awesome-awesomeness/html/suricata.html
2024-04-20 19:22:54 +02:00
<h1 id="awesome-suricata-awesome">Awesome Suricata <a
href="https://awesome.re"><img src="https://awesome.re/badge-flat2.svg"
alt="Awesome" /></a></h1>
<p><a
href="https://suricata.io"><img src="https://suricata.io/wp-content/uploads/2022/01/Logo-SuricataFinal-1-translucent.png" align="right" width="120"></a></p>
<blockquote>
<p>Curated list of awesome things related to Suricata.</p>
</blockquote>
<p><a href="https://suricata.io/features">Suricata</a> is a free
intrusion detection/prevention system (IDS/IPS) and network security
monitoring engine.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#input-tools">Input Tools</a></li>
<li><a href="#output-tools">Output Tools</a></li>
<li><a href="#operations-monitoring-and-troubleshooting">Operations,
Monitoring and Troubleshooting</a></li>
<li><a href="#programming-libraries-and-toolkits">Programming Libraries
and Toolkits</a></li>
<li><a href="#dashboards-and-templates">Dashboards and
Templates</a></li>
<li><a href="#development-tools">Development Tools</a></li>
<li><a href="#documentation-and-guides">Documentation and
Guides</a></li>
<li><a href="#analysis-tools">Analysis Tools</a></li>
<li><a href="#rule-sets">Rule Sets</a></li>
<li><a
href="#rulesecurity-content-management-and-handling">Rule/Security
Content Management and Handling</a></li>
<li><a href="#systems-using-suricata">Systems Using Suricata</a></li>
<li><a href="#training">Training</a></li>
<li><a href="#simulation-and-testing">Simulation and Testing</a></li>
<li><a href="#data-sets">Data Sets</a></li>
<li><a href="#misc">Misc</a></li>
</ul>
<h2 id="input-tools">Input Tools</h2>
<ul>
<li><a
href="https://github.com/deepfence/PacketStreamer">PacketStreamer</a> -
Distributed tcpdump for cloud native environments.</li>
</ul>
<h2 id="output-tools">Output Tools</h2>
<ul>
<li><a
href="https://github.com/Center-Sun/suricata-kafka-output">suricata-kafka-output</a>
- Suricata Eve Kafka Output Plugin for Suricata 6.</li>
<li><a
href="https://github.com/jasonish/suricata-redis-output">suricata-redis-output</a>
- Suricata Eve Redis Output Plugin for Suricata 7.</li>
<li><a href="https://github.com/quadrantsec/meer">Meer</a> - Meer is a
“spooler” for Suricata / Sagan.</li>
<li><a href="https://github.com/DCSO/fever">FEVER</a> - Fast,
extensible, versatile event router for Suricata's EVE-JSON format.</li>
<li><a
href="https://github.com/pevma/Suricata-Logstash-Templates">Suricata-Logstash-Templates</a>
- Templates for Kibana/Logstash to use with Suricata IDPS.</li>
<li><a href="https://github.com/VVelox/Lilith">Lilith</a> - Reads EVE
files into SQL and searches the stored data.</li>
</ul>
<h2 id="operations-monitoring-and-troubleshooting">Operations,
Monitoring and Troubleshooting</h2>
<ul>
<li><a href="https://github.com/DCSO/slinkwatch">slinkwatch</a> -
Automatic enumeration and maintenance of Suricata monitoring
interfaces.</li>
<li><a href="https://github.com/regit/suri-stats">suri-stats</a> - A
tool to work on the Suricata <code>stats.log</code> file.</li>
<li><a href="https://github.com/DCSO/mauerspecht">Mauerspecht</a> -
Simple Probing Tool for Corporate Walled Garden Networks.</li>
<li><a
href="https://github.com/GitMirar/ansible-suricata">ansible-suricata</a>
- Suricata Ansible role (slightly outdated).</li>
<li><a
href="https://github.com/pevma/MassDeploySuricata">MassDeploySuricata</a>
- Mass deploy and update Suricata IDPS using Ansible IT automation
platform.</li>
<li><a
href="https://github.com/jasonish/docker-suricata">docker-suricata</a> -
Suricata Docker image.</li>
<li><a
href="https://github.com/VVelox/Suricata-Monitoring">Suricata-Monitoring</a>
- LibreNMS JSON / Nagios monitor for Suricata stats.</li>
<li><a
href="https://github.com/onetwopunch/terraform-google-suricata">Terraform
Module for Suricata</a> - Terraform module to setup Google Cloud packet
mirroring and send packets to Suricata.</li>
<li><a
href="https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata">InfluxDB
Suricata Input Plugin</a> - Input Plugin for Telegraf to collect and
forward Suricata <code>stats</code> logs (included out of the box in
recent Telegraf releases).</li>
<li><a
href="https://github.com/corelight/suricata_exporter">suricata_exporter</a>
- Simple Prometheus exporter written in Go, exporting stats metrics
scraped from the Suricata socket.</li>
</ul>
<h2 id="programming-libraries-and-toolkits">Programming Libraries and
Toolkits</h2>
<ul>
<li><a
