
Malcolm bundles Suricata as its signature-based IDS engine


Overview

Malcolm doesn't just integrate with Suricata; it ships it as a core component. Suricata runs as one of the containers in Malcolm's Docker Compose stack and provides signature-based threat detection against captured traffic. Malcolm supplies the surrounding infrastructure: log ingestion, normalization, indexing, and visualization through OpenSearch Dashboards.

This is a "batteries included" relationship. When you deploy Malcolm, Suricata is already configured, its rules are refreshed automatically by suricata-update, and its EVE JSON alerts flow into the same OpenSearch cluster that holds Zeek's logs and Arkime's session metadata (Arkime keeps the raw PCAP itself on disk and indexes the session records).

Integration Architecture

Network TAP / SPAN port or PCAP upload
              ↓
    ┌─────────┴─────────┐
    │                   │
  Zeek              Suricata
(protocol logs)    (IDS alerts)
    │                   │
    └────────┬──────────┘
             ↓
     Logstash + Filebeat
     (normalization)
             ↓
        OpenSearch
     (unified index)
             ↓
  OpenSearch Dashboards + Arkime
     (search & visualize)

Suricata's EVE JSON output is picked up by Filebeat, processed through Logstash enrichment pipelines (GeoIP, ASN, protocol metadata), and indexed alongside Zeek's logs in a common field schema. A single OpenSearch query can therefore match a Suricata alert to the Zeek connection log for the same session, and the session's raw packets can then be pulled up in Arkime. The join works because both sensors see the same flow; the Zeek uid and the flow 5-tuple are what carry an analyst from the alert to the packets.
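
The pivot described above, as an added example that is not part of this page or of Malcolm's own code: inside Malcolm the join is a query against the normalized OpenSearch index, but the same logic can be run offline against raw Suricata EVE JSON and Zeek conn.log lines. All log lines below are constructed, and the Arkime expression the code emits assumes Arkime's generic `ip`/`port` fields, which match either endpoint.

```python
"""Join Suricata EVE alerts to Zeek conn.log records on the flow 5-tuple.

Added example, not Malcolm's own code. Shows the chain
alert -> Zeek uid -> Arkime session on constructed log lines.
"""
import json
from datetime import datetime

# Constructed sample eve.json: an alert with a matching Zeek connection, a
# non-alert flow record (must be ignored), and an alert on a flow Zeek never saw.
SURICATA_EVE = """\
{"timestamp":"2024-03-01T12:00:05.120000+0000","event_type":"alert","src_ip":"10.0.5.23","src_port":49152,"dest_ip":"10.0.1.10","dest_port":502,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"ICS Modbus write from non-engineering host","severity":2}}
{"timestamp":"2024-03-01T12:00:08.000000+0000","event_type":"flow","src_ip":"10.0.5.23","src_port":49152,"dest_ip":"10.0.1.10","dest_port":502,"proto":"TCP"}
{"timestamp":"2024-03-01T12:00:09.500000+0000","event_type":"alert","src_ip":"10.0.9.9","src_port":40000,"dest_ip":"10.0.1.11","dest_port":20000,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"DNP3 cold restart request","severity":1}}
"""

# Constructed sample conn.log in Zeek's JSON log format (same field names as the TSV format).
ZEEK_CONN = """\
{"ts":1709294404.9,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.5.23","id.orig_p":49152,"id.resp_h":"10.0.1.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":3.2,"conn_state":"SF"}
{"ts":1709294400.0,"uid":"CjgA3f2sdf9d8ASDFk","id.orig_h":"10.0.2.2","id.orig_p":51000,"id.resp_h":"10.0.1.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":1.0,"conn_state":"SF"}
"""


def flow_key(proto, ip_a, port_a, ip_b, port_b):
    """Direction-independent 5-tuple. Suricata's src/dest follow the packet that
    fired the alert, which may run responder->originator relative to Zeek's
    id.orig_*/id.resp_*, so the endpoints are sorted before comparing."""
    ends = sorted([(ip_a, int(port_a)), (ip_b, int(port_b))])
    return (proto.lower(), ends[0], ends[1])


def parse_eve_alerts(text):
    """Yield alert records from EVE JSON with an epoch timestamp added as _ts."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, http, dns, ... records are not alerts
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rec["_ts"] = ts.timestamp()
        yield rec


def parse_zeek_conn(text):
    """Yield conn.log records (one JSON object per line)."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def correlate(eve_text, conn_text, slack=2.0):
    """For each Suricata alert, find the Zeek connection on the same 5-tuple
    whose [ts, ts+duration] window (padded by `slack` seconds) contains the
    alert time. Returns one row per alert; zeek_uid is None when Zeek logged
    nothing for that flow, which is itself worth noticing during triage."""
    by_key = {}
    for c in parse_zeek_conn(conn_text):
        k = flow_key(c["proto"], c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"])
        by_key.setdefault(k, []).append(c)

    rows = []
    for a in parse_eve_alerts(eve_text):
        k = flow_key(a["proto"], a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"])
        match = None
        for c in by_key.get(k, []):
            start, end = c["ts"], c["ts"] + c.get("duration", 0.0)
            if start - slack <= a["_ts"] <= end + slack:
                match = c
                break
        rows.append({
            "signature_id": a["alert"]["signature_id"],
            "signature": a["alert"]["signature"],
            "alert_ts": a["_ts"],
            "flow": k,
            "zeek_uid": match["uid"] if match else None,
            "zeek_service": match.get("service") if match else None,
            "zeek_conn_state": match.get("conn_state") if match else None,
            # Arkime session search for the same flow (assumed syntax: ip/port match either side).
            "arkime_query": f"ip == {a['src_ip']} && port == {a['src_port']} && ip == {a['dest_ip']} && port == {a['dest_port']}",
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SURICATA_EVE, ZEEK_CONN):
        print(json.dumps(row))
```

Where both sensors emit a Community ID (Suricata's `community-id` EVE setting and Zeek's community-id script), the join collapses to a single field and the direction normalization above becomes unnecessary; the time-window check still matters when a long-lived flow produces several Zeek records.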

Use Cases

  • OT threat detection: ICS rule sets loaded into Suricata (Emerging Threats, CyberICS, EliteWolf) match known-bad or policy-violating Modbus/DNP3 traffic; Malcolm presents the alert alongside Zeek's parsed protocol fields (function codes, unit IDs, register addresses) for rapid triage
  • Incident forensics: A Suricata alert triggers investigation → analyst pivots from the alert to the Zeek connection log to the full PCAP in Arkime, all within Malcolm's unified interface
  • PCAP retrospective analysis: Upload historical PCAPs to Malcolm; Suricata scans them against the current rule set, surfacing activity that predates the signature that now detects it
  • Compliance evidence: Malcolm's prebuilt dashboards show Suricata alert trends, top signatures, and detection coverage, which can serve as evidence of monitoring for IEC 62443 audits

Configuration and Getting Started

  1. Clone the Malcolm repository and run ./scripts/install.py, which installs Docker and prompts for the deployment settings; then run ./scripts/auth_setup to create credentials and ./scripts/start to bring the stack up
  2. Suricata is enabled by default; no separate installation is needed
  3. Rule sets are controlled by Malcolm's environment files (config/suricata.env, e.g. SURICATA_UPDATE_RULES and SURICATA_CUSTOM_RULES_ONLY); suricata-update pulls the latest rules for you
  4. To add custom ICS rules, place .rules files in Malcolm's ./suricata/rules/ directory so suricata-update includes them; a rule that fails to parse or references an undefined address group will be dropped at load time, so validate custom files before deploying them
  5. Access Suricata alerts in OpenSearch Dashboards via the Suricata alerts dashboard, or filter with event.provider:suricata AND event.dataset:alert
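
A pre-deployment check for step 4, as an added example that is not Malcolm's or Suricata's own code: a small linter for custom .rules files that catches the mistakes that most often make a rule silently fail to load. The sample rule file is constructed, the mistakes in it are deliberate, and the list of known address/port groups is taken from the variables Suricata's default suricata.yaml defines; add any group you declare in your own configuration.

```python
"""Lint custom Suricata rules before dropping them into ./suricata/rules/.

Added example, not Malcolm's or Suricata's own code. Flags: headers that do
not parse, undefined $VARIABLES, missing msg/sid/rev, duplicate sids, and
sids outside the conventional local range.
"""
import re

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# Address and port groups defined in Suricata's default suricata.yaml.
KNOWN_VARS = {
    "HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "SMTP_SERVERS", "SQL_SERVERS", "DNS_SERVERS",
    "TELNET_SERVERS", "AIM_SERVERS", "DC_SERVERS", "DNP3_SERVER", "DNP3_CLIENT", "MODBUS_CLIENT",
    "MODBUS_SERVER", "ENIP_CLIENT", "ENIP_SERVER", "HTTP_PORTS", "SHELLCODE_PORTS", "ORACLE_PORTS",
    "SSH_PORTS", "DNP3_PORTS", "MODBUS_PORTS", "FILE_DATA_PORTS", "FTP_PORTS", "GENEVE_PORTS",
    "VXLAN_PORTS", "TEREDO_PORTS",
}

# Conventional sid range for locally authored rules (vendor feeds use higher ranges).
LOCAL_SID_RANGE = (1_000_000, 1_999_999)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sp>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dp>\S+)\s+\((?P<body>.*)\)\s*$"
)

# Constructed sample file; the mistakes are deliberate.
SAMPLE_RULES = """\
# custom-ics.rules (constructed sample)
alert modbus !$ENG_NET any -> $HOME_NET 502 (msg:"ICS Modbus write from non-engineering host"; modbus: function 6; classtype:bad-unknown; sid:1000001; rev:1;)
alert dnp3 any any -> $HOME_NET 20000 (msg:"DNP3 cold restart request"; dnp3_func:cold_restart; classtype:attempted-dos; sid:1000002; rev:1;)
alert tcp any any -> any 502 (msg:"rule with no sid or rev";)
alert modbus any any -> $HOME_NET 502 (msg:"duplicate sid"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"sid outside local range"; sid:5; rev:1;)
"""


def split_options(body):
    """Split the option body on ';' while respecting quoted strings and
    backslash escapes, so a ';' inside msg:"..." does not end the option."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_options(body):
    """Map option keyword -> list of values (keywords such as content may repeat)."""
    parsed = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        parsed.setdefault(key.strip(), []).append(val.strip())
    return parsed


def lint_rules(text):
    """Return a list of 'line N: ...' findings; an empty list means the file is clean."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append(f"line {n}: rule header does not parse")
            continue
        if m["action"] not in ACTIONS:
            findings.append(f"line {n}: unknown action {m['action']!r}")
        for field in ("src", "sp", "dst", "dp"):
            for var in re.findall(r"\$(\w+)", m[field]):
                if var not in KNOWN_VARS:
                    findings.append(f"line {n}: undefined variable ${var} (rule will not load)")
        opts = parse_options(m["body"])
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                findings.append(f"line {n}: missing required option {required}")
        if "sid" in opts:
            try:
                sid = int(opts["sid"][0])
            except ValueError:
                findings.append(f"line {n}: sid is not an integer")
                continue
            if sid in seen_sids:
                findings.append(f"line {n}: duplicate sid {sid} (first seen on line {seen_sids[sid]})")
            else:
                seen_sids[sid] = n
                lo, hi = LOCAL_SID_RANGE
                if not lo <= sid <= hi:
                    findings.append(f"line {n}: sid {sid} outside local range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run it over every file you intend to place in ./suricata/rules/ before restarting the stack. The final authority is still Suricata's own loader: `suricata -T -c <suricata.yaml> -S <file>` tests a configuration and a rule file without capturing traffic, and its log will name the exact rule it rejected.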

Tradeoffs and Considerations

  • Malcolm runs Suricata in IDS mode only (passive monitoring of a TAP/SPAN feed or uploaded PCAP). For inline IPS blocking, deploy a standalone Suricata instance on the network segment; Malcolm is for visibility, not prevention
  • Suricata inside Malcolm shares CPU and RAM with Zeek, OpenSearch, and Arkime. On a minimum-spec 8-core machine, Suricata may drop packets under high-throughput traffic, and dropped packets mean missed alerts; budget 16+ cores for production and watch Suricata's capture statistics for drops
  • Malcolm runs suricata-update at container startup and on the schedule set by SURICATA_REFRESH_CRON_EXPRESSION in config/suricata.env; check those settings before adding your own cron job inside the container, and note that a refresh reloads rules but not packets already processed
  • If you already run standalone Suricata sensors (for example Malcolm's own Hedgehog Linux sensor, which runs Zeek and Suricata and forwards their logs), Malcolm can ingest their EVE JSON output instead of running its own Suricata instance on the same traffic