Snort’s successor
Snort, Martin Roesch’s Intrusion Detection System, has been the open source standard for detecting malicious traffic since the 1990s. By the late 2000s, however, its limits were showing: a single-threaded engine, poor IPv6 support, and difficulty keeping up with throughput growth in production networks.
In 2009 the Open Information Security Foundation (OISF), a non-profit consortium with initial funding from the US Department of Homeland Security, the Navy and private contributors, started Suricata. The goal: a modern IDS/IPS rewritten in C, with a natively multi-threaded architecture and an extensible design.
Suricata 1.0 was released on 27 July 2010, under GPLv2.
Multi-threading and performance
Suricata uses all CPU cores by decomposing the work across thread types:
- Capture threads — read packets from the interface
- Decode threads — protocol parsing
- Stream engine — TCP reassembly
- Detect threads — rule matching (parallel across different flows)
- Output threads — alert and log writing
On commodity multi-core hardware of the 2010s, Suricata sustains multi-gigabit throughput with full rule sets loaded.
Snort compatibility
A strategic choice: Suricata uses the same rule format as Snort. Existing rule sets (Emerging Threats, the public Talos rules) run without modification, so organisations that have invested in tuning Snort rules can test Suricata without rewriting them.
In later versions Suricata extends the syntax with keywords of its own (protocol-specific detection for TLS, SSH and HTTP, and Lua scripting).
Application layer detection
Suricata includes native parsers for application-layer protocols: HTTP, TLS, SMB, DNS, SSH, FTP, SMTP and Modbus. This allows rules that match protocol semantics rather than just byte patterns, e.g. “alert if the TLS SNI contains a suspicious domain” or “alert if the HTTP Host header does not match the TLS certificate”.
NSM — Network Security Monitoring
Beyond IDS/IPS, Suricata produces enriched metadata in EVE (Extensible Event Format) JSON: every HTTP, DNS, TLS and SSH flow generates a structured record, even when no alert fires. This allows Suricata to be used as a Network Security Monitoring platform, collecting telemetry for retrospective analysis independently of signature-based detection.
It integrates naturally with the ELK Stack (Elasticsearch, Logstash, Kibana), Splunk and Security Onion.
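An added illustration (not code from the original page or from the Suricata project) of the two modes described above: the same domain watchlist check written once as a Suricata rule on the TLS SNI, and once as a Python replay over constructed EVE JSON lines, where DNS and HTTP records that no signature fired on are still found. Field names follow EVE’s tls/http/dns records; the domain, IP addresses and sid are made up, and `tls.sni` is the sticky-buffer syntax of recent Suricata releases.

```python
import json

# Signature-based form of the check (modern Suricata syntax, assumed here):
# alert tls any any -> any any (msg:"TLS SNI on watchlist"; tls.sni; \
#     content:"example-bad.test"; nocase; sid:1000001; rev:1;)
# That rule only sees TLS. The NSM replay below also catches DNS and HTTP.

# Constructed EVE JSON lines (not a real capture): tls, http, dns and alert
# records as Suricata would write them to eve.json, one JSON object per line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10",'
    '"tls":{"sni":"update.example-bad.test","subject":"CN=example-bad.test"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.20",'
    '"http":{"hostname":"cdn.example.org","url":"/index.html","http_method":"GET"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"dns",'
    '"src_ip":"10.0.0.6","dest_ip":"10.0.0.1",'
    '"dns":{"type":"query","rrname":"mail.example-bad.test","rrtype":"A"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10",'
    '"alert":{"signature_id":1000001,"signature":"TLS SNI on watchlist"}}',
]

WATCHLIST = {"example-bad.test"}  # constructed watchlist entry


def domain_on_watchlist(name, watchlist=WATCHLIST):
    """True if name equals, or is a subdomain of, a watchlisted domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def hunt_eve(lines, watchlist=WATCHLIST):
    """Replay EVE records and return {event_type: [flow_id, ...]} for hits.

    The domain is taken from tls.sni, http.hostname or dns.rrname, so flows
    that produced only telemetry (no alert record) are still surfaced."""
    hits = {}
    for line in lines:
        rec = json.loads(line)
        et = rec.get("event_type")
        name = None
        if et == "tls":
            name = rec["tls"].get("sni")
        elif et == "http":
            name = rec["http"].get("hostname")
        elif et == "dns":
            name = rec["dns"].get("rrname")
        if name and domain_on_watchlist(name, watchlist):
            hits.setdefault(et, []).append(rec["flow_id"])
    return hits
```

Run against a real eve.json by iterating over the file’s lines instead of `SAMPLE_EVE_LINES`; the DNS hit on flow 3 is the kind of finding the TLS-only rule would never raise.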
Institutional adoption
- US Department of Homeland Security — original sponsor, uses Suricata in federal infrastructure
- ESET, Trend Micro, CrowdStrike — integration in commercial products
- Cloud providers and MSSPs — distributed sensors
- SELKS (Stamus Networks) — turnkey distribution with Suricata + ELK
- Security Onion — network security monitoring distro including Suricata
In the Italian context
In Italy, Suricata is adopted by:
- National and regional CERTs — public infrastructure monitoring
- ISPs — detection on backbone
- Universities and research centres — security teaching and research
- Italian MSSPs — managed IDS offering
Parallel efforts such as Snort 3 (2020) have removed some of Snort’s limitations, but Suricata retains its lead in high-throughput and NSM-centric scenarios.
References: Suricata 1.0 (27 July 2010). Open Information Security Foundation (OISF). GPL v2 licence. Original sponsors: US DHS, Navy, private. Snort rule format compatibility. EVE JSON output. ELK, Splunk, Security Onion integration.