Back to Blog
SuricataIDS/IPS

Suricata Rules Explained

Nikhil Tank·July 12, 2026·8 min read

What is Suricata?

Suricata is a high-performance, open-source network threat detection engine capable of Intrusion Detection (IDS), Intrusion Prevention (IPS), and Network Security Monitoring (NSM). Developed by the Open Information Security Foundation (OISF), Suricata inspects network traffic in real time and matches it against a set of rules to identify malicious activity.

Unlike traditional packet-based IDS systems, Suricata uses multi-threaded architecture to scale efficiently across modern multi-core processors. It can process traffic at 10 Gbps and beyond, making it suitable for both small offices and large data center deployments.

Suricata vs Snort

Suricata and Snort are the two dominant open-source IDS/IPS engines. Here is how they compare:

  • Performance: Suricata uses multi-threading natively. Snort is single-threaded and requires multiple instances to scale.
  • Protocol detection: Suricata has built-in application-layer protocol parsers (HTTP, DNS, TLS, SMB, etc.). Snort relies more on pattern matching.
  • File extraction: Suricata can extract files from network streams for malware analysis. Snort requires additional modules.
  • TLS inspection: Suricata can decrypt and inspect TLS traffic when configured with keys. Snort has limited TLS support.
  • Rule compatibility: Both use similar rule syntax, but Suricata supports additional keywords and is generally considered more feature-rich.

Many organizations run Suricata as their primary IDS/IPS and feed alerts into a SIEM like Shieldlix for centralized analysis and correlation.

Suricata Rule Syntax

Every Suricata rule follows a structured format with three main components: action, header, and options.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443
  (msg:"Suspicious TLS Connection";
   flow:to_server,established;
   tls.version < 1.2;
   sid:1000001;
   rev:1;
   priority:2;)

drop tcp $EXTERNAL_NET any -> $HOME_NET 445
  (msg:"EternalBlue SMB Exploit";
   content:"|50 03 02 01|";
   offset:4;
   within:4;
   sid:1000002;
   rev:1;)

Action

The action tells Suricata what to do when the rule matches:

  • alert — Log the event without blocking traffic.
  • drop — Block the packet and log the event (IPS mode only).
  • reject — Block the packet and send a TCP RST or ICMP unreachable.
  • pass — Stop further rule inspection for this packet.

Header

The header defines the network traffic pattern to match:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443
  • Protocol: tcp, udp, icmp, or ip.
  • Source: Source IP and port ($HOME_NET any).
  • Direction: -> (one-way) or <> (bidirectional).
  • Destination: Destination IP and port ($EXTERNAL_NET 443).

Options

Options provide the detailed detection logic and metadata. Some of the most commonly used options include:

  • msg — Human-readable alert message.
  • content — Pattern to match in the packet payload (supports hex notation with pipes).
  • sid — Unique rule identifier.
  • rev — Revision number for version tracking.
  • priority — Severity level (1 = highest).
  • classtype — Category of attack (e.g., trojan-activity, attempted-admin).
  • reference — External reference (CVE, URL, MD5 hash).
  • flow — Direction of the flow (to_server, to_client, established).

Protocol Detection in Suricata

One of Suricata's standout features is its application-layer protocol detection. Instead of relying solely on port numbers, Suricata inspects traffic content to identify the actual protocol in use. This prevents evasion through non-standard ports.

HTTP Detection

alert http $HOME_NET any -> $EXTERNAL_NET any
  (msg:"Suspicious User-Agent";
   http.user_agent;
   content:"curl|2f|7.";
   sid:1000003;
   rev:1;
   priority:3;)

alert http $HOME_NET any -> $EXTERNAL_NET any
  (msg:"Possible C2 Beacon";
   content:"GET";
   http.method;
   content:"/gate.php";
   http.uri;
   flow:established;
   sid:1000004;
   rev:1;
   classtype:trojan-activity;)

DNS Detection

alert dns $HOME_NET any -> $EXTERNAL_NET any
  (msg:"DGA Domain Detected";
   dns.query;
   content:"xyz";
   pcre:"/[a-z]{20,}\.com/";
   sid:1000005;
   rev:1;
   priority:2;)

alert dns $HOME_NET any -> $EXTERNAL_NET any
  (msg:"DNS Tunneling Attempt";
   dns.type:"TXT";
   dns.rdata_len > 200;
   sid:1000006;
   rev:1;
   priority:1;)

TLS Detection

alert tls $HOME_NET any -> $EXTERNAL_NET any
  (msg:"TLS to Malicious Domain";
   tls.sni;
   content:"malware-c2.example.com";
   sid:1000007;
   rev:1;
   priority:1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any
  (msg:"Self-Signed Cert Detected";
   tls.cert_issuer; content:"CN=";
   tls.cert_subject;
   content!:"CN=";
   sid:1000008;
   rev:1;
   priority:3;)

Alerting vs Dropping

Suricata can operate in two modes that determine how it handles matching traffic:

  • IDS mode (alert): Suricata logs the alert and allows the traffic to pass. This is the safe default for monitoring and analysis.
  • IPS mode (drop): Suricata actively blocks the malicious traffic. This requires inline deployment and careful tuning to avoid dropping legitimate traffic.

Best practice is to start with alert-only mode, analyze the alerts in your Shieldlix Security Monitoring platform, and gradually move high-confidence rules to drop mode.

Rule Categories and Emerging Threats

Suricata rules are typically organized into categories maintained by different providers:

  • Emerging Threats (ET) — The most popular open-source rule set, maintained by Proofpoint. Covers malware, exploits, phishing, and more.
  • Emerging Threats Pro (ET Pro) — A paid subscription with higher-quality, lower-noise rules. Updated more frequently.
  • SSL Blacklist — Rules based on known malicious TLS certificates.
  • Custom rules — Organization-specific rules tailored to your environment and threat model.

When you integrate Suricata with Shieldlix Security Monitoring, all rule hits are correlated with other log sources and enriched with threat intelligence.

Suricata + SIEM Integration

Suricata generates logs in multiple formats including EVE JSON, which is the recommended format for SIEM integration. Key log types include:

  • alert — Rule match events with full packet metadata.
  • flow — Summarized network flow records.
  • dns — DNS query and response logs.
  • http — HTTP request and response logs.
  • tls — TLS handshake metadata.
  • files — Extracted file metadata and hashes.

Shieldlix natively ingests Suricata EVE JSON logs, parses them into structured fields, and makes them available for search, correlation, and alerting alongside your firewall logs, endpoint data, and cloud audit trails.

Best Practices for Writing Suricata Rules

  • Use protocol keywords — Prefer http.uri, tls.sni, and dns.query over generic content matches for better accuracy.
  • Add metadata — Include reference and classtype to make alert triage easier.
  • Test in a sandbox — Use suricata -T to validate rule syntax before deploying.
  • Start with alert — Never deploy new rules in drop mode without first running them in alert mode.
  • Use thresholds — Add threshold options to suppress noisy rules and reduce alert fatigue.
  • Keep sid ranges organized — Assign different sid ranges for different rule categories to avoid conflicts.

Conclusion

Suricata is one of the most powerful open-source network threat detection engines available today. Its flexible rule syntax, multi-threaded performance, and deep protocol inspection make it an essential component of any defense-in-depth strategy. When combined with a modern SIEM like Shieldlix, Suricata alerts become part of a unified security operations platform that gives your team complete visibility across network, endpoint, and cloud.


Written by
Nikhil Tank
Founder & CEO, Shieldlix
← Back to Blog