19 KiB
19 KiB
Awesome Suricata !Awesome (https://awesome.re/badge-flat2.svg) (https://awesome.re)
(https://suricata.io)
▐ Curated list of awesome things related to Suricata.
Suricata (https://suricata.io/features) is a free intrusion detection/prevention system (IDS/IPS) and network security monitoring engine.
Contents
- Input Tools (#input-tools)
- Output Tools (#output-tools)
- Operations, Monitoring and Troubleshooting (#operations-monitoring-and-troubleshooting)
- Programming Libraries and Toolkits (#programming-libraries-and-toolkits)
- Dashboards and Templates (#dashboards-and-templates)
- Development Tools (#development-tools)
- Documentation and Guides (#documentation-and-guides)
- Analysis Tools (#analysis-tools)
- Rule Sets (#rule-sets)
- Rule/Security Content Management and Handling (#rulesecurity-content-management-and-handling)
- Plugins and Extensions (#plugins-and-extensions)
- Systems Using Suricata (#systems-using-suricata)
- Training (#training)
- Simulation and Testing (#simulation-and-testing)
- Data Sets (#data-sets)
- Misc (#misc)
Input Tools
- PacketStreamer (https://github.com/deepfence/PacketStreamer) - Distributed tcpdump for cloud native environments.
Output Tools
- suricata-kafka-output (https://github.com/Center-Sun/suricata-kafka-output) - Suricata Eve Kafka Output Plugin for Suricata 6.
- suricata-redis-output (https://github.com/jasonish/suricata-redis-output) - Suricata Eve Redis Output Plugin for Suricata 7.
- Meer (https://github.com/quadrantsec/meer) - Meer is a "spooler" for Suricata / Sagan.
- FEVER (https://github.com/DCSO/fever) - Fast, extensible, versatile event router for Suricata's EVE-JSON format.
- Suricata-Logstash-Templates (https://github.com/pevma/Suricata-Logstash-Templates) - Templates for Kibana/Logstash to use with Suricata IDPS.
- Lilith (https://github.com/VVelox/Lilith) - Reads EVE files into SQL as well as search stored data.
Operations, Monitoring and Troubleshooting
- slinkwatch (https://github.com/DCSO/slinkwatch) - Automatic enumeration and maintenance of Suricata monitoring interfaces.
- suri-stats (https://github.com/regit/suri-stats) - A tool to work on suricata stats.log file.
- Mauerspecht (https://github.com/DCSO/mauerspecht) - Simple Probing Tool for Corporate Walled Garden Networks.
- ansible-suricata (https://github.com/GitMirar/ansible-suricata) - Suricata Ansible role (slightly outdated).
- MassDeploySuricata (https://github.com/pevma/MassDeploySuricata) - Mass deploy and update Suricata IDPS using Ansible IT automation platform.
- docker-suricata (https://github.com/jasonish/docker-suricata) - Suricata Docker image.
- Suricata-Monitoring (https://github.com/VVelox/Suricata-Monitoring) - LibreNMS JSON / Nagios monitor for Suricata stats.
- Terraform Module for Suricata (https://github.com/onetwopunch/terraform-google-suricata) - Terraform module to setup Google Cloud packet mirroring and send packets to Suricata.
- InfluxDB Suricata Input Plugin (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata) - Input Plugin for Telegraf to collect and forward Suricata stats logs (included out of the box in recent Telegraf releases).
- suricata_exporter (https://github.com/corelight/suricata_exporter) - Simple Prometheus exporter written in Go exporting stats metrics scraped from Suricata socket.
Programming Libraries and Toolkits
- rust-suricatax-rule-parser (https://github.com/jasonish/rust-suricatax-rule-parser) - Experimental Suricata Rule Parser in Rust.
- go-suricata (https://github.com/ks2211/go-suricata) - Go Client for Suricata (Interacting via Socket).
