IDS Threat Detection (Suricata)

TracePcap integrates Suricata as an offline, signature-based intrusion detection engine. It runs as a Stage 3 enrichment pass alongside nDPI and tshark, surfacing rule-based threat alerts next to each conversation so that known-bad traffic patterns are flagged automatically.

Unlike a live IDS sensor, Suricata here runs in offline pcap-read mode (suricata -r) over each uploaded capture — there is no live interface tap and no network egress. The Emerging Threats Open ruleset is bundled into the backend Docker image at build time, so detection works fully offline with no runtime rule downloads.

How it works

  1. After packet parsing and nDPI classification, Suricata reads the PCAP and evaluates it against the bundled ruleset.

  2. Alert events from Suricata’s eve.json output are parsed and mapped onto the conversations they belong to.

  3. Matching alert signatures are stored on each conversation and counted into a security-alert total shown across the UI.

Suricata is gated independently of nDPI — it has its own per-file toggle, so you can run one without the other.

Enabling Suricata

Suricata detection is selected per file at upload time:

  • In the upload analysis-options modal shown after file selection, tick “Suricata IDS threat detection”. It is off by default because it adds significant processing time.

  • The same toggle applies when merging PCAPs.

A deployment-wide kill-switch, SURICATA_ENABLED (default true), can disable Suricata for every upload regardless of the per-file choice — set it to false to skip IDS analysis across the board. See Environment Variables.

Note

Suricata adds meaningful processing time to analysis. Leave it off for quick triage and enable it when you specifically want signature-based threat detection on a capture.

Viewing IDS Alerts

IDS Alerts appear wherever conversations are shown:

  • Conversation list — a purple IDS Alerts column shows the matched signatures as badges (long labels are truncated with a tooltip).

  • Conversation detail — the full list of alert signatures for that conversation.

  • Security alert count — Suricata matches contribute to the per-conversation security-alert total alongside nDPI risk flags.

  • CSV export — the suricataAlerts column is included in conversation CSV exports.

Filtering by IDS Alert

The conversation filter panel has a searchable IDS Alerts facet. Pick one or more alert signatures to show only conversations that matched them. The available values are populated from the distinct alerts present in the current file, so the list reflects what was actually detected.

Offline Operation

Suricata fits the project’s offline requirement (see Offline / Air-Gapped Deployment):

  • The Suricata binary and the Emerging Threats Open ruleset are baked into the backend image at build time.

  • No rules are fetched at runtime and no telemetry leaves the host.

  • The ruleset version is recorded in the image (/opt/suricata-ruleset-version). To refresh the rules, rebuild the backend image.