# oisf/suricata

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/oisf-suricata).**

6,008 stars · 1,664 forks · C · gpl-2.0

## Links

- GitHub: https://github.com/OISF/suricata
- Homepage: https://suricata.io
- awesome-repositories: https://awesome-repositories.com/repository/oisf-suricata.md

## Topics

`cybersecurity` `ids` `intrusion-detection-system` `intrusion-prevention-system` `ips` `network-monitor` `network-monitoring` `nsm` `security` `suricata` `threat-hunting`

## Description

Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware and kernel-bypass techniques.

The engine is distinguished by its Lua scripting extension system, which allows custom detection logic and output formatting to be embedded directly in rules and modules without recompiling the core. It maintains per-flow state tracking across multiple packets for context-aware analysis, and provides a hardware offload abstraction layer that delegates packet capture and pattern matching to supported network interface cards. A Unix socket control interface enables external processes to manage rules, retrieve statistics, and control the engine at runtime, while the entire engine can be embedded as a shared library within custom applications through its API.

Suricata supports both passive network monitoring and inline intrusion prevention, with the ability to read PCAP files for offline forensics and extract files from network streams for malware inspection. It offers structured JSON logging for integration with external log management tools, automatic log rotation, and the ability to profile rule processing times to identify performance bottlenecks. The engine can be configured through a hierarchical YAML file with include support, and provides tools for managing detection rules, migrating from Snort format, and upgrading between engine versions.

## Tags

### Part of an Awesome List

- [Traffic Capture Frameworks](https://awesome-repositories.com/f/awesome-lists/devtools/traffic-capture-frameworks.md) — Captures raw network packets from live interfaces or offline pcap files for real-time analysis. ([source](https://docs.suricata.io/performance/packet-capture.html))
- [HTTP URI Component Inspectors](https://awesome-repositories.com/f/awesome-lists/data/http-traffic-analysis/http-uri-component-inspectors.md) — Matches individual parts of the HTTP URI, such as path, query string, or hostname, for threat detection. ([source](https://docs.suricata.io/rules/http-keywords.html))
- [File Extraction Tools](https://awesome-repositories.com/f/awesome-lists/security/file-extraction-tools.md) — Reassembles and saves files transferred over monitored protocols for offline analysis and malware inspection. ([source](https://docs.suricata.io))
- [SSH Anomaly Detectors](https://awesome-repositories.com/f/awesome-lists/security/ssh-honeypots/ssh-brute-force-mitigation/ssh-anomaly-detectors.md) — Inspects SSH protocol fields to detect brute-force attacks and other malicious activity through anomaly detection. ([source](https://docs.suricata.io/rules/ssh-keywords.html))

