Suricata

Suricata inspects network traffic at wire speed, matching against rule sets for 20+ protocols including MQTT, Modbus, and DNP3.

Suricata sits on a network span port or inline tap and inspects every packet flowing through your infrastructure. It runs three detection modes: signature matching against thousands of community rules (compatible with Snort rules out of the box), inline prevention that drops malicious packets before they reach targets, and network security monitoring that logs protocol transactions in EVE JSON format for forensic analysis.

Suricata is developed by the Open Information Security Foundation (OISF), with early backing from the US Department of Homeland Security. It has been active since 2009 and is widely deployed across government, enterprise, and industrial environments.

Key features

  • Multi-threaded engine — distributes packet capture, decoding, and detection across CPU cores. Handles 10+ Gbps on commodity hardware when tuned.
  • 20+ protocol parsers including HTTP, TLS, DNS, SMB, plus industrial protocols: MQTT, Modbus, DNP3, EtherNet/IP
  • Snort rule compatibility — use existing Snort community and commercial rule sets without conversion
  • IDS and IPS modes — passive monitoring or inline blocking via AF_PACKET and Netfilter/NFQUEUE
  • EVE JSON output — structured logs that feed directly into Wazuh, ELK, Splunk, or Grafana
  • Lua scripting for custom detection logic beyond standard rules
  • Automatic protocol detection on non-standard ports
  • File extraction from HTTP, SMTP, FTP, NFS, and SMB streams

What Suricata does for OT networks

OT networks were designed for reliability, not security — flat segments, legacy protocols, air-gap assumptions that no longer hold. Suricata is one of the few open-source IDS engines with built-in parsers for industrial protocols.

The MQTT parser catches anomalies in IIoT message buses. Community rule sets from CyberICS and NSA/CISA EliteWolf provide OT-specific signatures for Modbus function code abuse, unauthorized DNP3 commands, and suspicious traffic patterns between network zones.

That said, Suricata is a general-purpose network IDS that happens to support industrial protocols — it's not an OT-specific product. Most of its 20+ parsers are IT protocols (HTTP, TLS, DNS, SMB). The OT coverage is real but narrower than dedicated ICS security tools.

Getting started

Hardware: 4+ CPU cores, 8 GB RAM minimum for production. SSD recommended for log volumes. You need a SPAN port or network TAP to mirror traffic to the Suricata sensor.

Deployment                    Use case
Native packages (apt/yum)     Production Linux servers, dedicated sensors
Docker container              Quick evaluation, CI/CD, isolated environments
Kubernetes DaemonSet          Monitoring pod-to-pod traffic in clusters
SELKS (Stamus Networks)       Turnkey platform bundling Suricata + ELK + Scirius rule management

Rule tuning is where the real work is. Out-of-the-box rules generate false positives, especially on industrial protocols that reuse common ports. Budget 2-4 weeks to tune for your environment before trusting alert quality.
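As an added example (not code from the Suricata project or from this page), the following Python script shows the tuning loop described above: it reads EVE JSON alert lines, counts hits per signature and source address, and emits candidate threshold.config "suppress" lines for an analyst to review. The sample events, signature IDs and IP addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not captured from a real sensor);
# signature IDs and addresses are made up for the example.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T09:00:01.000000+0000","event_type":"alert","src_ip":"10.1.1.5","dest_ip":"10.1.2.20","proto":"TCP","app_proto":"modbus","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"MODBUS write single register","severity":2}}
{"timestamp":"2024-01-10T09:00:02.000000+0000","event_type":"alert","src_ip":"10.1.1.5","dest_ip":"10.1.2.20","proto":"TCP","app_proto":"modbus","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"MODBUS write single register","severity":2}}
{"timestamp":"2024-01-10T09:00:03.000000+0000","event_type":"flow","src_ip":"10.1.1.5","dest_ip":"10.1.2.20","proto":"TCP","app_proto":"modbus"}
{"timestamp":"2024-01-10T09:00:04.000000+0000","event_type":"alert","src_ip":"10.9.9.9","dest_ip":"10.1.2.21","proto":"TCP","app_proto":"dnp3","alert":{"gid":1,"signature_id":9000002,"rev":1,"signature":"DNP3 cold restart","severity":1}}
not json at all
"""

def parse_alerts(text):
    """Yield only event_type == "alert" records; skip blank, malformed and non-alert lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may end in a truncated line; never crash on it
        if event.get("event_type") == "alert" and "alert" in event:
            yield event

def alert_summary(text):
    """Return (hits per (sid, src_ip), hits per app_proto, sid -> signature name)."""
    by_sid_src, by_proto, names = Counter(), Counter(), {}
    for event in parse_alerts(text):
        alert = event["alert"]
        sid = alert["signature_id"]
        by_sid_src[(sid, event.get("src_ip"))] += 1
        by_proto[event.get("app_proto", "unknown")] += 1
        names[sid] = alert["signature"]
    return by_sid_src, by_proto, names

def suppress_candidates(by_sid_src, min_hits=2):
    """threshold.config 'suppress' lines for (sid, src) pairs firing >= min_hits times.
    Candidates only: confirm the source is known-benign before deploying."""
    return sorted(
        f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
        for (sid, src), hits in by_sid_src.items() if hits >= min_hits
    )

if __name__ == "__main__":
    sid_src, _, _ = alert_summary(SAMPLE_EVE)
    print("\n".join(suppress_candidates(sid_src)))
```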

Technical specs

  • C engine, multi-threaded with AF_PACKET and PF_RING support
  • GPL-2.0 license
  • 6,104 GitHub stars, 1,674 forks, 308 contributors
  • Active since 2009, backed by OISF
  • Major version releases roughly annually

Limitations

  • Rule tuning is not optional. The default rule sets are noisy, and industrial protocols trigger false positives until you invest time customizing thresholds and suppression lists for your specific network.
  • No GUI management interface. Configuration is YAML files and command-line. SELKS or SecurityOnion add a management UI on top, but vanilla Suricata is terminal-only.
  • Resource consumption scales with throughput and rule count. A busy 10 Gbps link with 30K rules needs serious hardware — 8+ cores and 32 GB RAM.
  • IPS inline mode adds latency. Many OT deployments start with IDS-only monitoring and only enable inline blocking on non-critical segments where the risk of dropping legitimate traffic is acceptable.
  • OT protocol coverage is real but limited compared to commercial ICS security products. Modbus, DNP3, and MQTT are supported; proprietary PLC protocols (S7, EtherNet/IP deep inspection) are community-contributed and less mature.

Kind: Software
Vendor: Open Information Security Foundation (OISF)
License: Open Source
Website: suricata.io