Suricata — IPS
OSS (GPL-2.0) · OISF · OISF/suricata · Docs · Rule sources: Emerging Threats, Talos ·
vulnetix vdb traffic-filters <CVE>returns Snort/Suricata-compatible signatures.
What Suricata does
Suricata is a multi-threaded network IDS / IPS / NSM engine. Its rule language reads like Snort’s but extends it with protocol-aware sticky buffers — http.uri, http.header, tls.sni, dns.query, smb.command — which let you write rules that match against the parsed application layer rather than the raw bytes.
For vulnerability management the use case mirrors Snort’s: when the exploit has a recognisable wire signature, a Suricata rule that drops it before it reaches the vulnerable service is a valid mitigation. Where Suricata earns its place over Snort is the protocol awareness — matching on http.uri is more precise (and survives encoding tricks) than matching on raw content.
IPS rules aren’t SBOM components, so the attestation is always OpenVEX.
Rule structure
Writing a mitigation rule
alert http any any -> $HOME_NET any (
msg:"CVE-XXXX-XXXX — path traversal attempt";
http.uri; content:"/../"; nocase;
sid:2000001; rev:1;
classtype:web-application-attack;
metadata:vuln-coordinator CVE-XXXX-XXXX;
)
alert http any any -> $HOME_NET any (
msg:"CVE-XXXX-XXXX — malicious header";
http.header; content:"X-Exploit:"; nocase;
sid:2000002; rev:1;
classtype:attempted-user;
)
alert tls any any -> any any (
msg:"Suspicious TLS SNI — C2 indicator";
tls.sni; content:"malicious.example.com"; nocase;
sid:2000003; rev:1;
classtype:trojan-activity;
)
Testing the rule
OpenVEX outcome
See also
- SSVC Engineer Triage — the framework that maps a rule deployment to the
Mitigation Optioninput. - OpenVEX appendix — the format these rule guides produce.
- Glossary.