引擎

1. 网络入侵检测系统(NIDS)引擎
2. 网络入侵防御系统(NIPS)引擎
3. 网络安全监控(NSM)引擎
4. 离线分析PCAP文件
5. 使用pcap记录器记录流量
6. Unix套接字模式，用于自动PCAP文件处理
7. 与Linux Netfilter防火墙的高级集成

操作系统支持

1. Linux
2. FreeBSD
3. OpenBSD
4. macOS / Mac OS X
5. Windows

配置

1. 配置文件-人和机器可读
2. 良好的注释和文档
3. 支持包括其他文件

TCP / IP引擎

1. Scalable flow engine
2. Full IPv6 support
3. Tunnel decoding
   • Teredo
   • IP-IP
   • IP6-IP4
   • IP4-IP6
   • GRE
4. TCP stream engine
   • tracking sessions
   • stream reassembly
   • target based stream reassembly
5. IP Defrag engine
   • target based reassembly

协议解析器

1. 支持数据包解码
   1. IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
   2. 以太网，PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN
2. App层解码:
   1. HTTP、SSL、TLS、SMB、DCERPC、SMTP、FTP、SSH、DNS、Modbus、ENIP/CIP、DNP3、NFS、NTP、DHCP、TFTP、KRB5、IKEv2
   2. 使用Rust语言开发的新协议，用于安全快速的解码。

HTTP引擎

• Stateful HTTP parser built on libhtp
• HTTP request logger
• File identification, extraction and logging
• Per server settings — limits, personality, etc
• Keywords to match on (normalized) buffers:
  • uri and raw uri
  • headers and raw headers
  • cookie
  • user-agent
  • request body and response body
  • method, status and status code
  • host
  • request and response lines
  • decompress flash files
  • and many more

探测引擎

• Protocol keywords
• Multi-tenancy per vlan or capture device
• xbits – flowbits extension
• PCRE support
  • substring capture for logging in EVE
• fast_pattern and prefilter support
• Rule profiling
• File matching
  • file magic
  • file size
  • file name and extension
  • file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
• multiple pattern matcher algorithms that can be selected
• extensive tuning options
• live rule reloads — use new rules w/o restarting Suricata
• delayed rules initialization
• Lua scripting for custom detection logic
• Hyperscan integration

输出

• Eve log, all JSON alert and event output
• Lua output scripts for generating your own output formats
• Redis support
• HTTP request logging
• TLS handshake logging
• Unified2 output — compatible with Barnyard2
• Alert fast log
• Alert debug log — for rule writers
• Traffic recording using pcap logger
• Prelude support
• drop log — netfilter style log of dropped packets in IPS mode
• syslog — alert to syslog
• stats — engine stats at fixed intervals
• File logging including MD5 checksum in JSON format
• Extracted file storing to disk, with deduplication in the v2 format
• DNS request/reply logger, including TXT data
• Signal based Log rotation
• Flow logging

报警/事件过滤

• per rule alert filtering and thresholding
• global alert filtering and thresholding
• per host/subnet thresholding and rate limiting settings

包获取

• High performance capture
  • AF_PACKET
    • experimental eBPF and XDP modes available
  • PF_RING
  • NETMAP
• Standard capture
  • PCAP
  • NFLOG (netfilter integration)
• IPS mode
  • Netfilter based on Linux (nfqueue)
    • fail open support
  • ipfw based on FreeBSD and NetBSD
  • AF_PACKET based on Linux
  • NETMAP
• Capture cards and specialized devices
  • Endace
  • Napatech
  • Tilera

多线程

完全可配置线程——从单线程到几十个线程

预煮的“runmodes”

可选CPU关联设置

使用细粒度锁定和原子操作获得最佳性能

可选锁分析

IP的声誉

• loading of large amounts host based reputation data
• matching on reputation data in the rule language using the “iprep” keyword
• live reload support
• supports CIDR ranges

工具

• Suricata-Update for easy rule update management
• Suricata-Verify for QA during development

原文:https://suricata-ids.org/features/all-features/

本文：

讨论:请加入知识星球或者小红圈【首席架构师圈】