Awesome Suricata

Curated list of awesome things related to Suricata.

Suricata is a free intrusion detection/prevention system (IDS/IPS) and network security monitoring engine.

Contents

• Input Tools
• Output Tools
• Operations, Monitoring and Troubleshooting
• Programming Libraries and Toolkits
• Dashboards and Templates
• Development Tools
• Documentation and Guides
• Analysis Tools
• Rule Sets
• Rule/Security Content Management and Handling
• Plugins and Extensions
• Systems Using Suricata
• Training
• Simulation and Testing
• Data Sets
• Misc

Input Tools

• PacketStreamer - Distributed tcpdump for cloud native environments.

Output Tools

• suricata-kafka-output - Suricata Eve Kafka Output Plugin for Suricata 6.
• suricata-redis-output - Suricata Eve Redis Output Plugin for Suricata 7.
• Meer - Meer is a “spooler” for Suricata / Sagan.
• FEVER - Fast, extensible, versatile event router for Suricata’s EVE-JSON format.
• Suricata-Logstash-Templates - Templates for Kibana/Logstash to use with Suricata IDPS.
• Lilith - Reads EVE files into SQL as well as search stored data.

Operations, Monitoring and Troubleshooting

• slinkwatch - Automatic enumeration and maintenance of Suricata monitoring interfaces.
• suri-stats - A tool to work on suricata stats.log file.
• Mauerspecht - Simple Probing Tool for Corporate Walled Garden Networks.
• ansible-suricata - Suricata Ansible role (slightly outdated).
• MassDeploySuricata - Mass deploy and update Suricata IDPS using Ansible IT automation platform.
• docker-suricata - Suricata Docker image.
• Suricata-Monitoring - LibreNMS JSON / Nagios monitor for Suricata stats.
• Terraform Module for Suricata - Terraform module to setup Google Cloud packet mirroring and send packets to Suricata.
• InfluxDB Suricata Input Plugin - Input Plugin for Telegraf to collect and forward Suricata stats logs (included out of the box in recent Telegraf releases).
• suricata_exporter - Simple Prometheus exporter written in Go exporting stats metrics scraped from Suricata socket.

Programming Libraries and Toolkits

• rust-suricatax-rule-parser - Experimental Suricata Rule Parser in Rust.
• go-suricata - Go Client for Suricata (Interacting via Socket).
• gonids - Go library to parse intrusion detection rules for engines like Snort and Suricata.
• surevego - Suricata EVE-JSON parser in Go.
• suricataparser - Pure python parser for Snort/Suricata rules.
• py-idstools - Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool).

Dashboards and Templates

• KTS - Kibana 4 Templates for Suricata IDPS Threat Hunting.
• KTS5 - Kibana 5 Templates for Suricata IDPS Threat Hunting.
• KTS6 - Kibana 6 Templates for Suricata IDPS Threat Hunting.
• KTS7 - Kibana 7 Templates for Suricata IDPS Threat Hunting.

Development Tools

• Suricata Language Server - Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.
• suricata-ls-vscode - Suricata IntelliSense Extension using the Suricata Language Server.
• suricata-highlight-vscode - Suricata Rules Support for Visual Studio Code (syntax highlighting, etc).
• SublimeSuricata - Basic Suricata syntax highlighter for Sublime Text.
• Suricata-Check - suricata-check is a command-line utility to provide feedback on Suricata rules. It can detect issues such as covering syntax validity, interpretability, rule specificity, rule coverage, and efficiency.

Documentation and Guides

• SEPTun - Suricata Extreme Performance Tuning guide.
• SEPTun-Mark-II - Suricata Extreme Performance Tuning guide - Mark II.
• suricata-4-analysts - The Security Analyst’s Guide to Suricata.
• Suricata Community Style Guide - A collaborative document to collect style guidelines from the community of rule writers.

Analysis Tools

• Suricata Analytics - Various resources that are useful when interacting with Suricata data.
• Malcolm - A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
• Evebox - Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search.

Rule Sets

• nids-rule-library - Collection of various open-source and commercial rulesets.
• Stamus Lateral Movement Detection Rules - Suricata ruleset to detect lateral movement.
• QuadrantSec Suricata Rules - QuadrantSec Suricata rules.
• Cluster25/detection - Cluster25’s detection rules.
• Networkforensic.dk (NF) rules sets:
  • NF IDS rules
  • NF SCADA IDS Rules
  • NF Scanners IDS Rules
• Quantum Insert detection for Suricata - Suricata rules accompanying Fox-IT’s QUANTUM 2015 blog/BroCon talk.
• Hunting rules - Suricata IDS alert rules for network anomaly detection from Travis Green.
• 3CORESec NIDS - Lateral Movement - Suricata ruleset focusing on lateral movement techniques (paid).
• 3CORESec NIDS - Sinkholes - Suricata ruleset focused on a curated list of public malware sinkholes (free).
• PAW Patrules - Another free (CC BY-NC-SA) collection of rules for the Suricata engine.
• opnsense-suricata-nmaps - OPNSense’s Suricata IDS/IPS Detection Rules Against NMAP Scans.
• Antiphishing - Suricata rules and datasets to detect phishing attacks.

Rule/Security Content Management and Handling

• sidallocation.org - Sid Allocation working group, list of SID ranges.
• Scirius - Web application for Suricata ruleset management and threat hunting.
• IOCmite - Tool to create dataset for suricata with indicators of MISP instances and add sightings in MISP if an indicator of dataset generates an alert.
• luaevilbit - An Evil bit implementation in luajit for Suricata.
• Lawmaker - Suricata IDS rule and fleet management system.
• surify-cli - Generate suricata-rules from collection of IOCs (JSON, CSV or flags) based on your suricata template.
• suricata-prettifier - Command-line tool to format and syntax highlight Suricata rules.
• OTX-Suricata - Create rules and configuration for Suricata to alert on indicators from an OTX account.
• Aristotle - Simple Python program that allows for the filtering and modifying of Suricata and Snort rulesets based on interpreted key-value pairs present in the metadata keyword within each rule.

Plugins and Extensions

• suricata-zabbix - Zabbix application layer plugin for Suricata.

Systems Using Suricata

• SELKS - A Suricata-based intrusion detection system/intrusion prevention system/network security monitoring distribution.
• Amsterdam - Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.
• pfSense - A free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
• OPNsense - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.

Training

• Experimental Suricata Training Environment - Experimental Suricata Training Environment.
• CDMCS - Cyber Defence Monitoring Course: Rule-based Threat Detection.

Simulation and Testing

• Leonidas - Automated Attack Simulation in the Cloud, complete with detection use cases.
• speeve - Fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications.
• Dalton - Suricata and Snort IDS rule and pcap testing system.

Data Sets

• suricata-sample-data - Repository of creating different example suricata data sets.

Misc

• Suriwire - Wireshark plugin to display Suricata analysis info.
• bash_cata - A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking.
• suriGUI - GUI for Suricata + Qubes OS.
• SuriGuard - Web-based management system for Suricata IDS/IPS, featuring advanced analytics and visualization capabilities.

suricata.md Github