- gonids (https://github.com/google/gonids) - Go library to parse intrusion detection rules for engines like Snort and Suricata.
- surevego (https://github.com/rhaist/surevego) - Suricata EVE-JSON parser in Go.
- suricataparser (https://github.com/m-chrome/py-suricataparser) - Pure python parser for Snort/Suricata rules.
- py-idstools (https://github.com/jasonish/py-idstools) - Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool).
Dashboards and Templates
- KTS (https://github.com/StamusNetworks/KTS) - Kibana 4 Templates for Suricata IDPS Threat Hunting.
- KTS5 (https://github.com/StamusNetworks/KTS5) - Kibana 5 Templates for Suricata IDPS Threat Hunting.
- KTS6 (https://github.com/StamusNetworks/KTS6) - Kibana 6 Templates for Suricata IDPS Threat Hunting.
- KTS7 (https://github.com/StamusNetworks/KTS7) - Kibana 7 Templates for Suricata IDPS Threat Hunting.
Development Tools
- Suricata Language Server (https://github.com/StamusNetworks/suricata-language-server) - Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to
your preferred editor once it is configured.
- suricata-ls-vscode (https://github.com/StamusNetworks/suricata-ls-vscode) - Suricata IntelliSense Extension using the Suricata Language Server.
- suricata-highlight-vscode (https://github.com/dgenzer/suricata-highlight-vscode) - Suricata Rules Support for Visual Studio Code (syntax highlighting, etc).
- SublimeSuricata (https://github.com/ozuriexv/SublimeSuricata) - Basic Suricata syntax highlighter for Sublime Text.
- Suricata-Check (https://suricata-check.teuwen.net/readme.html) - suricata-check is a command-line utility to provide feedback on Suricata rules. It can detect issues such as covering syntax validity, interpretability, rule specificity, rule
coverage, and efficiency.
Documentation and Guides
- SEPTun (https://github.com/pevma/SEPTun) - Suricata Extreme Performance Tuning guide.
- SEPTun-Mark-II (https://github.com/pevma/SEPTun-Mark-II) - Suricata Extreme Performance Tuning guide - Mark II.
- suricata-4-analysts (https://github.com/StamusNetworks/suricata-4-analysts) - The Security Analyst's Guide to Suricata.
- Suricata Community Style Guide (https://github.com/sidallocation/suricata-style-guide) - A collaborative document to collect style guidelines from the community of rule writers.
Analysis Tools
- Suricata Analytics (https://github.com/StamusNetworks/suricata-analytics) - Various resources that are useful when interacting with Suricata data.
- Malcolm (https://github.com/cisagov/Malcolm) - A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
- Evebox (https://github.com/jasonish/evebox) - Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search.
Rule Sets
- nids-rule-library (https://github.com/klingerko/nids-rule-library#readme) - Collection of various open-source and commercial rulesets.
- Stamus Lateral Movement Detection Rules (https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata) - Suricata ruleset to detect lateral movement.
- QuadrantSec Suricata Rules (https://github.com/quadrantsec/suricata-rules) - QuadrantSec Suricata rules.
- Cluster25/detection (https://github.com/Cluster25/detection) - Cluster25's detection rules.
- Networkforensic.dk (NF) rules sets:
- NF IDS rules (https://networkforensic.dk/SNORT/NF-local.zip)
- NF SCADA IDS Rules (https://networkforensic.dk/SNORT/NF-SCADA.zip)
- NF Scanners IDS Rules (https://networkforensic.dk/SNORT/NF-Scanners.zip)
- Quantum Insert detection for Suricata (https://github.com/fox-it/quantuminsert/blob/master/detection/suricata/README.md) - Suricata rules accompanying Fox-IT's QUANTUM 2015 blog/BroCon talk.
- Hunting rules (https://github.com/travisbgreen/hunting-rules) - Suricata IDS alert rules for network anomaly detection from Travis Green.