### Security & Cryptography

- [Network Intrusion Detection](https://awesome-repositories.com/f/security-cryptography/security/operations-and-incident-response/network-intrusion-detection.md) — An open-source engine that analyzes network traffic in real time to detect and alert on malicious activity using signature-based rules.
- [HTTP Response Header Inspectors](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/web-security/http-header-analyzers/http-response-header-inspectors.md) — Matches HTTP response header fields against detection rules to identify suspicious server behavior or content. ([source](https://docs.suricata.io/rules/http-keywords.html))
- [Custom Detection Rules](https://awesome-repositories.com/f/security-cryptography/custom-detection-rules.md) — Provides a framework for writing and integrating user-defined detection rules and Lua scripts to identify specific threats or anomalies.
- [Lua Detection Rules](https://awesome-repositories.com/f/security-cryptography/custom-detection-rules/lua-detection-rules.md) — Writes detection rules using Lua scripting to inspect packet payloads and match custom patterns. ([source](https://docs.suricata.io/rules/lua-detection.html))
- [Intrusion Prevention Systems](https://awesome-repositories.com/f/security-cryptography/intrusion-prevention-systems.md) — Places the engine inline on network paths to drop or reject malicious packets in real time.
- [Inline Blocking Modes](https://awesome-repositories.com/f/security-cryptography/ip-blacklisting/inline-blocking-modes.md) — Injects drop decisions inline with traffic flow to actively block malicious packets before they reach the target. ([source](https://docs.suricata.io/quickstart.html))
- [IP Reputation Scoring](https://awesome-repositories.com/f/security-cryptography/ip-reputation-scoring.md) — Checks source and destination IP addresses against a user-defined blacklist or whitelist to classify traffic as trusted or malicious. ([source](https://docs.suricata.io/reputation/ipreputation/ip-reputation.html))
- [Network Security](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/network-security.md) — Analyzes network packets in real time to detect and block malicious activity, protecting infrastructure from threats. ([source](https://docs.suricata.io/security.html))
- [Network Security Configuration](https://awesome-repositories.com/f/security-cryptography/network-security-configuration.md) — Configures operational parameters including network interfaces, logging, and rule paths for intrusion detection. ([source](https://docs.suricata.io/configuration/index.html))
- [Network Security Monitors](https://awesome-repositories.com/f/security-cryptography/network-security-monitors.md) — Provides real-time network traffic analysis and alerting on suspicious events using signature-based detection rules. ([source](https://docs.suricata.io/_sources/index.rst.txt))
- [Signature-Based Threat Detectors](https://awesome-repositories.com/f/security-cryptography/threat-detection/signature-based-threat-detectors.md) — Matches network traffic against user-defined signatures and datasets to identify known attack patterns and policy violations.
- [TLS Inspection Tools](https://awesome-repositories.com/f/security-cryptography/tls-inspection-tools.md) — Examines TLS handshake attributes like version, cipher suite, and SNI to detect anomalies or policy violations. ([source](https://docs.suricata.io/rules/tls-keywords.html))
- [SMTP Traffic Inspections](https://awesome-repositories.com/f/security-cryptography/traffic-inspection-tools/smtp-traffic-inspections.md) — Examines email messages for malicious attachments, phishing attempts, and spam patterns. ([source](https://docs.suricata.io/rules/smtp-keywords.html))
- [Traffic Isolation](https://awesome-repositories.com/f/security-cryptography/account-management/traffic-isolation.md) — Separates network traffic into distinct tenant contexts so rules and configurations apply only to the designated segment. ([source](https://docs.suricata.io/configuration/multi-tenant.html))
- [TLS Certificate Field Validators](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management/tls-certificate-field-validators.md) — Checks SSL/TLS certificate fields such as issuer, subject, and validity against defined patterns to enforce security policies. ([source](https://docs.suricata.io/rules/tls-keywords.html))
- [Rule Exception Definitions](https://awesome-repositories.com/f/security-cryptography/custom-detection-rules/rule-definition-shortcuts/rule-exception-definitions.md) — Defines custom actions for packets that trigger rule violations, overriding default drop or alert behavior. ([source](https://docs.suricata.io/configuration/exception-policies.html))
- [TLS Fingerprinting](https://awesome-repositories.com/f/security-cryptography/device-fingerprinting/fingerprint-configuration/tls-fingerprinting.md) — Computes a hash of TLS handshake parameters to identify the client or server software making the connection. ([source](https://docs.suricata.io/rules/ja-keywords.html))
- [Kerberos Anomaly Detectors](https://awesome-repositories.com/f/security-cryptography/kerberos-authentication/kerberos-anomaly-detectors.md) — Matches network traffic against Kerberos-specific fields to identify suspicious authentication activity. ([source](https://docs.suricata.io/rules/kerberos-keywords.html))
- [WebSocket Traffic Inspections](https://awesome-repositories.com/f/security-cryptography/websocket-security/websocket-traffic-inspections.md) — Inspects WebSocket traffic for malicious patterns and enforces security policies on WebSocket communications. ([source](https://docs.suricata.io/rules/websocket-keywords.html))

### Data & Databases

- [Inline Rule Scripts](https://awesome-repositories.com/f/data-databases/caching-and-locking/atomic-task-locks/lua-scripting/inline-rule-scripts.md) — Ships a Lua scripting extension system that allows custom detection logic to be embedded directly in rules. ([source](https://docs.suricata.io/lua/index.html))
- [Output Scripts](https://awesome-repositories.com/f/data-databases/caching-and-locking/atomic-task-locks/lua-scripting/output-scripts.md) — Runs custom Lua scripts to format and output alert data, enabling flexible log processing without recompiling. ([source](https://docs.suricata.io/output/lua-output.html))

