top of page
  • Writer's pictureBrian


Suricata is a popular open-source Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) solution. You may have heard of another similar solution known as Snort. The non-profit Open Information Security Foundation (OISF) created and currently maintains Suricata. Suricata utilizes rulesets containing signatures, and these rules define the actions Suricata takes when a rule match occurs (OISF, 2021). When configured as an IDS, Suricata can generate alerts by matching data from network packets to a ruleset containing Suricata rules.


Network Security Monitoring

NSM is a cyclical process of collection, detection, and analysis of network data. Before the inception of NSM, the detection was performed via a process known as intrusion detection, which neglected the collection and analysis portions of NSM. Additionally, NSM is a threat-centric approach where intrusion detection is vulnerability-centric. Threat-centric methods utilize threat intelligence to detect items that fall within an organization's threat model (Sanders & Smith, 2015). Suricata is useful in the practice of network security monitoring. Security analysts can develop signatures that generate an alert upon anomaly detection. Signature-based NSM solutions function very similarly to signature-based antivirus solutions (Andress, 2019).

If an anomaly is discovered that does not already have a corresponding rule for detection, a rule can be written to detect the anomaly. Once you have a rulefile containing the newly written rule, Suricata will need to be configured to use this ruleset. This can easily be done by manipulating a Suricata configuration file.


If you have not already, I recommend checking out Suricata.

Information about installing Suricata can be found here:



Andress, J. (2019). Foundations of Information Security. No Starch Press.

Open Information Security Foundation. (2021). Suricata User Guide.

Sanders, C., & Smith, J. (2014) Applied Network Security Monitoring. Syngress

Recent Posts

See All


bottom of page