## Overview
Connect Suricata network sensors directly to Argus and turn raw EVE JSON alerts into correlated, analyst-ready threat events without manual pivoting between tools.
Argus integrates with Suricata, the high-performance open-source Intrusion Detection and Prevention System maintained by the Open Information Security Foundation (OISF). EVE JSON alert logs produced by Suricata sensors are ingested directly into Argus, normalised into structured alert records, and made available for cross-correlation with threat intelligence feeds, MISP indicators, and Sigma rule matches. This closes the loop between network-level detection and the broader operational intelligence picture, transforming network telemetry into actionable security events.

A critical infrastructure operator using this integration identified a pattern of low-frequency DNS queries to an algorithmically generated domain, originating from an OT historian server, within 48 hours of connecting their Suricata sensors. Cross-correlation with MISP indicators from a sector-specific ISAC confirmed the traffic matched a known ICS-targeting threat actor's command-and-control profile. The same outcome would have required manual pivoting across four separate tools without the automated correlation layer.
## Key Features
- EVE JSON Batch Ingestion: Submit raw EVE JSON log lines in batches. Argus parses and normalises `alert`, `dns`, `http`, `tls`, `flow`, and `fileinfo` event types into structured threat signal records capturing signature ID, rule name, severity, source and destination IP and port, protocol, category, and action. Rule-name-based deduplication prevents alert floods from a single repeated signature overwhelming analyst queues during active attack phases.
- API Polling: For deployments where Suricata exposes its local REST API, Argus polls the endpoint on a configurable interval to retrieve new alerts. Both push-based (log file / log shipper) and pull-based (API polling) deployment patterns are supported, accommodating centralised log aggregators and edge-deployed sensors in remote or air-gapped environments alike.
- Alert Inventory and Cross-Correlation: Query the full alert inventory filtered by signature ID, severity, source IP, or time range. Suricata alerts can be cross-referenced against MISP indicators and Sigma rules so that network-level IDS signals confirm or extend threat intelligence feeds. This correlation capability is especially valuable during threat hunting, where accumulated alert history provides the raw material for identifying low-and-slow attack patterns that real-time alerting misses.
- Clearance-Aware Alert Access: Alert records carry classification labels (UNCLASSIFIED through SECRET) enabling multi-level network monitoring. Traffic from classified network segments can be ingested with higher classification labels, restricting visibility to analysts holding the appropriate clearance. This directly supports coalition and national-security network monitoring scenarios where sensor telemetry from classified segments must remain isolated from lower-clearance analyst views.
- Full Audit Trail: Every EVE batch ingestion and API poll cycle generates a structured ingest audit record, providing a complete log of all data flowing into the platform from network sensor sources.
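The ingestion and inventory features above, shown as an added example that is not Argus's own code: a normaliser for EVE JSON lines that keeps the fields listed under EVE JSON Batch Ingestion, collapses repeated alerts by rule name, and filters the resulting inventory by signature ID, severity, source IP and time range. The sample batch is constructed for the example (local-range SIDs, invented signature names), and the `ThreatSignal` field names and the first-occurrence-wins deduplication policy are assumptions of the example rather than documented Argus behaviour.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# EVE event types the page says are normalised; anything else is skipped.
SUPPORTED_EVENT_TYPES = {"alert", "dns", "http", "tls", "flow", "fileinfo"}

@dataclass
class ThreatSignal:
    """Normalised record carrying the fields the page lists (None where not applicable)."""
    event_type: str
    timestamp: datetime
    src_ip: str
    src_port: Optional[int]
    dest_ip: str
    dest_port: Optional[int]
    proto: str
    signature_id: Optional[int] = None
    rule_name: Optional[str] = None
    severity: Optional[int] = None
    category: Optional[str] = None
    action: Optional[str] = None
    count: int = 1  # raw alerts collapsed into this record by deduplication

def parse_eve_timestamp(value: str) -> datetime:
    """EVE timestamps look like 2024-03-01T10:15:30.123456+0000; %z accepts +0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def normalise_line(line: str) -> Optional[ThreatSignal]:
    """Parse one EVE JSON line; malformed or unsupported events yield None."""
    try:
        ev = json.loads(line)
        if ev.get("event_type") not in SUPPORTED_EVENT_TYPES:
            return None
        alert = (ev.get("alert") or {}) if ev["event_type"] == "alert" else {}
        return ThreatSignal(
            event_type=ev["event_type"],
            timestamp=parse_eve_timestamp(ev["timestamp"]),
            src_ip=ev.get("src_ip", ""),
            src_port=ev.get("src_port"),
            dest_ip=ev.get("dest_ip", ""),
            dest_port=ev.get("dest_port"),
            proto=ev.get("proto", ""),
            signature_id=alert.get("signature_id"),
            rule_name=alert.get("signature"),
            severity=alert.get("severity"),
            category=alert.get("category"),
            action=alert.get("action"),
        )
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # covers bad JSON, non-object JSON and missing/odd fields

def ingest_batch(lines: Iterable[str]) -> list[ThreatSignal]:
    """Normalise a batch; alerts sharing a rule name collapse into one record.

    The first occurrence of a rule name is kept and its count incremented for
    each repeat, so a flood of one signature yields one queue entry rather than
    thousands. Non-alert events (dns, http, ...) are kept one-to-one.
    """
    records: list[ThreatSignal] = []
    first_by_rule: dict[str, ThreatSignal] = {}
    for line in lines:
        rec = normalise_line(line)
        if rec is None:
            continue
        if rec.event_type == "alert" and rec.rule_name is not None:
            if rec.rule_name in first_by_rule:
                first_by_rule[rec.rule_name].count += 1
                continue
            first_by_rule[rec.rule_name] = rec
        records.append(rec)
    return records

def query_alerts(records, *, signature_id=None, severity=None, src_ip=None,
                 since=None, until=None) -> list[ThreatSignal]:
    """Filter the alert inventory by the dimensions the page lists (alerts only)."""
    return [
        r for r in records
        if r.event_type == "alert"
        and (signature_id is None or r.signature_id == signature_id)
        and (severity is None or r.severity == severity)
        and (src_ip is None or r.src_ip == src_ip)
        and (since is None or r.timestamp >= since)
        and (until is None or r.timestamp <= until)
    ]

# Constructed sample batch: the shape follows Suricata's EVE output, but the
# SIDs sit in the local-rule range and the signature names are invented.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:15:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL TEST Repeated scan signature","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2024-03-01T10:15:31.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.9","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL TEST Repeated scan signature","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2024-03-01T10:16:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":49000,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"LOCAL TEST Outbound beacon","category":"Malware Command and Control Activity Detected","severity":1}}',
    '{"timestamp":"2024-03-01T10:16:40.000000+0000","event_type":"dns","src_ip":"10.0.0.7","src_port":53000,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"beacon.example","rrtype":"A"}}',
    '{"timestamp":"2024-03-01T10:17:00.000000+0000","event_type":"stats","stats":{}}',
    '{this line is not valid json',
]
```

Running `ingest_batch(SAMPLE_EVE_LINES)` yields three records: the two scan alerts collapse into one record with `count == 2`, the beacon alert and the DNS query survive one-to-one, and the `stats` event and the broken line are dropped. Deduplicating on rule name alone is what the page describes; it trades per-host detail for queue relief, so the collapsed record keeps the first source and destination and only the count grows.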
## Use Cases
- DMZ and Perimeter Monitoring: Ingest Suricata alerts from perimeter sensors and correlate hits against MISP threat actor indicators of compromise to identify targeted intrusion attempts in near-real-time, giving the SOC immediate context that transforms a raw signature hit into an attributed threat event.
- Threat Hunting: Query accumulated Suricata alert history to hunt for low-and-slow lateral movement patterns that signature-based alerting missed in real time. Historical alert data becomes a structured, filterable dataset analysts can interrogate with precision.
- Malware Command-and-Control Detection: Feed Suricata rulesets covering known C2 communication patterns (Emerging Threats, ET Pro, or custom rulesets) and surface confirmed C2 activity directly in the Argus incident timeline, accelerating containment decisions.
- OT and ICS Network Monitoring: Deploy Suricata sensors at the boundary between corporate IT and operational technology segments to detect anomalous behaviour, lateral movement, and known ICS-targeting signatures without disrupting operational processes.
- Multi-Domain Coalition Operations: Aggregate alerts from sensors deployed across network trust levels and enforce classification-based access control across the combined dataset, supporting multi-domain operations without commingling intelligence across classification boundaries.
## Integration
Suricata alert data is accessible via GraphQL. Queries cover alert listing filtered by signature, severity, source address, and time range, as well as aggregate statistics. Mutations support EVE JSON batch ingestion and API polling configuration. All operations require OAuth 2.0 / JWT authentication and are scoped to the requesting organisation's tenant.
Argus is compatible with Suricata 6.x and 7.x EVE JSON output format. The integration works alongside the Sigma detection rule management module, the MISP indicator cross-referencing module, and the SIEM Connector module for forwarding normalised alerts to downstream SIEM platforms.
Sensors can deliver data via any standard log shipping mechanism (syslog, file tail, Filebeat, Logstash, Fluent Bit) or by enabling the Suricata local REST API for direct polling. No proprietary agent is required.
## Open Standards
- Suricata EVE JSON, native structured log format produced by Suricata; Argus ingests all EVE event types (`alert`, `dns`, `http`, `tls`, `flow`, `fileinfo`) without transformation by the customer.
- Suricata Rules format, compatible with Suricata-native rule syntax, including open rulesets such as Emerging Threats Open and ET Pro; rules are referenced by signature ID and category in normalised alert records.
- MISP core format, normalised Suricata alert fields (IP, port, domain, signature) are cross-correlated against MISP attributes and objects ingested from threat intelligence feeds.
- Sigma, network-layer alert records can be overlaid with Sigma detection logic to extend coverage beyond Suricata's own ruleset using a vendor-neutral detection language.
- OAuth 2.0 and JWT (RFC 7519), all platform API operations, including alert ingestion and query, require bearer tokens issued via the standard OAuth 2.0 authorisation flow.
- GraphQL (June 2018 specification), the alert query and mutation surface is exposed over a typed GraphQL API, enabling precise field selection and composable queries across alert history.
- ISO 22301 (Business Continuity), the full ingest audit trail supports continuity and incident-response obligations requiring evidence of all data flows into the security operations platform.
- NATO STANAG classification markings, alert records carry classification labels aligned with NATO STANAG marking conventions, enabling multi-level security enforcement across coalition deployments.
## Security &amp; Compliance
All alert records are organisation-scoped and access-controlled at the API layer; a user can only retrieve alerts belonging to their own tenant. Classification labels on individual alert records enforce need-to-know access for environments operating at multiple classification levels. The complete ingest audit trail ensures that all data entering the platform from external sensor sources is logged in an immutable, timestamped record, satisfying regulatory requirements for audit evidence in security operations and critical national infrastructure contexts. No raw EVE data is exposed outside the tenant boundary.
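The two controls this section relies on, tenant scoping plus clearance-gated visibility and the per-batch ingest audit record named under Key Features, as an added example that is not Argus's own code. The visibility check applies tenant isolation before the clearance comparison so a foreign tenant's record is never evaluated further, and the audit log is hash-chained so that editing or removing an entry breaks verification of everything after it. The `Principal` shape, the audit field names, and the two intermediate classification levels between the UNCLASSIFIED and SECRET endpoints the page names are assumptions of the example; the sample alerts are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Iterable, Optional

# Ordered lowest to highest. The page names UNCLASSIFIED and SECRET as the
# endpoints; the two intermediate NATO levels are an assumption of this example.
CLASSIFICATION_ORDER = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]

@dataclass(frozen=True)
class AlertRecord:
    alert_id: str
    tenant_id: str
    classification: str
    signature_id: int
    rule_name: str

@dataclass(frozen=True)
class Principal:
    """The caller as established from its bearer token: tenant plus clearance."""
    user_id: str
    tenant_id: str
    clearance: str

def level(label: str) -> int:
    """Rank of a classification label; unknown labels are rejected, never defaulted."""
    if label not in CLASSIFICATION_ORDER:
        raise ValueError(f"unknown classification label: {label!r}")
    return CLASSIFICATION_ORDER.index(label)

def can_view(principal: Principal, alert: AlertRecord) -> bool:
    """Tenant isolation first, then need-to-know: clearance must dominate the label."""
    if principal.tenant_id != alert.tenant_id:
        return False
    return level(principal.clearance) >= level(alert.classification)

def visible_alerts(principal: Principal, alerts: Iterable[AlertRecord]) -> list[AlertRecord]:
    """Filter server-side so an under-cleared or foreign-tenant record never leaves the API."""
    return [a for a in alerts if can_view(principal, a)]

@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str
    tenant_id: str
    source: str
    lines_received: int
    records_created: int
    prev_hash: str
    entry_hash: str = ""

class IngestAuditLog:
    """Append-only, hash-chained log: every entry commits to its predecessor."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    @staticmethod
    def _digest(entry: AuditEntry) -> str:
        body = asdict(entry)
        body.pop("entry_hash")  # the hash covers every other field
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, tenant_id: str, source: str, lines_received: int,
               records_created: int, when: Optional[datetime] = None) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        partial = AuditEntry(len(self._entries), ts, tenant_id, source,
                             lines_received, records_created, prev)
        entry = replace(partial, entry_hash=self._digest(partial))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[AuditEntry]:
        return list(self._entries)

    def verify(self, entries: Optional[list[AuditEntry]] = None) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries if entries is None else entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

# Constructed sample inventory spanning two tenants and two classification levels.
SAMPLE_ALERTS = [
    AlertRecord("a-1", "tenant-alpha", "UNCLASSIFIED", 9000001, "LOCAL TEST Repeated scan signature"),
    AlertRecord("a-2", "tenant-alpha", "SECRET", 9000002, "LOCAL TEST Outbound beacon"),
    AlertRecord("a-3", "tenant-bravo", "UNCLASSIFIED", 9000003, "LOCAL TEST Other tenant"),
]
```

A CONFIDENTIAL-cleared analyst in `tenant-alpha` sees only `a-1`; a SECRET-cleared colleague sees `a-1` and `a-2`; a SECRET-cleared user in `tenant-bravo` sees only `a-3`, regardless of clearance. The chain detects edits and deletions inside the log, but not truncation of the most recent entries; anchoring the latest `entry_hash` somewhere outside the log (a periodic export or a signed checkpoint) is the usual answer to that gap.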
Last Reviewed: 2026-03-18 / Last Updated: 2026-04-14