### Development Tools & Productivity

- [Lua Rule Extensions](https://awesome-repositories.com/f/development-tools-productivity/automation-rules/rule-encapsulation/reusable-rule-logic/lua-rule-extensions.md) — Combines Lua scripts with standard rule keywords to add custom inspection logic to a rule. ([source](https://docs.suricata.io/rules/lua-detection.html))
- [Rule Management Tools](https://awesome-repositories.com/f/development-tools-productivity/cli-tooling/rule-management-tools.md) — Provides command-line utilities for updating, enabling, and disabling detection rulesets. ([source](https://docs.suricata.io/rule-management/index.html))
- [Honeypot File Transfer Capturers](https://awesome-repositories.com/f/development-tools-productivity/remote-file-transfers/sftp-subsystems/command-line-file-transfers/honeypot-file-transfer-capturers.md) — Captures and stores files transmitted across the network for offline analysis or evidence collection. ([source](https://docs.suricata.io/rules/file-keywords.html))

### Networking & Communication

- [In-Transit File Inspectors](https://awesome-repositories.com/f/networking-communication/file-transfer-protocols/in-transit-file-inspectors.md) — Examines files transferred over network protocols against stored rules to detect malicious payloads or policy violations. ([source](https://docs.suricata.io/rules/file-keywords.html))
- [Threat Detection Rule Repositories](https://awesome-repositories.com/f/networking-communication/filtering-rule-repositories/threat-detection-rule-repositories.md) — Downloads, enables, and maintains rule sets from external sources to keep threat detection current. ([source](https://docs.suricata.io))
- [Inline Traffic Blockers](https://awesome-repositories.com/f/networking-communication/inline-traffic-blockers.md) — Places the engine directly in the network path to drop or reject packets that match detection rules. ([source](https://docs.suricata.io))
- [Flow Tracking Engines](https://awesome-repositories.com/f/networking-communication/network-connection-detectors/connection-states/flow-tracking-engines.md) — Maintains per-flow state tables across multiple packets for context-aware intrusion detection and protocol analysis.
- [Network Flow Analyzers](https://awesome-repositories.com/f/networking-communication/network-flow-analyzers.md) — Inspects and tracks network conversations to detect patterns and anomalies across multiple packets. ([source](https://docs.suricata.io/rules/flow-keywords.html))
- [IP Address Filters](https://awesome-repositories.com/f/networking-communication/network-reliability-diagnostics/network-filtering/ip-address-filters.md) — Matches network traffic against specific IP addresses or address ranges to filter or trigger detection rules. ([source](https://docs.suricata.io/rules/ipaddr.html))
- [HTTP Response Body Inspectors](https://awesome-repositories.com/f/networking-communication/network-reliability-diagnostics/network-interception-tools/response-body-modifiers/http-response-body-inspectors.md) — Analyzes HTTP response body content against detection rules to identify malicious payloads or data leaks. ([source](https://docs.suricata.io/rules/http-keywords.html))
- [Network Traffic Analyzers](https://awesome-repositories.com/f/networking-communication/network-traffic-analyzers.md) — Inspects every packet crossing the network boundary and applies a set of rules to detect malicious or anomalous activity as it happens. ([source](https://docs.suricata.io/performance/runmodes.html))
- [Dataset Lookups](https://awesome-repositories.com/f/networking-communication/network-traffic-rules/dataset-lookups.md) — Matches network traffic against named datasets of IPs, domains, or other data to trigger rules on hits. ([source](https://docs.suricata.io/rules/datasets.html))
- [Lua Packet Field Extractors](https://awesome-repositories.com/f/networking-communication/packet-buffering/message-extraction-from-buffers/lua-packet-field-extractors.md) — Extracts specific bytes or fields from a packet payload using Lua code for further analysis. ([source](https://docs.suricata.io/rules/lua-detection.html))
- [High-Performance Capture Engines](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/high-performance-capture-engines.md) — Captures network packets using specialized hardware and kernel-bypass techniques for high-speed traffic analysis.
- [Multi-Interface](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/multi-interface.md) — Reads network traffic directly from hardware interfaces or PCAP files for analysis in both inline and passive modes. ([source](https://docs.suricata.io))
- [Traffic Interception](https://awesome-repositories.com/f/networking-communication/traffic-interception.md) — Intercepts and blocks malicious traffic as it passes through the network, preventing threats from reaching their target. ([source](https://docs.suricata.io/ips/index.html))
- [Traffic Protocol Inspection](https://awesome-repositories.com/f/networking-communication/traffic-protocol-inspection.md) — Parses and inspects application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT for protocol-specific attacks.