href="https://github.com/jasonish/rust-suricatax-rule-parser">rust-suricatax-rule-parser</a>
- Experimental Suricata Rule Parser in Rust.</li>
<li><a href="https://github.com/ks2211/go-suricata">go-suricata</a> - Go
Client for Suricata (Interacting via Socket).</li>
<li><a href="https://github.com/google/gonids">gonids</a> - Go library
to parse intrusion detection rules for engines like Snort and
Suricata.</li>
<li><a href="https://github.com/rhaist/surevego">surevego</a> - Suricata
EVE-JSON parser in Go.</li>
<li><a
href="https://github.com/m-chrome/py-suricataparser">suricataparser</a>
- Pure python parser for Snort/Suricata rules.</li>
<li><a href="https://github.com/jasonish/py-idstools">py-idstools</a> -
Snort and Suricata Rule and Event Utilities in Python (Including a Rule
Update Tool).</li>
</ul>
<h2 id="dashboards-and-templates">Dashboards and Templates</h2>
<ul>
<li><a href="https://github.com/StamusNetworks/KTS">KTS</a> - Kibana 4
Templates for Suricata IDPS Threat Hunting.</li>
<li><a href="https://github.com/StamusNetworks/KTS5">KTS5</a> - Kibana 5
Templates for Suricata IDPS Threat Hunting.</li>
<li><a href="https://github.com/StamusNetworks/KTS6">KTS6</a> - Kibana 6
Templates for Suricata IDPS Threat Hunting.</li>
<li><a href="https://github.com/StamusNetworks/KTS7">KTS7</a> - Kibana 7
Templates for Suricata IDPS Threat Hunting.</li>
</ul>
<h2 id="development-tools">Development Tools</h2>
<ul>
<li><a
href="https://github.com/StamusNetworks/suricata-language-server">Suricata
Language Server</a> - Suricata Language Server is an implementation of
the Language Server Protocol for Suricata signatures. It adds syntax
check, hints and auto-completion to your preferred editor once it is
configured.</li>
<li><a
href="https://github.com/StamusNetworks/suricata-ls-vscode">suricata-ls-vscode</a>
- Suricata IntelliSense Extension using the Suricata Language
Server.</li>
<li><a
href="https://github.com/dgenzer/suricata-highlight-vscode">suricata-highlight-vscode</a>
- Suricata Rules Support for Visual Studio Code (syntax highlighting,
etc).</li>
<li><a
href="https://github.com/ozuriexv/SublimeSuricata">SublimeSuricata</a> -
Basic Suricata syntax highlighter for Sublime Text.</li>
</ul>
<h2 id="documentation-and-guides">Documentation and Guides</h2>
<ul>
<li><a href="https://github.com/pevma/SEPTun">SEPTun</a> - Suricata
Extreme Performance Tuning guide.</li>
<li><a href="https://github.com/pevma/SEPTun-Mark-II">SEPTun-Mark-II</a>
- Suricata Extreme Performance Tuning guide - Mark II.</li>
<li><a
href="https://github.com/StamusNetworks/suricata-4-analysts">suricata-4-analysts</a>
- The Security Analyst's Guide to Suricata.</li>
</ul>
<h2 id="analysis-tools">Analysis Tools</h2>
<ul>
<li><a
href="https://github.com/StamusNetworks/suricata-analytics">Suricata
Analytics</a> - Various resources that are useful when interacting with
Suricata data.</li>
<li><a href="https://github.com/cisagov/Malcolm">Malcolm</a> - A
powerful, easily deployable network traffic analysis tool suite for full
packet capture artifacts (PCAP files), Zeek logs and Suricata
alerts.</li>
<li><a href="https://github.com/jasonish/evebox">Evebox</a> - Web Based
Event Viewer (GUI) for Suricata EVE Events in Elastic Search.</li>
</ul>
<h2 id="rule-sets">Rule Sets</h2>
<ul>
<li><a
href="https://github.com/klingerko/nids-rule-library#readme">nids-rule-library</a>
- Collection of various open-source and commercial rulesets.</li>
<li><a
href="https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata">Stamus
Lateral Movement Detection Rules</a> - Suricata ruleset to detect
lateral movement.</li>
<li><a href="https://github.com/quadrantsec/suricata-rules">QuadrantSec
Suricata Rules</a> - QuadrantSec Suricata rules.</li>
<li><a
href="https://github.com/Cluster25/detection">Cluster25/detection</a> -
Cluster25's detection rules.</li>
<li>Networkforensic.dk (NF) rule sets:
<ul>
<li><a href="https://networkforensic.dk/SNORT/NF-local.zip">NF IDS
rules</a></li>
<li><a href="https://networkforensic.dk/SNORT/NF-SCADA.zip">NF SCADA IDS
Rules</a></li>
<li><a href="https://networkforensic.dk/SNORT/NF-Scanners.zip">NF
Scanners IDS Rules</a></li>
</ul></li>
<li><a
href="https://github.com/fox-it/quantuminsert/blob/master/detection/suricata/README.md">Quantum
Insert detection for Suricata</a> - Suricata rules accompanying Fox-IT's
QUANTUM 2015 blog/BroCon talk.</li>
<li><a href="https://github.com/travisbgreen/hunting-rules">Hunting
rules</a> - Suricata IDS alert rules for network anomaly detection from
