Suricata

Suricata is a high-performance open source Intrusion Detection and Prevention (IDP) engine developed by the Open Information Security Foundation (OISF). It supports multi-threading and uses Hyperscan to optimize its multi-pattern and single-pattern matching algorithms. Huawei optimizes Suricata for peak performance on the Kunpeng platform.

Figure 1 Suricata workflow

Suricata processes network packets through four core stages—acquisition (using DPDK to accelerate traffic capture), decoding, detection (leveraging Hyperscan for efficient rule matching), and output. The detection engine accounts for about 50% of the end-to-end processing overhead.

Suricata is a typical open source IDP solution. Its workflow and ruleset are widely recognized in data distribution scenarios. Many ISVs develop their applications based on the Suricata framework.

Suricata uses the following key technologies: multi-threaded real-time traffic capture and detection, multi-pattern matching algorithms, and automata-based matching algorithms.
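The multi-pattern and automata-based matching mentioned above is the heart of the detection stage: every content pattern from the loaded rules is compiled into one automaton, so a single pass over a packet payload reports which rules are candidates for full inspection. The following Aho-Corasick implementation is an added example written for this page; it is not Suricata or Hyperscan code. The rule IDs and content patterns in `RULES` and the HTTP request in `SAMPLE_PAYLOAD` are constructed placeholders, not entries from any real ruleset.

```python
from collections import deque

# Constructed signature set: rule id -> content pattern. Illustrative only,
# not taken from any Suricata ruleset.
RULES = {
    1000001: b"GET /admin",
    1000002: b"User-Agent: scanner",
    1000003: b"admin",
    1000004: b"passwd",
}

# Constructed HTTP request payload used as sample input.
SAMPLE_PAYLOAD = (
    b"GET /admin/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: scanner/1.0\r\n\r\n"
)


class AhoCorasick:
    """Multi-pattern matcher built once from every content pattern.

    One pass over a payload reports every occurrence of every pattern, which
    is the prefilter role that the multi-pattern matcher (Hyperscan on the
    Kunpeng build) plays inside Suricata's detection engine.
    """

    def __init__(self, patterns):
        self.goto = [{}]   # per state: byte -> next state
        self.fail = [0]    # per state: longest proper suffix that is a prefix
        self.out = [[]]    # per state: rule ids whose pattern ends here
        for rule_id, pattern in patterns.items():
            self._add(rule_id, pattern)
        self._build_failure_links()

    def _add(self, rule_id, pattern):
        # Insert the pattern into the trie, creating states as needed.
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append(rule_id)

    def _build_failure_links(self):
        # Breadth-first pass: a state's failure target is always shallower,
        # so its output list is final before we merge it.
        queue = deque(self.goto[0].values())
        while queue:
            parent = queue.popleft()
            for byte, state in self.goto[parent].items():
                queue.append(state)
                f = self.fail[parent]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[state] = self.goto[f].get(byte, 0)
                # A pattern that is a suffix of this path (e.g. "admin" inside
                # "GET /admin") must also be reported when this state is hit.
                self.out[state] = self.out[state] + self.out[self.fail[state]]

    def search(self, payload):
        """Return (end_offset, rule_id) for every pattern occurrence."""
        state, hits = 0, []
        for offset, byte in enumerate(payload):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for rule_id in self.out[state]:
                hits.append((offset, rule_id))
        return hits


def prefilter(payload, matcher=None):
    """Candidate rule ids whose content appears in the payload.

    In Suricata only these candidates proceed to full per-rule inspection;
    rules whose content never occurs (here 1000004) are skipped entirely.
    """
    matcher = matcher or AhoCorasick(RULES)
    return sorted({rule_id for _, rule_id in matcher.search(payload)})


if __name__ == "__main__":
    for hit in AhoCorasick(RULES).search(SAMPLE_PAYLOAD):
        print("offset %d -> rule %d" % hit)
    print("candidates:", prefilter(SAMPLE_PAYLOAD))
```

The automaton is built once at rule load time and reused for every packet, so the cost per payload is linear in its length regardless of how many rules are loaded; that is the property that lets the detection stage stay at roughly half of the total processing overhead rather than growing with the ruleset.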

Suricata is suitable for scenarios such as network security data distribution, fine-grained data distribution for carriers, data distribution for public security and technical investigation, and IDP.