ResorsIT Uses Suricata For Intrusion Detection and Prevention
Suricata is a high performance, open source network analysis and threat detection engine used by many private and public organizations, and embedded by major vendors to protect their assets. It operates as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), inspecting network traffic using deep packet inspection (DPI), signature-based detection, and behavioral anomaly detection.
Intrusion Detection
In IDS mode, Suricata monitors network traffic passively and generates alerts when malicious activity is detected. It uses Snort-compatible rules to identify known attacks and supports Emerging Threats and custom rule sets. Protocol analysis covers HTTP, TLS, DNS, SMB, FTP, SSH, and others — decoding traffic to identify anomalies, protocol misuse, and suspicious behavior. Files can be extracted from network traffic for further analysis, and behavioral detection helps surface zero-day attacks and Advanced Persistent Threats that signature rules alone would miss. For high-throughput environments, Suricata uses AF_PACKET, PF_RING, and DPDK for packet capture and multi-threading to handle large traffic volumes.
Intrusion Prevention
In IPS mode, Suricata actively blocks malicious traffic rather than just alerting on it. Operating inline via NFQUEUE (Linux) or IPFW (BSD), it drops or modifies packets in real time before they reach internal systems. Rule-based blocking stops common attack patterns including SQL injection, cross-site scripting, malware downloads, and exploit attempts. TLS/SSL inspection allows Suricata to analyze encrypted traffic with appropriate key access. Threat intelligence feeds — IP blocklists, domain blocklists — can be ingested for proactive defense, and Suricata-Update keeps detection rules current.
More details on Suricata are available at their website linked here.