Travis Green.</li>
<li><a href="https://dtection.io/ruleset/3cs_lateral">3CORESec NIDS -
Lateral Movement</a> - Suricata ruleset focusing on lateral movement
techniques (paid).</li>
<li><a href="https://dtection.io/ruleset/3cs_sinkholes">3CORESec NIDS -
Sinkholes</a> - Suricata ruleset focused on a curated list of public
malware sinkholes (free).</li>
<li><a href="https://pawpatrules.fr">PAW Patrules</a> - Another free (CC
BY-NC-SA) collection of rules for the Suricata engine.</li>
</ul>
<h2 id="rulesecurity-content-management-and-handling">Rule/Security
Content Management and Handling</h2>
<ul>
<li><a href="https://sidallocation.org/">sidallocation.org</a> - Sid
Allocation working group, list of SID ranges.</li>
<li><a href="https://github.com/StamusNetworks/scirius">Scirius</a> -
Web application for Suricata ruleset management and threat hunting.</li>
<li><a href="https://github.com/sebdraven/IOCmite">IOCmite</a> - Tool to
create Suricata datasets from the indicators of MISP instances and to add
sightings in MISP when an indicator from the dataset generates an alert.</li>
<li><a href="https://github.com/regit/luaevilbit">luaevilbit</a> - An
Evil bit implementation in luajit for Suricata.</li>
<li><a href="https://www.3coresec.com/solutions/lawmaker">Lawmaker</a> -
Suricata IDS rule and fleet management system.</li>
<li><a href="https://github.com/dgenzer/surify-cli">surify-cli</a> -
Generate Suricata rules from a collection of IOCs (JSON, CSV or flags)
based on your Suricata template.</li>
<li><a
href="https://github.com/theY4Kman/suricata-prettifier">suricata-prettifier</a>
- Command-line tool to format and syntax highlight Suricata rules.</li>
<li><a
href="https://github.com/AlienVault-OTX/OTX-Suricata">OTX-Suricata</a> -
Create rules and configuration for Suricata to alert on indicators from
an OTX account.</li>
<li><a href="https://github.com/secureworks/aristotle">Aristotle</a> -
Simple Python program that allows for the filtering and modifying of
Suricata and Snort rulesets based on interpreted key-value pairs present
in the metadata keyword within each rule.</li>
</ul>
<h2 id="systems-using-suricata">Systems Using Suricata</h2>
<ul>
<li><a href="https://github.com/StamusNetworks/SELKS">SELKS</a> - A
Suricata-based intrusion detection system/intrusion prevention
system/network security monitoring distribution.</li>
<li><a href="https://github.com/StamusNetworks/Amsterdam">Amsterdam</a>
- Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka
SELKS.</li>
<li><a href="https://www.pfsense.org">pfSense</a> - A free network
firewall distribution, based on the FreeBSD operating system with a
custom kernel and including third party free software packages for
additional functionality.</li>
<li><a href="https://opnsense.org">OPNsense</a> - An open source,
easy-to-use and easy-to-build FreeBSD based firewall and routing
platform.</li>
</ul>
<h2 id="training">Training</h2>
<ul>
<li><a
href="https://github.com/jasonish/experimental-suricata-training">Experimental
Suricata Training Environment</a> - Experimental Suricata Training
Environment.</li>
<li><a href="https://github.com/ccdcoe/CDMCS/tree/master">CDMCS</a> -
Cyber Defence Monitoring Course: Rule-based Threat Detection.</li>
</ul>
<h2 id="simulation-and-testing">Simulation and Testing</h2>
<ul>
<li><a href="https://github.com/WithSecureLabs/leonidas">Leonidas</a> -
Automated Attack Simulation in the Cloud, complete with detection use
cases.</li>
<li><a href="https://github.com/satta/speeve">speeve</a> - Fast,
probabilistic EVE-JSON generator for testing and benchmarking of
EVE-consuming applications.</li>
<li><a href="https://github.com/secureworks/dalton">Dalton</a> -
Suricata and Snort IDS rule and pcap testing system.</li>
</ul>
<h2 id="data-sets">Data Sets</h2>
<ul>
<li><a
href="https://github.com/FrankHassanabad/suricata-sample-data">suricata-sample-data</a>
- Repository for creating different example Suricata data sets.</li>
</ul>
<h2 id="misc">Misc</h2>
<ul>
<li><a href="https://github.com/regit/suriwire">Suriwire</a> - Wireshark
plugin to display Suricata analysis info.</li>
<li><a href="https://github.com/isMTv/bash_cata">bash_cata</a> - A
simple script that processes the generated Suricata eve-log in real time
and, based on alerts, adds an IP address to the MikroTik Address Lists
for a specified time for subsequent blocking.</li>
<li><a href="https://github.com/control-owl/suriGUI">suriGUI</a> - GUI
for Suricata + Qubes OS.</li>
</ul>