Skip to content

Suricata

Awesome Suricata Awesome

Curated list of awesome things related to Suricata.

Suricata is a free intrusion detection/prevention system (IDS/IPS) and network security monitoring engine.

Input Tools

Output Tools

  • suricata-kafka-output - Suricata Eve Kafka Output Plugin for Suricata 6.
  • suricata-redis-output - Suricata Eve Redis Output Plugin for Suricata 7.
  • Meer - Meer is a "spooler" for Suricata / Sagan.
  • FEVER - Fast, extensible, versatile event router for Suricata's EVE-JSON format.
  • Suricata-Logstash-Templates - Templates for Kibana/Logstash to use with Suricata IDPS.
  • Lilith - Reads EVE files into SQL as well as search stored data.

Operations, Monitoring and Troubleshooting

  • slinkwatch - Automatic enumeration and maintenance of Suricata monitoring interfaces.
  • suri-stats - A tool to work on suricata stats.log file.
  • Mauerspecht - Simple Probing Tool for Corporate Walled Garden Networks.
  • ansible-suricata - Suricata Ansible role (slightly outdated).
  • MassDeploySuricata - Mass deploy and update Suricata IDPS using Ansible IT automation platform.
  • docker-suricata - Suricata Docker image.
  • Suricata-Monitoring - LibreNMS JSON / Nagios monitor for Suricata stats.
  • Terraform Module for Suricata - Terraform module to setup Google Cloud packet mirroring and send packets to Suricata.
  • InfluxDB Suricata Input Plugin - Input Plugin for Telegraf to collect and forward Suricata stats logs (included out of the box in recent Telegraf releases).
  • suricata_exporter - Simple Prometheus exporter written in Go exporting stats metrics scraped from Suricata socket.

Programming Libraries and Toolkits

  • rust-suricatax-rule-parser - Experimental Suricata Rule Parser in Rust.
  • go-suricata - Go Client for Suricata (Interacting via Socket).
  • gonids - Go library to parse intrusion detection rules for engines like Snort and Suricata.
  • surevego - Suricata EVE-JSON parser in Go.
  • suricataparser - Pure python parser for Snort/Suricata rules.
  • py-idstools - Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool).

Dashboards and Templates

  • KTS - Kibana 4 Templates for Suricata IDPS Threat Hunting.
  • KTS5 - Kibana 5 Templates for Suricata IDPS Threat Hunting.
  • KTS6 - Kibana 6 Templates for Suricata IDPS Threat Hunting.
  • KTS7 - Kibana 7 Templates for Suricata IDPS Threat Hunting.

Development Tools

  • Suricata Language Server - Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.
  • suricata-ls-vscode - Suricata IntelliSense Extension using the Suricata Language Server.
  • suricata-highlight-vscode - Suricata Rules Support for Visual Studio Code (syntax highlighting, etc).
  • SublimeSuricata - Basic Suricata syntax highlighter for Sublime Text.

Documentation and Guides

Analysis Tools

  • Suricata Analytics - Various resources that are useful when interacting with Suricata data.
  • Malcolm - A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
  • Evebox - Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search.

Rule Sets

Plugins and Extensions

Systems Using Suricata

  • SELKS - A Suricata-based intrusion detection system/intrusion prevention system/network security monitoring distribution.
  • Amsterdam - Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.
  • pfSense - A free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
  • OPNsense - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.

Training

Simulation and Testing

  • Leonidas - Automated Attack Simulation in the Cloud, complete with detection use cases.
  • speeve - Fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications.
  • Dalton - Suricata and Snort IDS rule and pcap testing system.

Data Sets

Misc

  • Suriwire - Wireshark plugin to display Suricata analysis info.
  • bash_cata - A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking.
  • suriGUI - GUI for Suricata + Qubes OS.