-performance solution suitable for organizations of all sizes, offering capabilities that can match commercial alternatives. The combination of signature detection, protocol analysis, file extraction, and extensible scripting provides flexible detection adapted to specific threat environments without vendor lock-in.
Success with Suricata requires investment in configuration, rule tuning, and operational processes. Organizations that develop this expertise gain powerful detection capabilities and the flexibility to evolve their security monitoring as threats change. Whether deployed in IDS or IPS mode, at the network perimeter or on internal segments, Suricata provides the visibility and control necessary for effective network security monitoring in modern environments.