Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols, including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware and kernel-bypass techniques.
The engine is distinguished by its Lua scripting extension system, which allows custom detection logic and output formatting to be embedded directly in rules and modules without recompiling the core. It maintains per-flow state tracking across multiple packets for context-aware analysis, and provides a hardware offload abstraction layer that delegates packet capture and pattern matching to supported network interface cards. A Unix socket control interface enables external processes to manage rules, retrieve statistics, and control the engine at runtime, while the entire engine can be embedded as a shared library within custom applications through its API.
Suricata supports both passive network monitoring and inline intrusion prevention, with the ability to read PCAP files for offline forensics and extract files from network streams for malware inspection. It offers structured JSON logging for integration with external log management tools, automatic log rotation, and the ability to profile rule processing times to identify performance bottlenecks. The engine can be configured through a hierarchical YAML file with include support, and provides tools for managing detection rules, migrating from Snort format, and upgrading between engine versions.