- [Application-Layer Protocol Inspections](https://awesome-repositories.com/f/networking-communication/traffic-protocol-inspection/application-layer-protocol-inspections.md) — Parses and analyzes traffic for protocols such as HTTP, DNS, TLS, SMB, and many others to detect protocol-specific attacks. ([source](https://docs.suricata.io))
- [Email Threat Inspections](https://awesome-repositories.com/f/networking-communication/email-administrative-interfaces/email-inspection-dashboards/email-threat-inspections.md) — Scans email header fields and attachments against rule conditions to detect malicious content or policy violations. ([source](https://docs.suricata.io/rules/email-keywords.html))
- [Cross-Flow State Trackers](https://awesome-repositories.com/f/networking-communication/network-connection-detectors/connection-states/flow-tracking-engines/cross-flow-state-trackers.md) — Stores a named boolean flag that persists across multiple network flows and can be queried or set by later rules. ([source](https://docs.suricata.io/rules/xbits.html))
- [Network Traffic Transformers](https://awesome-repositories.com/f/networking-communication/network-traffic-processors/network-traffic-transformers.md) — Applies transformations to network traffic data to normalize or modify it for analysis. ([source](https://docs.suricata.io/rules/transforms.html))
- [Traffic Bypass Rules](https://awesome-repositories.com/f/networking-communication/network-traffic-rules/traffic-bypass-rules.md) — Skips processing of packets that match a configured rule, reducing load on the detection engine. ([source](https://docs.suricata.io/performance/ignoring-traffic.html))
- [Capture Driver Parameter Tuning](https://awesome-repositories.com/f/networking-communication/packet-capture-drivers/capture-driver-parameter-tuning.md) — Adjusts driver-level parameters like ring buffer size and promiscuous mode for optimal packet capture performance. ([source](https://docs.suricata.io/capture-hardware/index.html))
- [AF_PACKET Capture Engines](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/af-packet-capture-engines.md) — Captures network packets directly from a Linux AF_PACKET socket for high-performance inline intrusion detection and prevention. ([source](https://docs.suricata.io/capture-hardware/af-packet.html))
- [Hardware Offloads](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/hardware-offloads.md) — Delegates packet acquisition to specialized network interface cards to reduce CPU load and improve capture performance. ([source](https://docs.suricata.io/capture-hardware/index.html))
- [AF_XDP Capture Engines](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/high-performance-capture-engines/af-xdp-capture-engines.md) — Captures network packets using the AF_XDP socket interface for high-performance, zero-copy packet processing. ([source](https://docs.suricata.io/capture-hardware/af-xdp.html))
- [Myricom](https://awesome-repositories.com/f/networking-communication/packet-capture-engines/myricom.md) — Captures network packets using Myricom network adapters for high-speed packet capture, bypassing standard kernel interfaces. ([source](https://docs.suricata.io/capture-hardware/myricom.html))
- [Attack Detectors](https://awesome-repositories.com/f/networking-communication/remote-access-control/remote-framebuffer-protocols/attack-detectors.md) — Inspects RFB protocol fields and traffic patterns to identify malicious VNC connections and exploitation attempts. ([source](https://docs.suricata.io/rules/rfb-keywords.html))
- [Runtime Control Sockets](https://awesome-repositories.com/f/networking-communication/tcp-and-unix-socket-listeners/runtime-control-sockets.md) — Accepts JSON commands over a Unix socket to manage rules, retrieve statistics, and control packet processing at runtime. ([source](https://docs.suricata.io))
- [Prefilter Keywords](https://awesome-repositories.com/f/networking-communication/traffic-filtering-rules/prefilter-keywords.md) — Applies prefiltering keywords to rules so packets are evaluated before full rule processing, improving detection speed. ([source](https://docs.suricata.io/rules/prefilter-keywords.html))
- [VLAN Traffic Inspectors](https://awesome-repositories.com/f/networking-communication/traffic-filters/vlan-traffic-inspectors.md) — Matches network packets based on their VLAN identifier to filter or analyze traffic within specific virtual LAN segments. ([source](https://docs.suricata.io/rules/vlan-keywords.html))
- [eBPF Traffic Analyzers](https://awesome-repositories.com/f/networking-communication/traffic-interception-tools/ebpf-interceptors/ebpf-traffic-analyzers.md) — Attaches eBPF and XDP programs to network interfaces to filter and process packets before they reach the kernel's network stack. ([source](https://docs.suricata.io/capture-hardware/ebpf-xdp.html))
- [Runtime Rule Reloads](https://awesome-repositories.com/f/networking-communication/traffic-rule-sets/rule-set-refresh/runtime-rule-reloads.md) — Applies updated rule sets to a running engine without stopping or restarting the active process. ([source](https://docs.suricata.io/rule-management/rule-reload.html))

