Suricata — IPS

OSS (GPL-2.0) · OISF · OISF/suricata · Docs · Rule sources: Emerging Threats, Talos · vulnetix vdb traffic-filters <CVE> returns Snort/Suricata-compatible signatures.

What Suricata does

Suricata is a multi-threaded network IDS / IPS / NSM engine. Its rule language reads like Snort’s but extends it with protocol-aware sticky buffers — http.uri, http.header, tls.sni, dns.query, smb.command — which let you write rules that match against the parsed application layer rather than the raw bytes.

For vulnerability management the use case mirrors Snort’s: when the exploit has a recognisable wire signature, a Suricata rule that drops it before it reaches the vulnerable service is a valid mitigation. Where Suricata earns its place over Snort is the protocol awareness — matching on http.uri is more precise (and survives encoding tricks) than matching on raw content.

IPS rules aren’t SBOM components, so the attestation is always OpenVEX.

Rule structure

Writing a mitigation rule

alert http any any -> $HOME_NET any (
  msg:"CVE-XXXX-XXXX — path traversal attempt";
  http.uri; content:"/../"; nocase;
  sid:2000001; rev:1;
  classtype:web-application-attack;
  metadata:vuln-coordinator CVE-XXXX-XXXX;
)
alert http any any -> $HOME_NET any (
  msg:"CVE-XXXX-XXXX — malicious header";
  http.header; content:"X-Exploit:"; nocase;
  sid:2000002; rev:1;
  classtype:attempted-user;
)
alert tls any any -> any any (
  msg:"Suspicious TLS SNI — C2 indicator";
  tls.sni; content:"malicious.example.com"; nocase;
  sid:2000003; rev:1;
  classtype:trojan-activity;
)

Testing the rule

OpenVEX outcome

See also