Features

Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.

TLS/SSL Logging and Analysis: Not only can you match against most aspects of an SSL/TLS exchange within the ruleset language thanks to Suricata’s TLS Parser, you can also log all key exchanges for analysis. Great way to make sure your network is not the victim of a less than reputable certificate authority.

HTTP Logging: Why add more hardware into your network just to log http activity when your IDS already sees it? Suricata will log all HTTP connections on any port to file for later analysis.

DNS Logging: Suricata will log all DNS queries and responses.

For complete information and logging formats available click here.

Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi threaded, modern, clean and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

Advanced analysis and functionality available to detect things not possible within the ruleset syntax.

Our main logging output is called “Eve”, our all JSON event and alert output. This allows for easy integration with Logstash and similar tools.

Scirius CE hunt mode, correlation showing a request with executable file in response.

Splunk Enterprise – there is a free Suricata app in the Splunk store made by Eric Leblond at Stamus Networks

Suricata’s Flow ID in action in EveBox, correlating alerts, anomaly events, & protocol data/NSM

Alert and protocol/NSM data

Application Layer Anomaly in Kibana

File ID/Transactions in Kibana