Suricata
Awesome Suricata
Curated list of awesome things related to Suricata.
Suricata is a free intrusion detection/prevention system (IDS/IPS) and network security monitoring engine.
Input Tools
- PacketStreamer - Distributed tcpdump for cloud native environments.
Output Tools
- suricata-kafka-output - Suricata Eve Kafka Output Plugin for Suricata 6.
- suricata-redis-output - Suricata Eve Redis Output Plugin for Suricata 7.
- Meer - Meer is a "spooler" for Suricata / Sagan.
- FEVER - Fast, extensible, versatile event router for Suricata's EVE-JSON format.
- Suricata-Logstash-Templates - Templates for Kibana/Logstash to use with Suricata IDPS.
- Lilith - Reads EVE files into SQL and searches the stored data.
Operations, Monitoring and Troubleshooting
- slinkwatch - Automatic enumeration and maintenance of Suricata monitoring interfaces.
- suri-stats - A tool to work with Suricata's stats.log file.
- Mauerspecht - Simple probing tool for corporate walled-garden networks.
- ansible-suricata - Suricata Ansible role (slightly outdated).
- MassDeploySuricata - Mass deploy and update Suricata IDPS using the Ansible IT automation platform.
- docker-suricata - Suricata Docker image.
- Suricata-Monitoring - LibreNMS JSON / Nagios monitor for Suricata stats.
- Terraform Module for Suricata - Terraform module to setup Google Cloud packet mirroring and send packets to Suricata.
- InfluxDB Suricata Input Plugin - Input plugin for Telegraf that collects and forwards Suricata stats logs (included out of the box in recent Telegraf releases).
- suricata_exporter - Simple Prometheus exporter written in Go that exposes stats metrics scraped from the Suricata socket.
Programming Libraries and Toolkits
- rust-suricatax-rule-parser - Experimental Suricata Rule Parser in Rust.
- go-suricata - Go Client for Suricata (Interacting via Socket).
- gonids - Go library to parse intrusion detection rules for engines like Snort and Suricata.
- surevego - Suricata EVE-JSON parser in Go.
- suricataparser - Pure python parser for Snort/Suricata rules.
- py-idstools - Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool).
Dashboards and Templates
- KTS - Kibana 4 Templates for Suricata IDPS Threat Hunting.
- KTS5 - Kibana 5 Templates for Suricata IDPS Threat Hunting.
- KTS6 - Kibana 6 Templates for Suricata IDPS Threat Hunting.
- KTS7 - Kibana 7 Templates for Suricata IDPS Threat Hunting.
Development Tools
- Suricata Language Server - Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.
- suricata-ls-vscode - Suricata IntelliSense Extension using the Suricata Language Server.
- suricata-highlight-vscode - Suricata Rules Support for Visual Studio Code (syntax highlighting, etc).
- SublimeSuricata - Basic Suricata syntax highlighter for Sublime Text.
Documentation and Guides
- SEPTun - Suricata Extreme Performance Tuning guide.
- SEPTun-Mark-II - Suricata Extreme Performance Tuning guide - Mark II.
- suricata-4-analysts - The Security Analyst's Guide to Suricata.
- Suricata Community Style Guide - A collaborative document to collect style guidelines from the community of rule writers.
Analysis Tools
- Suricata Analytics - Various resources that are useful when interacting with Suricata data.
- Malcolm - A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
- Evebox - Web-based event viewer (GUI) for Suricata EVE events stored in Elasticsearch.
Rule Sets
- nids-rule-library - Collection of various open-source and commercial rulesets.
- Stamus Lateral Movement Detection Rules - Suricata ruleset to detect lateral movement.
- QuadrantSec Suricata Rules - QuadrantSec Suricata rules.
- Cluster25/detection - Cluster25's detection rules.
- Networkforensic.dk (NF) rules sets:
- NF IDS rules
- NF SCADA IDS Rules
- NF Scanners IDS Rules
- Quantum Insert detection for Suricata - Suricata rules accompanying Fox-IT's QUANTUM 2015 blog/BroCon talk.
- Hunting rules - Suricata IDS alert rules for network anomaly detection from Travis Green.
- 3CORESec NIDS - Lateral Movement - Suricata ruleset focusing on lateral movement techniques (paid).
- 3CORESec NIDS - Sinkholes - Suricata ruleset focused on a curated list of public malware sinkholes (free).
- PAW Patrules - Another free (CC BY-NC-SA) collection of rules for the Suricata engine.
- opnsense-suricata-nmaps - OPNsense Suricata IDS/IPS detection rules against Nmap scans.
- Antiphishing - Suricata rules and datasets to detect phishing attacks.
- sidallocation.org - SID Allocation working group, list of SID ranges.
Rule Management
- Scirius - Web application for Suricata ruleset management and threat hunting.
- IOCmite - Tool to build a Suricata dataset from the indicators of MISP instances and to add sightings in MISP when an indicator from the dataset generates an alert.
- luaevilbit - An "evil bit" implementation in LuaJIT for Suricata.
- Lawmaker - Suricata IDS rule and fleet management system.
- surify-cli - Generate Suricata rules from a collection of IOCs (JSON, CSV or flags) based on your own Suricata rule template.
- suricata-prettifier - Command-line tool to format and syntax highlight Suricata rules.
- OTX-Suricata - Create rules and configuration for Suricata to alert on indicators from an OTX account.
- Aristotle - Simple Python program that filters and modifies Suricata and Snort rulesets based on the key-value pairs found in each rule's metadata keyword.
Plugins and Extensions
- suricata-zabbix - Zabbix application layer plugin for Suricata.
Systems Using Suricata
- SELKS - A Suricata-based intrusion detection system/intrusion prevention system/network security monitoring distribution.
- Amsterdam - Docker-based SELKS: Suricata, Elasticsearch, Logstash, Kibana and Scirius.
- pfSense - A free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
- OPNsense - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
Training
- Experimental Suricata Training Environment - Experimental Suricata Training Environment.
- CDMCS - Cyber Defence Monitoring Course: Rule-based Threat Detection.
Simulation and Testing
- Leonidas - Automated Attack Simulation in the Cloud, complete with detection use cases.
- speeve - Fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications.
- Dalton - Suricata and Snort IDS rule and pcap testing system.
Data Sets
- suricata-sample-data - Repository for creating different example Suricata data sets.
Misc
- Suriwire - Wireshark plugin to display Suricata analysis info.
- bash_cata - A simple script that processes Suricata's eve-log in real time and, based on alerts, adds IP addresses to MikroTik address lists for a specified time so they can be blocked.
- suriGUI - GUI for Suricata + Qubes OS.
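Several entries on this page consume eve.json: FEVER and surevego parse EVE-JSON, and bash_cata turns alerts into temporary address-list blocks. The Python example below is added here and is not taken from any of those projects. It shows the core of such a consumer on constructed EVE lines: skip non-alert events and malformed (mid-write) lines, refuse to act on alerts whose source lies in HOME_NET (an assumed set of RFC 1918 networks), apply a severity threshold, and aggregate per source IP into a block decision with an expiry. The decision map is what you would hand to an enforcement point; the example deliberately stops before any firewall-specific command.

```python
"""Derive time-limited block decisions from Suricata EVE-JSON alerts (added example)."""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Networks that this logic must never block (assumed HOME_NET for the example).
HOME_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed EVE lines (not a real capture). Suricata writes one JSON object per line;
# the two malformed lines mimic what a tailer sees when it reads a record mid-write.
EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5",'
    '"dest_ip":"192.0.2.10","proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7",'
    '"src_port":40001,"dest_ip":"10.0.0.5","dest_port":445,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":1000004,"rev":3,"signature":"EXAMPLE SMB lateral movement","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7",'
    '"src_port":40002,"dest_ip":"10.0.0.5","dest_port":53,"proto":"UDP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":1000002,"rev":1,"signature":"EXAMPLE DNS query","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.9",'
    '"src_port":51000,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":1000001,"rev":2,"signature":"EXAMPLE Suspicious User-Agent","severity":3}}',
    'not json at all',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":52000,"dest_ip":"203.0.113.9","dest_port":445,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":1000004,"rev":3,"signature":"EXAMPLE SMB lateral movement","severity":1}}',
    '{"timestamp":"2024-05-01T10:00:05',
]


def parse_eve_line(line):
    """Decode one EVE line; return None for truncated or otherwise invalid JSON."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_home(ip, home_nets=HOME_NETS):
    addr = ip_address(ip)
    return any(addr in net for net in home_nets)


def process(lines, home_nets=HOME_NETS, ttl=timedelta(minutes=30), max_severity=2):
    """Aggregate alerts per external source IP into block decisions that expire ttl after
    the newest qualifying alert. Suricata severity 1 is the highest, so max_severity=2
    keeps severity 1 and 2 alerts and ignores informational (3 and above) ones."""
    stats = {"lines": 0, "bad_json": 0, "alerts": 0, "skipped_internal": 0, "below_threshold": 0}
    decisions = {}
    for line in lines:
        stats["lines"] += 1
        event = parse_eve_line(line)
        if event is None:
            stats["bad_json"] += 1
            continue
        if event.get("event_type") != "alert":   # flow, dns, http, stats ... carry no verdict
            continue
        stats["alerts"] += 1
        src = event.get("src_ip")
        if src is None or is_home(src, home_nets):   # never block your own hosts
            stats["skipped_internal"] += 1
            continue
        alert = event.get("alert", {})
        if alert.get("severity", 3) > max_severity:
            stats["below_threshold"] += 1
            continue
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        d = decisions.setdefault(src, {"count": 0, "sids": set(), "expires": ts})
        d["count"] += 1
        d["sids"].add(alert.get("signature_id"))
        d["expires"] = max(d["expires"], ts + ttl)   # each new alert extends the block
    for d in decisions.values():
        d["sids"] = sorted(d["sids"])
    return decisions, stats


if __name__ == "__main__":
    decisions, stats = process(EVE_LINES)
    print(stats)
    for ip, d in decisions.items():
        print(ip, d["count"], d["sids"], "until", d["expires"].isoformat())
```

Two of the checks matter more than they look: a tailer that reads eve.json while Suricata is appending will regularly see a half-written last line, so a decoder error must not abort the loop, and an alert whose source is inside HOME_NET (a compromised internal host, or a false positive on a server) must never be turned into a block on the perimeter device.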