- 3CORESec NIDS - Lateral Movement (https://dtection.io/ruleset/3cs_lateral) - Suricata ruleset focusing on lateral movement techniques (paid).
- 3CORESec NIDS - Sinkholes (https://dtection.io/ruleset/3cs_sinkholes) - Suricata ruleset focused on a curated list of public malware sinkholes (free).
- PAW Patrules (https://pawpatrules.fr) - Another free (CC BY-NC-SA) collection of rules for the Suricata engine.
- opnsense-suricata-nmaps (https://github.com/aleksibovellan/opnsense-suricata-nmaps) - OPNSense's Suricata IDS/IPS Detection Rules Against NMAP Scans.
- Antiphishing (https://github.com/julioliraup/Antiphishing) - Suricata rules and datasets to detect phishing attacks.
Rule/Security Content Management and Handling
- sidallocation.org (https://sidallocation.org/) - Sid Allocation working group, list of SID ranges.
- Scirius (https://github.com/StamusNetworks/scirius) - Web application for Suricata ruleset management and threat hunting.
- IOCmite (https://github.com/sebdraven/IOCmite) - Tool to create dataset for suricata with indicators of MISP instances and add sightings in MISP if an indicator of dataset generates an alert.
- luaevilbit (https://github.com/regit/luaevilbit) - An Evil bit implementation in luajit for Suricata.
- Lawmaker (https://www.3coresec.com/solutions/lawmaker) - Suricata IDS rule and fleet management system.
- surify-cli (https://github.com/dgenzer/surify-cli) - Generate suricata-rules from collection of IOCs (JSON, CSV or flags) based on your suricata template.
- suricata-prettifier (https://github.com/theY4Kman/suricata-prettifier) - Command-line tool to format and syntax highlight Suricata rules.
- OTX-Suricata (https://github.com/AlienVault-OTX/OTX-Suricata) - Create rules and configuration for Suricata to alert on indicators from an OTX account.
- Aristotle (https://github.com/secureworks/aristotle) - Simple Python program that allows for the filtering and modifying of Suricata and Snort rulesets based on interpreted key-value pairs present in the metadata keyword within each rule.
Plugins and Extensions
- suricata-zabbix (https://github.com/catenacyber/suricata-zabbix) - Zabbix application layer plugin for Suricata.
Systems Using Suricata
- SELKS (https://github.com/StamusNetworks/SELKS) - A Suricata-based intrusion detection system/intrusion prevention system/network security monitoring distribution.
- Amsterdam (https://github.com/StamusNetworks/Amsterdam) - Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.
- pfSense (https://www.pfsense.org) - A free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
- OPNsense (https://opnsense.org) - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
Training
- Experimental Suricata Training Environment (https://github.com/jasonish/experimental-suricata-training) - Experimental Suricata Training Environment.
- CDMCS (https://github.com/ccdcoe/CDMCS/tree/master) - Cyber Defence Monitoring Course: Rule-based Threat Detection.
Simulation and Testing
- Leonidas (https://github.com/WithSecureLabs/leonidas) - Automated Attack Simulation in the Cloud, complete with detection use cases.
- speeve (https://github.com/satta/speeve) - Fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications.
- Dalton (https://github.com/secureworks/dalton) - Suricata and Snort IDS rule and pcap testing system.
Data Sets
- suricata-sample-data (https://github.com/FrankHassanabad/suricata-sample-data) - Repository of creating different example suricata data sets.
Misc
- Suriwire (https://github.com/regit/suriwire) - Wireshark plugin to display Suricata analysis info.
- bash_cata (https://github.com/isMTv/bash_cata) - A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking.
- suriGUI (https://github.com/control-owl/suriGUI) - GUI for Suricata + Qubes OS.
- SuriGuard (https://github.com/SEc-123/SuriGuard1) - Web-based management system for Suricata IDS/IPS, featuring advanced analytics and visualization capabilities.
suricata Github: https://github.com/satta/awesome-suricata
(https://suricata.io)
▐ Curated list of awesome things related to Suricata.
