I’m excited to share some big news! We’ve just rolled out a massive update to DetectionStream, and it’s one that I had planned to add for a while: full Suricata integration.
It hasn’t been that long, but the feedback I’ve received for DetectionStream has been overwhelmingly positive. People love the tool for working with detection rules, but it was primarily focused on endpoint and log-based detections with frameworks like Sigma and YARA. I wanted to expand and show some love to the network-based detections, and Suricata was the obvious choice.
Suricata is an open-source powerhouse for network intrusion detection (an IDS), and by bringing it into the DetectionStream family, we’re giving you a single platform to search for and manage Suricata rules.
We didn’t just add Suricata support; we went all in. DetectionStream now comes pre-loaded with the entire Emerging Threats Open ruleset, which is over 45,000 rules! This means you have a massive library of network-based detections at your fingertips from day one, ready to be searched, analyzed, and deployed.
Of course, you’re not limited to the pre-loaded rules. You can now create your own Suricata rules directly within DetectionStream. Whether you’re crafting a quick rule for IOC scanning on exported PCAPs or building custom detections for your environment, you can write, test, and save your rules all in one place.
And because community is at the heart of what we do, you can also share your rules with others!
This is the part I’m most excited about. I’ve built an interactive Suricata Playground that lets you test your rules against PCAP files directly in your browser. You don’t need to set up a local Suricata instance or spin up a lab environment (with a caveat, more on that below).
How it works:
It’s a simple, fast, and private way to validate your rules. All the parsing and matching happens on the client-side, so your PCAP files never leave your browser.
I want to be transparent about how the playground works under the hood. Instead of running a full Suricata engine on a server, we’ve built a lightweight Suricata simulator in TypeScript that runs entirely in your browser. This approach has some significant benefits, especially for privacy and instant feedback.
When you upload a PCAP, it’s parsed on the client-side, and our simulator mimics Suricata’s signature matching logic for stateless rules. It supports common protocols like TCP, UDP, HTTP, DNS, and TLS, and keywords such as content, nocase, http.uri, dns.query, and tls.sni.
To ensure that the rules are effective and not just lazy (e.g., alert ip any any -> any any), we’ve implemented a system we call "Explicit Packet Targeting."
Here’s how it works for the upcoming challenges: when a challenge is created, we run the solution rule and record exactly which packets in the PCAP should trigger an alert. When you submit your rule, it must alert on that exact set of packets — no more, no less. This ensures that your rule is precise and doesn’t generate false positives.
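To make the matching and the "Explicit Packet Targeting" check concrete, here is an added illustration in TypeScript (the simulator's language). It is not DetectionStream's own code: the rule grammar is cut down to `alert <proto> any any -> any any (content:"..."; [nocase;])`, and the capture is a constructed list of packets rather than a parsed PCAP.

```typescript
// Reduced stateless matcher plus the "Explicit Packet Targeting" comparison.
// Hypothetical code for illustration; not DetectionStream's implementation.

type Proto = "tcp" | "udp";
interface Packet { id: number; proto: Proto; payload: string }
interface Rule { proto: Proto | "ip"; content: string; nocase: boolean }

// Parse the reduced rule syntax; anything outside it is rejected as unsupported.
function parseRule(text: string): Rule {
  const m = /^alert\s+(tcp|udp|ip)\s+any\s+any\s+->\s+any\s+any\s+\((.*)\)$/.exec(text.trim());
  if (!m) throw new Error("unsupported rule syntax: " + text);
  const opts = m[2];
  const content = /content:\s*"([^"]*)"/.exec(opts);
  return { proto: m[1] as Rule["proto"], content: content ? content[1] : "", nocase: /\bnocase\s*;/.test(opts) };
}

// Stateless match: protocol filter plus a single content pattern, honouring nocase.
function matches(rule: Rule, pkt: Packet): boolean {
  if (rule.proto !== "ip" && rule.proto !== pkt.proto) return false;
  if (rule.content === "") return true; // a "lazy" rule with no content alerts on everything
  const hay = rule.nocase ? pkt.payload.toLowerCase() : pkt.payload;
  const needle = rule.nocase ? rule.content.toLowerCase() : rule.content;
  return hay.indexOf(needle) !== -1;
}

// Ids of the packets a rule alerts on, in capture order.
function alertingPackets(ruleText: string, pcap: Packet[]): number[] {
  const rule = parseRule(ruleText);
  return pcap.filter((p) => matches(rule, p)).map((p) => p.id);
}

interface Verdict { pass: boolean; missed: number[]; extra: number[] }

// Explicit Packet Targeting: the submission passes only if it alerts on exactly the
// packet set recorded from the solution rule (no misses, no false positives).
function validate(solutionRule: string, submittedRule: string, pcap: Packet[]): Verdict {
  const expected = alertingPackets(solutionRule, pcap);
  const got = alertingPackets(submittedRule, pcap);
  const missed = expected.filter((id) => got.indexOf(id) === -1);
  const extra = got.filter((id) => expected.indexOf(id) === -1);
  return { pass: missed.length === 0 && extra.length === 0, missed: missed, extra: extra };
}

// Constructed sample capture (not a real PCAP): three HTTP requests over TCP, one DNS query over UDP.
const SAMPLE_PCAP: Packet[] = [
  { id: 1, proto: "tcp", payload: "GET /index.html HTTP/1.1" },
  { id: 2, proto: "tcp", payload: "GET /admin/backup.zip HTTP/1.1" },
  { id: 3, proto: "tcp", payload: "GET /ADMIN/login HTTP/1.1" },
  { id: 4, proto: "udp", payload: "dns query example.com" },
];

// Solution rule for the sample challenge: the recorded target set is packets 2 and 3.
const SOLUTION = 'alert tcp any any -> any any (content:"/admin/"; nocase;)';
```

A lazy `alert ip any any -> any any ()` submission fails with packets 1 and 4 reported as extra, and a case-sensitive `content:"/admin/"` fails with packet 3 reported as missed.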
A Quick Note on Limitations:
To make this client-side simulation possible, we had to make some trade-offs. The playground is designed for quick validation of stateless, content-driven rules. It’s perfect for checking if your basic patterns and content matches are working as expected.
However, it doesn’t support more advanced, stateful features like flowbits, pcre, or byte_test. For those, you’ll still want to validate your rules on a full Suricata sensor. We believe the playground is a powerful assistive tool that will speed up your workflow, even with these limitations.
We’re not stopping here. Soon, we’ll be introducing Suricata Challenges to the platform. Just like our Sigma challenges, you’ll be able to test your skills by writing Suricata rules to solve real-world scenarios, compete on the leaderboard, and earn bragging rights.
The same “Explicit Packet Targeting” methodology will be used to validate your challenge submissions, ensuring a fair and competitive environment that rewards precision and accuracy.
Want to try it out now? I’ve created a sample challenge for you to get started. Give it a shot and see if you can write a detection rule that passes the validation:
👉 Try the Sample Suricata Challenge
This update is all about empowering you to build better network detections and to learn and experiment with Suricata along the way. I’d love for you to jump in, explore the new features, and let me know what you think. Your feedback is what drives this platform forward.
Check out the new Suricata integration here: http://detectionstream.com/suricata
As always, thanks for being part of this community! 🙏