
Flowmon User Guide

Suricata IDS Configuration and Tuning

  • Last Updated: April 5, 2026

The Flowmon IDS Probe package integrates the third-party open-source project Suricata IDS, with community rules, into the Flowmon platform. This package is provided free of charge and the Flowmon IDS Probe is not covered by the Flowmon support service.

For further information about Suricata IDS, visit the official Suricata Documentation.

This section contains basic instructions for adjusting the Suricata IDS settings when it is integrated into the Flowmon platform. It describes the basic settings that can be configured directly from the Flowmon user interface and the advanced settings that must be configured from the command line of the Flowmon appliance.

Suricata is an Intrusion Detection System (IDS) that detects potential threats in network traffic. To detect these threats, it uses signatures. A signature is a structured list of rules that describe a threat based on the content of packets. The IDS inspects the network traffic and applies these rules to each packet that passes through it. If an inspected packet satisfies the rules stated in the signature, the IDS generates an alert to notify the user.

The IDS performs a full packet capture, which means that all packets passing through the IDS are inspected for a potential intrusion. This process can be very computationally and resource intensive. In addition, detecting a potential intrusion usually does not require inspecting all the packets. For this reason, we propose a solution that inspects only the first N1 packets from each network flow. This reduces the load on the Suricata IDS in networks with high amounts of traffic.
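The effect of inspecting only the first N packets of each flow, as an added example that is not Flowmon's or Suricata's own code. The names `FirstNGate` and `flow_key`, the value N = 10, the bidirectional 5-tuple flow key and the traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def flow_key(p):
    # Assumption: a flow is the bidirectional 5-tuple, so both directions share one counter.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class FirstNGate:
    def __init__(self, n):
        self.n = n                      # packets per flow handed to the IDS
        self.seen = defaultdict(int)    # flow key -> packets seen so far
        self.inspected = self.skipped = 0

    def admit(self, p):
        """Return True if this packet should be handed to the IDS."""
        key = flow_key(p)
        self.seen[key] += 1
        if self.seen[key] <= self.n:
            self.inspected += 1
            return True
        self.skipped += 1
        return False

def constructed_traffic():
    """Constructed sample: one 1000-packet bulk transfer and 20 two-packet DNS lookups."""
    client, server = ("10.0.0.5", 50000), ("192.0.2.10", 443)
    pkts = []
    for i in range(1000):               # bulk flow, alternating directions
        s, d = (client, server) if i % 2 == 0 else (server, client)
        pkts.append(Packet(s[0], s[1], d[0], d[1], "tcp"))
    for i in range(20):                 # short flows: query and response
        pkts.append(Packet("10.0.0.5", 40000 + i, "192.0.2.53", 53, "udp"))
        pkts.append(Packet("192.0.2.53", 53, "10.0.0.5", 40000 + i, "udp"))
    return pkts

def run(n):
    """Return (inspected, skipped, flows) for the constructed traffic with limit n."""
    gate = FirstNGate(n)
    for p in constructed_traffic():
        gate.admit(p)
    return gate.inspected, gate.skipped, len(gate.seen)
```

On the constructed traffic, `run(10)` hands 50 of 1040 packets to the IDS: the bulk transfer is cut off after 10 packets, while every short flow is inspected in full.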