Suricata (https://suricata.io/features) is a free intrusion detection/prevention system (IDS/IPS) and network security monitoring engine.
Contents
- Input Tools (#input-tools)
- Output Tools (#output-tools)
- Operations, Monitoring and Troubleshooting (#operations-monitoring-and-troubleshooting)
- Programming Libraries and Toolkits (#programming-libraries-and-toolkits)
- Dashboards and Templates (#dashboards-and-templates)
- Development Tools (#development-tools)
- Documentation and Guides (#documentation-and-guides)
- Analysis Tools (#analysis-tools)
- Rule Sets (#rule-sets)
- Rule/Security Content Management and Handling (#rulesecurity-content-management-and-handling)
- Plugins and Extensions (#plugins-and-extensions)
- Systems Using Suricata (#systems-using-suricata)
- Training (#training)
- Simulation and Testing (#simulation-and-testing)
- Data Sets (#data-sets)
- Misc (#misc)
Input Tools
- PacketStreamer (https://github.com/deepfence/PacketStreamer) - Distributed tcpdump for cloud native environments.
Output Tools
- suricata-kafka-output (https://github.com/Center-Sun/suricata-kafka-output) - Suricata Eve Kafka Output Plugin for Suricata 6.
- suricata-redis-output (https://github.com/jasonish/suricata-redis-output) - Suricata Eve Redis Output Plugin for Suricata 7.
- Meer (https://github.com/quadrantsec/meer) - Meer is a "spooler" for Suricata / Sagan.
- FEVER (https://github.com/DCSO/fever) - Fast, extensible, versatile event router for Suricata's EVE-JSON format.
- Suricata-Logstash-Templates (https://github.com/pevma/Suricata-Logstash-Templates) - Templates for Kibana/Logstash to use with Suricata IDPS.
- Lilith (https://github.com/VVelox/Lilith) - Reads EVE files into SQL as well as search stored data.
Operations, Monitoring and Troubleshooting
- slinkwatch (https://github.com/DCSO/slinkwatch) - Automatic enumeration and maintenance of Suricata monitoring interfaces.
- suri-stats (https://github.com/regit/suri-stats) - A tool to work on suricata stats.log file.
- Mauerspecht (https://github.com/DCSO/mauerspecht) - Simple Probing Tool for Corporate Walled Garden Networks.
- ansible-suricata (https://github.com/GitMirar/ansible-suricata) - Suricata Ansible role (slightly outdated).
- MassDeploySuricata (https://github.com/pevma/MassDeploySuricata) - Mass deploy and update Suricata IDPS using Ansible IT automation platform.
- docker-suricata (https://github.com/jasonish/docker-suricata) - Suricata Docker image.
- Suricata-Monitoring (https://github.com/VVelox/Suricata-Monitoring) - LibreNMS JSON / Nagios monitor for Suricata stats.
- Terraform Module for Suricata (https://github.com/onetwopunch/terraform-google-suricata) - Terraform module to setup Google Cloud packet mirroring and send packets to Suricata.
- InfluxDB Suricata Input Plugin (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata) - Input Plugin for Telegraf to collect and forward Suricata stats logs (included out of the box in recent Telegraf releases).
- suricata_exporter (https://github.com/corelight/suricata_exporter) - Simple Prometheus exporter written in Go exporting stats metrics scraped from Suricata socket.
Programming Libraries and Toolkits
- rust-suricatax-rule-parser (https://github.com/jasonish/rust-suricatax-rule-parser) - Experimental Suricata Rule Parser in Rust.
- go-suricata (https://github.com/ks2211/go-suricata) - Go Client for Suricata (Interacting via Socket).
- gonids (https://github.com/google/gonids) - Go library to parse intrusion detection rules for engines like Snort and Suricata.
