
Suricata 4.0.1

This post was published 6 years ago. Download links are most likely obsolete. If that's the case, try asking the uploader to re-upload.


File Size: 14.81 MB

Suricata is an intrusion detection system that monitors network traffic and alerts the user when suspicious activity is detected. It is a robust network threat detection engine capable of real-time intrusion detection.

Dependencies required
For the program to work, the user needs to download and install WinPcap, a library that allows capturing and transmitting network packets while bypassing the operating system's protocol stack.

The installation process for all the components required for the program to work is quite complicated, which makes it unsuitable even for the average user. Full instructions can be found on this page.

The engine of the application uses an HTTP normalizer that allows advanced processing of HTTP streams.

Functionality and configuration
Suricata works by inspecting traffic against a set of rules. Rule sets can be downloaded from external sources, although a small number of rules ship in the product's installation folder (these may be disabled by default).

The available documentation points to the online repositories but for a customized experience users can write them themselves.

If none of the above represents an issue, then configuring the IDS is also doable. The configuration file is "suricata.yaml" and contains various options, from defining the number of packets that can be processed at the same time and selecting the runmode used by the engine, to making it drop privileges and run as a specific user and group.

Additionally, it can be configured to run as a pure sniffer if placed on devices such as routers. The alert types are also configurable and there are extensive options for this as well as for event logging.
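The rule files mentioned above are plain text, one signature per line, with a disabled rule simply commented out with a leading `#`. The following added example (not part of this listing and not Suricata's own code) parses a small rule file into its header fields and options, reports which rules are enabled, and flags lines that would not load because they lack a `sid`. The sample rules are constructed for this example; the parser handles the common single-line rule form rather than Suricata's full grammar.

```python
"""Parse Suricata-style rule lines and report enabled/disabled signatures.

Added example with constructed sample rules; it covers the common
single-line rule form, not every construct Suricata accepts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rule file (not from any real Suricata ruleset).
SAMPLE_RULES = """\
# Local rules for the lab sensor
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection attempt"; flow:to_server; flags:S; sid:1000001; rev:1;)
#alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000002; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL executable download"; content:"MZ"; depth:2; sid:1000003; rev:2; classtype:trojan-activity;)
alert udp any any -> any 53 (msg:"LOCAL rule without sid")
"""

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)
    enabled: bool = True


def parse_options(text):
    """Split 'key:value; key:value;' into a dict, ignoring ';' inside quotes."""
    opts = {}
    # Split on ';' only when an even number of double quotes follows it.
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', text):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(':')
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rules(text):
    """Return (rules, errors). Commented-out rules are kept with enabled=False."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        m = HEADER_RE.match(body)
        if not m:
            # An uncommented line that is not a rule would fail to load;
            # a commented one is just a comment.
            if enabled:
                errors.append(f"line {lineno}: unparsable rule")
            continue
        opts = parse_options(m.group('opts'))
        if 'sid' not in opts:
            errors.append(f"line {lineno}: missing sid")
            continue
        rules.append(Rule(m.group('action'), m.group('proto'),
                          m.group('src'), m.group('sport'), m.group('dir'),
                          m.group('dst'), m.group('dport'), opts, enabled))
    return rules, errors


def summarize(rules):
    """Count enabled and disabled rules, the first thing to check on a new sensor."""
    return {
        'enabled': sum(1 for r in rules if r.enabled),
        'disabled': sum(1 for r in rules if not r.enabled),
    }


if __name__ == '__main__':
    parsed, problems = parse_rules(SAMPLE_RULES)
    for r in parsed:
        state = 'on ' if r.enabled else 'off'
        print(f"[{state}] sid {r.options['sid']:>8} {r.action:6} {r.proto:5} {r.options.get('msg', '')}")
    print(summarize(parsed))
    for p in problems:
        print('error:', p)
```

Running the script against a real rules directory is a quick way to confirm that the rules you expect to fire are actually uncommented, and that every signature carries the `sid` Suricata needs to load it.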

Conclusion
Suricata is designed to be used by security engineers for deployment on various network hardware, such as routers, to alert on intrusion attempts.

It benefits from a multi-threaded architecture and supports multi-core and multi-processor environments, providing increased speed and efficiency in the traffic analysis process.

What's New

Updates: the official site does not provide any info about changes in this version.

Homepage