### Programming Languages & Runtimes

- [Detection Rule Scripting Extensions](https://awesome-repositories.com/f/programming-languages-runtimes/programming-language-varieties/programming-languages/dynamic-scripting-languages/lua/embedded-scripting-extensions/detection-rule-scripting-extensions.md) — Embeds Lua scripts directly in detection rules and output modules to extend logic without recompiling the core engine.
- [Scriptable Detection Engines](https://awesome-repositories.com/f/programming-languages-runtimes/programming-language-varieties/programming-languages/dynamic-scripting-languages/lua/scriptable-detection-engines.md) — Extends detection and output logic by executing custom Lua scripts from rules and output modules.

### Software Engineering & Architecture

- [Rule-Based Pattern Matching](https://awesome-repositories.com/f/software-engineering-architecture/naming-conventions/rule-based-pattern-matching.md) — Matches network traffic against user-defined rules using protocol fields, content patterns, and flow state.
- [Inline Traffic Blockers](https://awesome-repositories.com/f/software-engineering-architecture/pattern-matching-libraries/regex-pattern-matchers/traffic-signature-matching/inline-traffic-blockers.md) — Inspects network packets against rules and drops or rejects those that match a threat signature to block malicious traffic. ([source](https://docs.suricata.io/ips/ips-concept.html))
- [Inline Traffic Blockers](https://awesome-repositories.com/f/software-engineering-architecture/request-validation/replay-attacks-prevention/inline-traffic-blockers.md) — Stops malicious packets from reaching their destination by dropping or rejecting them inline based on rule matches. ([source](https://docs.suricata.io/rules/rules-internals.html))
- [YAML Configuration Files](https://awesome-repositories.com/f/software-engineering-architecture/application-lifecycle-management/configuration-management/configuration-formats-and-schemas/yaml-configuration-files.md) — Defines engine behavior in a hierarchical YAML file that supports modular includes for rules and settings.
- [Event Logging](https://awesome-repositories.com/f/software-engineering-architecture/event-logging.md) — Outputs network events as structured JSON records for ingestion by log management and analytics platforms. ([source](https://docs.suricata.io/output/eve/index.html))
- [Structured JSON Loggers](https://awesome-repositories.com/f/software-engineering-architecture/event-logging/structured-json-loggers.md) — Outputs detection alerts and other events as JSON records for integration with external log management and analysis tools. ([source](https://docs.suricata.io))
- [Detection Pipeline Module Extenders](https://awesome-repositories.com/f/software-engineering-architecture/integration-extensibility/extensibility/plugin-architectures/developer-authoring-interfaces/custom-module-implementations/module-functionality-extenders/detection-pipeline-module-extenders.md) — Adds new protocol parsers and inspectors by writing C modules that plug into the engine's event pipeline. ([source](https://docs.suricata.io/devguide/extending/index.html))

### Testing & Quality Assurance

- [Network Traffic Monitors](https://awesome-repositories.com/f/testing-quality-assurance/general-testing-utilities/test-utilities-assertions/network-api-mocking/network-traffic-monitors.md) — Analyzes network packets in real time to detect and alert on suspicious activity or policy violations. ([source](https://docs.suricata.io/performance/statistics.html))
- [HTTP Request Body Inspectors](https://awesome-repositories.com/f/testing-quality-assurance/http-request-clients/request-body-editors/http-request-body-inspectors.md) — Inspects HTTP request body content against detection rules to identify malicious payloads and policy violations. ([source](https://docs.suricata.io/rules/http-keywords.html))

### Web Development

- [PCAP File Readers](https://awesome-repositories.com/f/web-development/api-management-tools/api-development-management/web-apis/file-reading/pcap-file-readers.md) — Reads network traffic from PCAP files for offline analysis and replay of captured packets. ([source](https://docs.suricata.io/capture-hardware/pcap-file.html))
- [HTTP Request Header Inspectors](https://awesome-repositories.com/f/web-development/backend-development/request-response-handling/http-utilities/http-header-manipulators/http-request-header-inspectors.md) — Matches HTTP request header fields against detection rules to identify malicious or anomalous traffic patterns. ([source](https://docs.suricata.io/rules/http-keywords.html))
- [HTTP Method and Version Inspectors](https://awesome-repositories.com/f/web-development/http-methods/http-method-and-version-inspectors.md) — Matches the HTTP method and protocol version to enforce allowed usage or detect anomalies. ([source](https://docs.suricata.io/rules/http-keywords.html))