- surevego (https://github.com/rhaist/surevego) - Suricata EVE-JSON parser in Go.
- suricataparser (https://github.com/m-chrome/py-suricataparser) - Pure python parser for Snort/Suricata rules.
- py-idstools (https://github.com/jasonish/py-idstools) - Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool).
Dashboards and Templates
- KTS (https://github.com/StamusNetworks/KTS) - Kibana 4 Templates for Suricata IDPS Threat Hunting.
- KTS5 (https://github.com/StamusNetworks/KTS5) - Kibana 5 Templates for Suricata IDPS Threat Hunting.
- KTS6 (https://github.com/StamusNetworks/KTS6) - Kibana 6 Templates for Suricata IDPS Threat Hunting.
- KTS7 (https://github.com/StamusNetworks/KTS7) - Kibana 7 Templates for Suricata IDPS Threat Hunting.
Development Tools
- Suricata Language Server (https://github.com/StamusNetworks/suricata-language-server) - Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to
your preferred editor once it is configured.
- suricata-ls-vscode (https://github.com/StamusNetworks/suricata-ls-vscode) - Suricata IntelliSense Extension using the Suricata Language Server.
- suricata-highlight-vscode (https://github.com/dgenzer/suricata-highlight-vscode) - Suricata Rules Support for Visual Studio Code (syntax highlighting, etc).
- SublimeSuricata (https://github.com/ozuriexv/SublimeSuricata) - Basic Suricata syntax highlighter for Sublime Text.
- Suricata-Check (https://suricata-check.teuwen.net/readme.html) - suricata-check is a command-line utility to provide feedback on Suricata rules. It can detect issues such as covering syntax validity, interpretability, rule specificity, rule
coverage, and efficiency.
Documentation and Guides
- SEPTun (https://github.com/pevma/SEPTun) - Suricata Extreme Performance Tuning guide.
- SEPTun-Mark-II (https://github.com/pevma/SEPTun-Mark-II) - Suricata Extreme Performance Tuning guide - Mark II.
- suricata-4-analysts (https://github.com/StamusNetworks/suricata-4-analysts) - The Security Analyst's Guide to Suricata.
- Suricata Community Style Guide (https://github.com/sidallocation/suricata-style-guide) - A collaborative document to collect style guidelines from the community of rule writers.
Analysis Tools
- Suricata Analytics (https://github.com/StamusNetworks/suricata-analytics) - Various resources that are useful when interacting with Suricata data.
- Malcolm (https://github.com/cisagov/Malcolm) - A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
- Evebox (https://github.com/jasonish/evebox) - Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search.
Rule Sets
- nids-rule-library (https://github.com/klingerko/nids-rule-library#readme) - Collection of various open-source and commercial rulesets.
- Stamus Lateral Movement Detection Rules (https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata) - Suricata ruleset to detect lateral movement.
- QuadrantSec Suricata Rules (https://github.com/quadrantsec/suricata-rules) - QuadrantSec Suricata rules.
- Cluster25/detection (https://github.com/Cluster25/detection) - Cluster25's detection rules.
- Networkforensic.dk (NF) rules sets:
- NF IDS rules (https://networkforensic.dk/SNORT/NF-local.zip)
- NF SCADA IDS Rules (https://networkforensic.dk/SNORT/NF-SCADA.zip)
- NF Scanners IDS Rules (https://networkforensic.dk/SNORT/NF-Scanners.zip)
- Quantum Insert detection for Suricata (https://github.com/fox-it/quantuminsert/blob/master/detection/suricata/README.md) - Suricata rules accompanying Fox-IT's QUANTUM 2015 blog/BroCon talk.
- Hunting rules (https://github.com/travisbgreen/hunting-rules) - Suricata IDS alert rules for network anomaly detection from Travis Green.
