
Optimizing Traffic for Suricata Deployments

Ultra-Scale Packet-Flow Traffic Optimization Built for Cyber Security Requirements

What Is Suricata?

Suricata is a powerful open-source security tool that combines high-performance threat detection, intrusion detection, intrusion prevention, network security monitoring and packet capture capabilities.

Since network traffic represents an essential vantage point to identify emerging threats and active intrusions, the Suricata Network Sensor is at the heart of any successful deployment.

Impaired Sensor performance can lead to critical gaps in network visibility, which can result in attacks going undetected – enabling them to dwell longer and propagate deeper across the network.

The Challenge: Massive Network Traffic Volumes

The volume and velocity of network traffic have grown by many orders of magnitude and will continue to grow exponentially. One hour of network traffic on a single 100G link can reach 45 terabytes. This traffic growth strains most security platforms.

The challenge is that not all network traffic flows are created equal. Some traffic, such as encrypted traffic, cannot always be analyzed, while some other traffic types are less likely to contain indicators of malicious activity and are not useful to monitor.

Optimize Network Traffic to Scale Suricata Capacity

Inspecting every packet against thousands of attack signatures for hundreds or thousands of concurrent flows requires significant processing resources. Even with Suricata’s bypass capabilities, the Suricata Sensor is easily overwhelmed by the massive amount of traffic to monitor and analyze.

But not all network traffic needs to be analyzed.

NetQuest helps maximize Suricata Sensor performance by offloading irrelevant traffic and delivering only high-value traffic for analysis. Intelligent traffic optimization keeps unwanted packets from reaching the Sensor and storage layers and significantly increases the scale and capacity of the Suricata Sensor and other packet collection tools.

Optimize Your Suricata Solution

To extend the capacity of your Suricata Sensors, it is important to focus traffic collection on the packet traffic that matters.

  • Improve visibility and accelerate threat detection
  • Increase traffic retention time for historical analysis
  • Extend visibility points to more places

How NetQuest Packet Services Broker Helps

The NetQuest Packet Services Broker brings significant value to Suricata deployments by intelligently assessing, conditioning, and optimizing network traffic to automate the delivery of only relevant, high-value packets to the Suricata Sensor.

A single Packet Services Broker can support multiple Suricata Sensors and provides the density, performance and packet optimization capabilities needed to inspect and optimize petabytes of network packets per hour for both cleartext and encrypted traffic.

Multi-Terabit, Wire-Speed Intelligent Packet Optimization Services

Optimize Suricata Resources and Increase Sensor Scale

Deliver Only Relevant Packets for Analysis and Storage

Eliminating low-value packet traffic improves Suricata Sensor efficiency and delivers immediate operational value:

  • Deliver only high-value packets to the Suricata Sensor, eliminating the processing burden of low-value traffic
  • Optimize specific flow types, such as encrypted or streaming traffic, to improve Sensor performance
  • Remove unwanted packet elements to improve traffic ingest efficiency and meet privacy and compliance requirements
  • Header stripping and protocol de-encapsulation make packets easier to ingest and analyze in Suricata
  • Reduce storage requirements and increase packet retention times

Reduce Unwanted Network Traffic by 80% or More

Intelligent packet optimization can reduce monitored network traffic volumes by up to 80%, and in some cases more, without compromising the integrity and value of the network traffic to be analyzed.

Packet optimization frees valuable Sensor and NIC resources from assessing every packet crossing the wire, enabling the Suricata Sensor to focus on analyzing the traffic flows that matter.

Traffic optimization means fewer Sensors are required. This reduces instrumentation costs and optimizes rack space utilization while enabling more pervasive visibility.

Key Capabilities

Ultra-Scale Traffic Filtering

A high-capacity, real-time traffic policy engine performs advanced traffic classification and filtering for all traffic before it reaches the Suricata Sensor:

  • Flexible policies forward high-value traffic to Suricata Sensors and discard low-value traffic
  • High-scale IP prefix lists enable precise traffic prioritization for services, IP addresses, and CIDRs
  • Change filtering rules on demand to adapt to traffic characteristics and new threat activity

Encrypted Traffic Optimization

Automatically recognize encrypted packets and apply automated actions to optimize traffic for delivery to the Suricata Sensor without slow and expensive decryption:

  • Recognize and optimize encrypted packets such as SSH, TLS and QUIC
  • Forward headers and handshake packets and discard encrypted payloads
  • Drop low-value encrypted traffic based on IP prefix list or service type
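The prefix-list filtering and encrypted-traffic conditioning described in the two capability lists above, modelled as an added Python example (not NetQuest code; the broker's real policy language is not on this page). The packets, the drop prefix and the TLS record-header check are constructed assumptions, and the model decides per packet where a real broker tracks whole flows at wire speed.

```python
import ipaddress
from dataclasses import dataclass, replace
TLS_TYPES = {20, 21, 22, 23}   # change-cipher-spec, alert, handshake, app data

@dataclass(frozen=True)
class Packet:                  # constructed stand-in for a captured packet
    src: str
    dst: str
    payload: bytes = b""

def tls_content_type(payload):
    """Type of the first TLS record, or None if no plausible record header."""
    if len(payload) < 5 or payload[0] not in TLS_TYPES:
        return None
    return payload[0] if payload[1] == 3 and payload[2] <= 4 else None

class BrokerPolicy:
    def __init__(self, drop_prefixes):
        # Hypothetical prefix list of low-value ranges (e.g. a backup subnet)
        self.drop_nets = [ipaddress.ip_network(p) for p in drop_prefixes]

    def decide(self, pkt):
        """Return (action, packet): DROP, TRIM (headers only) or FORWARD."""
        ips = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
        if any(ip in net for ip in ips for net in self.drop_nets):
            return "DROP", None
        if tls_content_type(pkt.payload) == 23:
            # Ciphertext the sensor cannot inspect: keep headers for flow state
            return "TRIM", replace(pkt, payload=b"")
        return "FORWARD", pkt  # handshakes and cleartext reach the sensor

def condition(policy, packets):
    """Apply the policy; return delivered packets and payload bytes in/out."""
    delivered, bytes_in, bytes_out = [], 0, 0
    for pkt in packets:
        bytes_in += len(pkt.payload)
        _, out = policy.decide(pkt)
        if out is not None:
            delivered.append(out)
            bytes_out += len(out.payload)
    return delivered, bytes_in, bytes_out
# Constructed samples: ClientHello, encrypted app data, cleartext HTTP, and
# encrypted traffic to a range on the drop list.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"),
    Packet("192.0.2.10", "10.0.0.5", b"\x17\x03\x03\x00\x03\xaa\xbb\xcc"),
    Packet("10.0.0.5", "203.0.113.7", b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.5", "198.51.100.20", b"\x17\x03\x03\x00\x01\x00"),
]
DROP_PREFIXES = ["198.51.100.0/24"]
```

Running `condition(BrokerPolicy(DROP_PREFIXES), SAMPLE_PACKETS)` delivers three of the four packets with the encrypted payload stripped, which is the byte reduction the page attributes to the broker.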

Optimize Streaming Services

Recognize and optimize streaming services traffic, such as voice or video:

  • Drop streaming services packets
  • Forward only session set-up packets and drop content payload packets
  • Optimize other known traffic types, such as large flows or traffic between trusted hosts or applications

IPFIX Flow Metadata Generation

Generate 1:1 unsampled IPFIX metadata from the same optimized packet traffic to support multiple monitoring platforms and use cases:

  • Standard layer 2/3/4 NetFlow-like metadata
  • Enriched metadata with layer 4-7 application, protocol, and encrypted traffic details
  • Reduce TCO and the operational complexity of managing multiple probes and sensors

Scaling Traffic Monitoring Coverage

A single Packet Services Broker can receive traffic from many TAP or SPAN observation points and can deliver and load balance the conditioned packets to one or many Suricata Sensors to scale monitoring capacity.

  • Packet traffic from multiple lower-speed links can be aggregated, optimized, and delivered to a single Sensor
  • Traffic from higher-speed 100G links can be optimized and delivered to one or more Sensors to scale ingest capacity

Suricata Deployment Examples

High-Speed Link Into a Lower Speed Sensor

Monitor multiple links and deliver optimized traffic to a single Suricata Sensor.

Multiple Low-Speed Links Into a Single Sensor

Monitor multiple lower speed links and feed optimized packet traffic into a single Suricata Sensor.

Multiple Links into Multiple Sensors

Monitor multiple high-speed links and optimize and load balance the packet traffic into multiple Suricata Sensors at scale.

Expand Coverage with East-West Traffic Monitoring

Cyberattacks use lateral movement to infiltrate as many devices as possible. Expand visibility to more places by optimizing East-West traffic and delivering only relevant packet traffic to Suricata Sensors.

Deliver Optimized Traffic to Multiple Upstream Security Tools

Support multiple security use cases and deliver optimized traffic to Suricata Sensors and multiple security tools and packet capture devices to reduce CapEx and TCO.


Resources

Network Traffic Optimization Considerations for Optimizing Suricata Deployments

The complexity and volume of today’s network traffic continually challenge the collection and ingest of the traffic needed to extract critical intelligence.

This Technical White Paper from NetQuest examines these challenges and outlines practicable approaches to intelligently identify and deliver only relevant and monitorable traffic to the Suricata Sensor to optimize capacity, streamline analysis, and extend historical forensics capacity. Optimizing traffic can reduce instrumentation costs and remove the barriers to expanding visibility for critical observation points, such as East-West network links.

Download our Technical Whitepaper now to learn how NetQuest can bring significant value to your Suricata deployment to help scale Suricata performance.