### DevOps & Infrastructure

- [Multi-Stage Analysis Pipelines](https://awesome-repositories.com/f/devops-infrastructure/automated-analysis-pipelines/multi-stage-analysis-pipelines.md) — Processes packets through sequential capture, decode, detection, and output stages in a fixed pipeline.
- [Runtime Dataset Updaters](https://awesome-repositories.com/f/devops-infrastructure/automated-update-managers/dataset-update-managers/runtime-dataset-updaters.md) — Adds or removes entries in a dataset at runtime using rule actions, keeping the set current without reloading. ([source](https://docs.suricata.io/rules/datasets.html))
- [Embedded Detection Engines](https://awesome-repositories.com/f/devops-infrastructure/cloud-infrastructure/cloud-computing-serverless/backend-as-a-service/authentication-as-a-service/embedded-detection-engines.md) — Ships a shared library API that allows embedding the full detection engine inside custom applications. ([source](https://docs.suricata.io/devguide/libsuricata/index.html))

### Operating Systems & Systems Programming

- [Network Capture Offload Layers](https://awesome-repositories.com/f/operating-systems-systems-programming/hardware-interfacing-drivers/hardware-abstraction-layers/network-capture-offload-layers.md) — Provides a hardware offload abstraction layer that delegates packet capture and pattern matching to supported NICs.
- [Unix Socket Interfaces](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/system-programming-primitives/inter-process-communication/unix-socket-interfaces.md) — Exposes a Unix domain socket control interface for external processes to manage rules and retrieve statistics.

### System Administration & Monitoring

- [Alert Thresholds](https://awesome-repositories.com/f/system-administration-monitoring/alert-thresholds/alert-thresholds.md) — Limits the number of times a specific alert can fire within a set time window to reduce noise and prevent alert fatigue. ([source](https://docs.suricata.io/rules/thresholding.html))
- [Protocol Anomaly Detectors](https://awesome-repositories.com/f/system-administration-monitoring/anomaly-detection/protocol-anomaly-detectors.md) — Inspects application-layer protocols like HTTP, TLS, and SSH for malformed packets or suspicious behavior.
- [CIP](https://awesome-repositories.com/f/system-administration-monitoring/anomaly-detection/protocol-anomaly-detectors/cip.md) — Inspects ENIP/CIP traffic for malformed or malicious packets using protocol-specific keywords to identify attacks. ([source](https://docs.suricata.io/rules/enip-keyword.html))
- [NTP Anomaly Detectors](https://awesome-repositories.com/f/system-administration-monitoring/anomaly-detection/protocol-anomaly-detectors/ntp-anomaly-detectors.md) — Inspects NTP traffic for malformed packets, invalid timestamps, and other protocol-level violations to identify attacks. ([source](https://docs.suricata.io/rules/ntp-keywords.html))
- [Rule Frequency Limiters](https://awesome-repositories.com/f/system-administration-monitoring/monitoring-and-observability/observability-platforms/operational-health-alerting/event-monitoring-systems/event-frequency-monitoring/rule-frequency-limiters.md) — Applies a global threshold to cap how many times a specific detection rule can trigger within a set time window. ([source](https://docs.suricata.io/configuration/global-thresholds.html))
- [Network Forensic Extractions](https://awesome-repositories.com/f/system-administration-monitoring/network-traffic-analysis/network-forensic-extractions.md) — Captures and stores files transferred over network protocols for offline analysis and evidence collection. ([source](https://docs.suricata.io/file-extraction/file-extraction.html))
- [mDNS Traffic Inspectors](https://awesome-repositories.com/f/system-administration-monitoring/network-traffic-analysis/passive-traffic-analyzers/mdns-traffic-inspectors.md) — Inspects multicast DNS protocol fields to detect anomalies or threats in local network service discovery. ([source](https://docs.suricata.io/rules/mdns-keywords.html))
- [Runtime Service Controllers](https://awesome-repositories.com/f/system-administration-monitoring/runtime-service-controllers.md) — Controls a running engine by sending commands to reload rules, manage logging, and check status. ([source](https://docs.suricata.io/manpages/suricatactl.html))