- 3CORESec NIDS - Lateral Movement (https://dtection.io/ruleset/3cs_lateral) - Suricata ruleset focusing on lateral movement techniques (paid).
- 3CORESec NIDS - Sinkholes (https://dtection.io/ruleset/3cs_sinkholes) - Suricata ruleset focused on a curated list of public malware sinkholes (free).
- PAW Patrules (https://pawpatrules.fr) - Another free (CC BY-NC-SA) collection of rules for the Suricata engine.
- opnsense-suricata-nmaps (https://github.com/aleksibovellan/opnsense-suricata-nmaps) - OPNSense's Suricata IDS/IPS Detection Rules Against NMAP Scans.
- Antiphishing (https://github.com/julioliraup/Antiphishing) - Suricata rules and datasets to detect phishing attacks.
Rule/Security Content Management and Handling
- sidallocation.org (https://sidallocation.org/) - Sid Allocation working group, list of SID ranges.
- Scirius (https://github.com/StamusNetworks/scirius) - Web application for Suricata ruleset management and threat hunting.
- IOCmite (https://github.com/sebdraven/IOCmite) - Tool to create dataset for suricata with indicators of MISP instances and add sightings in MISP if an indicator of dataset generates an alert.
- luaevilbit (https://github.com/regit/luaevilbit) - An Evil bit implementation in luajit for Suricata.
- Lawmaker (https://www.3coresec.com/solutions/lawmaker) - Suricata IDS rule and fleet management system.
- surify-cli (https://github.com/dgenzer/surify-cli) - Generate suricata-rules from collection of IOCs (JSON, CSV or flags) based on your suricata template.
- suricata-prettifier (https://github.com/theY4Kman/suricata-prettifier) - Command-line tool to format and syntax highlight Suricata rules.
- OTX-Suricata (https://github.com/AlienVault-OTX/OTX-Suricata) - Create rules and configuration for Suricata to alert on indicators from an OTX account.
- Aristotle (https://github.com/secureworks/aristotle) - Simple Python program that allows for the filtering and modifying of Suricata and Snort rulesets based on interpreted key-value pairs present in the metadata keyword within each rule.
Plugins and Extensions
- suricata-zabbix (https://github.com/catenacyber/suricata-zabbix) - Zabbix application layer plugin for Suricata.
Systems Using Suricata
- SELKS (https://github.com/StamusNetworks/SELKS) - A Suricata-based intrusion detection system/intrusion prevention system/network security monitoring distribution.
- Amsterdam (https://github.com/StamusNetworks/Amsterdam) - Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.
- pfSense (https://www.pfsense.org) - A free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
- OPNsense (https://opnsense.org) - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
Training
- Experimental Suricata Training Environment (https://github.com/jasonish/experimental-suricata-training) - Experimental Suricata Training Environment.
- CDMCS (https://github.com/ccdcoe/CDMCS/tree/master) - Cyber Defence Monitoring Course: Rule-based Threat Detection.
Simulation and Testing
- Leonidas (https://github.com/WithSecureLabs/leonidas) - Automated Attack Simulation in the Cloud, complete with detection use cases.
- speeve (https://github.com/satta/speeve) - Fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications.
- Dalton (https://github.com/secureworks/dalton) - Suricata and Snort IDS rule and pcap testing system.
Data Sets
- suricata-sample-data (https://github.com/FrankHassanabad/suricata-sample-data) - Repository of creating different example suricata data sets.
Misc
- Suriwire (https://github.com/regit/suriwire) - Wireshark plugin to display Suricata analysis info.
- bash_cata (https://github.com/isMTv/bash_cata) - A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking.
- suriGUI (https://github.com/control-owl/suriGUI) - GUI for Suricata + Qubes OS.
- SuriGuard (https://github.com/SEc-123/SuriGuard1) - Web-based management system for Suricata IDS/IPS, featuring advanced analytics and visualization capabilities.
suricata Github: https://github.com/satta/awesome-suricata