Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

cybersecurity ids intrusion-detection-system intrusion-prevention-system ips network-monitor network-monitoring nsm security suricata threat-hunting

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Jason Ish 5d050a456b rust: suppress cargo audit for RUSTSEC-2026-0097 Per https://rustsec.org/advisories/RUSTSEC-2026-0097, this issue it not applicable unless the "log" and "thread_rng" features of rand are enabled. "log" is not enabled in our dependency chain. Updating to the fixed version of rand requires an MSRV of 1.85. Ticket: #8467 (cherry picked from commit `be36e67f52`)		3 days ago
.clusterfuzzlite	ci: do not run undefined for clusterfuzzlite	7 months ago
.github	rust: suppress cargo audit for RUSTSEC-2026-0097	3 days ago
benches	…
doc	hs: prune stale MPM cache files	1 month ago
ebpf	ebpf: include llvm_bpfload.h in distribution	2 years ago
etc	schema: add descriptions to global memcaps/memuses	5 months ago
examples	examples: fix run mode name in live example	3 weeks ago
git-templates	git: Add commit template	1 year ago
lua	lua: create suricata.config lua lib	11 months ago
plugins	ndpi: fix logging of pcap_cnt	1 month ago
python	python/Makefile.am: fix file permissions of python/suricata/config/defaults.py	6 months ago
qa	qa: add nfq based firewall test with live reload	3 days ago
rules	ldap: add rules file to dist	1 month ago
rust	websocket: check pdu opcode for reassembly	3 weeks ago
scripts	clang-format: fix the base branch	1 month ago
src	detect: enable pcre and urilen for firewall mode	3 days ago
suricata-update	suricata-update: install sample configuration files	3 years ago
.clang-format	devguide: move into userguide as last chapter	4 years ago
.gitignore	.gitignore: don't ignore rule files in rules/	10 months ago
.readthedocs.yaml	docs: adjust readthedocs config to new options	3 years ago
COPYING	GPL license sync with official gpl-2.0.txt	11 years ago
ChangeLog	release: 8.0.4; update changelog	1 month ago
LICENSE	GPL license sync with official gpl-2.0.txt	11 years ago
Makefile.am	examples/lib/live: a lib example with live capture	1 month ago
README.md	doc: adjust for master to main rename	7 months ago
SECURITY.md	security: update policy wrt CVE ID's	2 years ago
acsite.m4	configure: check for u_int and friends	6 years ago
autogen.sh	autogen/rust: remove Cargo.lock	8 years ago
config.rpath	Add file needed for some autotools version.	13 years ago
configure.ac	configure/qa-simulation: explicitly declare default	3 weeks ago
doxygen.cfg	http: Use libhtp-rs.	1 year ago
libsuricata-config.in	libsuricata-config: fix static library dependency order	12 months ago
requirements.txt	requirements.txt: update to suricata-update 1.3.7	6 months ago
shell.nix	misc: add rust analyzer and sphinx to shell.nix	8 months ago
suricata.yaml.in	http2: bound number of http2 frames per tx	1 month ago
threshold.config	docs: update url to docs.suricata.io	3 years ago

README.md

Suricata

Introduction

Suricata is a network IDS, IPS and NSM engine developed by the OISF and the Suricata community.

Resources

Contributing

We're happily taking patches and other contributions. Please see our Contribution Process for how to get started.

Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences:

in IPS mode a crash may knock a network offline
in passive mode a compromise of the IDS may lead to loss of critical and confidential data
missed detection may lead to undetected compromise of the network

In other words, we think the stakes are pretty high, especially since in many common cases the IDS/IPS will be directly reachable by an attacker.

For this reason, we have developed a QA process that is quite extensive. A consequence is that contributing to Suricata can be a somewhat lengthy process.

On a high level, the steps are:

GitHub-CI based checks. This runs automatically when a pull request is made.
Review by devs from the team and community
QA runs from private QA setups. These are private due to the nature of the test traffic.

Overview of Suricata's QA steps

OISF team members are able to submit builds to our private QA setup. It will run a series of build tests and a regression suite to confirm no existing features break.

The final QA runs takes a few hours minimally, and generally runs overnight. It currently runs:

extensive build tests on different OS', compilers, optimization levels, configure features
static code analysis using cppcheck, scan-build
runtime code analysis using valgrind, AddressSanitizer, LeakSanitizer
regression tests for past bugs
output validation of logging
unix socket testing
pcap based fuzz testing using ASAN and LSAN
traffic replay based IDS and IPS tests

Next to these tests, based on the type of code change further tests can be run manually:

traffic replay testing (multi-gigabit)
large pcap collection processing (multi-terabytes)
fuzz testing (might take multiple days or even weeks)
pcap based performance testing
live performance testing
various other manual tests based on evaluation of the proposed changes

It's important to realize that almost all of the tests above are used as acceptance tests. If something fails, it's up to you to address this in your code.

One step of the QA is currently run post-merge. We submit builds to the Coverity Scan program. Due to limitations of this (free) service, we can submit once a day max. Of course it can happen that after the merge the community will find issues. For both cases we request you to help address the issues as they may come up.

FAQ

Q: Will you accept my PR?

A: That depends on a number of things, including the code quality. With new features it also depends on whether the team and/or the community think the feature is useful, how much it affects other code and features, the risk of performance regressions, etc.

Q: When will my PR be merged?

A: It depends, if it's a major feature or considered a high risk change, it will probably go into the next major version.

Q: Why was my PR closed?

A: As documented in the Suricata GitHub workflow, we expect a new pull request for every change.

Normally, the team (or community) will give feedback on a pull request after which it is expected to be replaced by an improved PR. So look at the comments. If you disagree with the comments we can still discuss them in the closed PR.

If the PR was closed without comments it's likely due to QA failure. If the GitHub-CI checks failed, the PR should be fixed right away. No need for a discussion about it, unless you believe the QA failure is incorrect.

Q: The compiler/code analyser/tool is wrong, what now?

A: To assist in the automation of the QA, we're not accepting warnings or errors to stay. In some cases this could mean that we add a suppression if the tool supports that (e.g. valgrind, DrMemory). Some warnings can be disabled. In some exceptional cases the only 'solution' is to refactor the code to work around a static code checker limitation false positive. While frustrating, we prefer this over leaving warnings in the output. Warnings tend to get ignored and then increase risk of hiding other warnings.

Q: I think your QA test is wrong

A: If you really think it is, we can discuss how to improve it. But don't come to this conclusion too quickly, more often it's the code that turns out to be wrong.

Q: Do you require signing of a contributor license agreement?

A: Yes, we do this to keep the ownership of Suricata in one hand: the Open Information Security Foundation. See http://suricata.io/about/open-source/ and http://suricata.io/about/contribution-agreement/