Josh discusses Suricata with Victor Julien, the founder and lead developer of the Suricata project. Victor explains the history of Suricata, its impact on cybersecurity, and the community that keeps it all running. They also cover challenges like encrypted traffic and the evolution of open-source projects. Victor even gives us a glimpse into what he sees as the future of the project. There’s a lot to learn about Suricata in this one.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, Open Source Security is talking to Victor Julien, the founder and lead developer of Suricata. Victor, I’m very excited to have you here. So I guess to start, why don’t you tell us who you are, and let’s start with what is Suricata?

because it is an amazing project.

Victor Julien (00:15) Thank you, thank you for having me.

So, yes, my name is Victor Julien. I’m from the Netherlands. I’m currently in Amsterdam in the Netherlands. I’m leading the development team of Suricata for the OISF, the foundation that governs and funds Suricata development. I’m a Dutch citizen and so I’ve been born and raised here in the country many, many years ago together with two others from the US.

Matt Jonkman and Will Metcalf. We got this idea that we could build our own IDS/IPS engine, which at the time didn’t have a name yet, but we got together and started sort of dreaming about how we might be able to do that. And we were very lucky; we got funding through DHS in the US, and

So we set up this foundation to govern the technology and the development process. And we had seen some examples of open source that was very successful, but was sort of acquired by big companies. And so we wanted to see if we could set it up such that we would protect it against this kind of sort of takeover or, well, I don’t know if that’s the correct word, but

protected against this corporate influence. So we set up the foundation to really work with the community, and that’s now, I think, 15 years ago or so. I think we’ve done pretty well. Of course my role is mostly on the technical side.

I tell everyone all the time that on the technical side I’m never happy, never satisfied. My list of things that I want to improve is always so long. But yeah, we’ve been doing, I think, quite interesting work, and so I’m quite happy so far.

Josh Bressers (02:22) Yes, it’s interesting for sure. So, I mean, I don’t even know where to start on this one. I guess let’s not dwell on the past too much, but I will say, like, back when Suricata was created, you’re right. There were a bunch of open source projects that all were acquired by a company or something happened to them. And I feel like Suricata has emerged as the kind of unquestioned open source project in the space of, you know, network IDS and IPS.

So, I mean, well done there. I have no doubt the foundation setup you created is what has made that possible. And obviously, as a human existing in this mess of everything, like, I’m glad it’s there. But okay. So tell us, what is Suricata, for anyone who might not be familiar with the project?

Victor Julien (03:08) Yeah, so I think at its heart, Suricata is a network IDS and IPS engine, which for us means we’re capturing traffic.

Josh Bressers (03:19) Okay, let’s hold on. What is IDS and IPS

for anyone unfamiliar with those terms?

Victor Julien (03:22) sure

Intrusion detection system or intrusion prevention system. Although I’ve always taken a bit of issue, I guess, with the S there, the system, because I think Suricata is more like an engine that’s part of a bigger system. And for most people, it’s not the whole thing that they use. Right. So it’s more like the engine in your car and not the car itself. And so what is

It sniffs your traffic or it sits inline in your traffic, tries to make sense of it, rebuilds a state of sort of the talkers on your network, tries to rebuild the state in terms of TCP, in terms of HTTP, DNS and all that kind of stuff. And then it has a rule language that is

essentially a signature language, and you can apply those signatures against that traffic and raise alerts. But in addition to that, Suricata can provide a very rich stream of metadata that you can then feed to your post-processing pipeline, things like your ELK stack or other

tools where you can do sort of higher-level analysis and visualizations and all that. But Suricata is not a visual tool itself, just, essentially, it reads packets and it produces JSON. That’s kind of what it is today.

Josh Bressers (05:03) Sounds so simple when you say it that way. Yeah, and-

Victor Julien (05:07) Conceptually

it is. The devil is in the details obviously.

Josh Bressers (05:09) No, it is not simple. I’m

very familiar with this process and it is definitely not simple. Yeah, I mean, I’ll say, so I used to work at Elastic, and I can think of almost no large environments where Suricata wasn’t there somewhere, because everyone would, yeah, they’d stream the data into Elasticsearch and then they’d create their dashboards and analyze traffic and do threat hunting. And it was amazing, the richness of the data. Okay.

So let’s talk about the kind of signature aspect, ’cause you kind of talked about it a lot. No, hold on, before we do that, I want to ask the question, like, so what you just described sounds a little bit like a firewall. How do we, I actually don’t know how you explain this. Like, how do you explain the firewall versus Suricata dichotomy?

Victor Julien (06:02) Sure, so I think in a sense I see Suricata as three or four different…

has three or four different modes of operation. The primary one that I think most people are most familiar with is the IDS mode. So you’re sitting on the side, you’re sitting on a SPAN port or a tap, you’re getting a copy of the traffic, you’re passive, and the sensor analyzes the traffic, produces alerts and other data that you can then act on.

Then the other quite common mode is IPS mode. In IPS mode, we’re essentially doing the same thing, but now we’re inline and we can make policy decisions based on the rules. We can say this traffic is allowed to pass, this should be blocked. The way I describe it, in IPS mode, we are open by default and we have a rule set that selectively drops things based on signatures of

malware

And then in the last version that we released, we also introduced what we call firewall mode, which is essentially the reverse of the IPS mode. So we start with a default drop policy, nothing passes, and then you have to create a rule set like a typical firewall, like your iptables or nftables, and start allowing traffic to pass through. So that’s sort of the three main modes. And then I guess the fourth is sort of offline

analysis of pcap files, which is used quite a lot as well. So what we see, for example, the IPS mode is used in tools like

OPNsense and pfSense, where it augments a regular firewall rule set like the FreeBSD firewall tooling that is being used in those tools, but then selectively traffic can go to Suricata for deeper inspection, essentially.

Josh Bressers (08:12) And let’s talk about deeper inspection, because now this is one of the really cool things, I think, is Suricata has the ability to, like, peer into packets and really extract interesting information about whatever is happening. Right? ’Cause when we think of firewalls, it’s often like this IP address, this port, and that’s kind of where we’re done now, but that’s not what Suricata does. Right?

Victor Julien (08:35) Correct. Yeah, so first of all, we can just inspect the raw stream, which is the least interesting, but you can just kind of do a network grep kind of thing, right? And just see, like, does this pattern

appear on the wire, yes or no. But more interestingly, what we do is what we call app-layer parsing. Essentially, this is the layer of HTTP, HTTPS, DNS, and SMB and all that, where we sort of decode as much as we can from that protocol and extract files from it and meaningful hashes and logs. And so it goes much deeper than the

for ports and things like that. Which also, of course, means that it’s quite costly to do it, because we’re processing a lot more than just packet headers but also actual content data.

Josh Bressers (09:34) And what about encrypted traffic? What happens if I have encrypted traffic?

Victor Julien (09:37) Right.

So I think encryption is a very interesting challenge for tools like Suricata, because it’s definitely a good thing that encryption happens, of course. But sort of years ago, when there was less encryption, you would have a lot more visibility. Of course, there are many ways to still deal with encrypted traffic. So the first thing is…

with the older TLS versions, you can still look at certificates and stuff. You have the hashing like JA3 and JA4, where you can sort of fingerprint connections. And then there is quite a bit of tooling that allows you to decrypt traffic. Suricata itself will not decrypt your traffic, but it will work

that can then produce an unencrypted stream. And then lastly, the thing that we are working on quite a bit lately is, Suricata is a tool, but we’re exposing more and more of the functionality in a library. And the idea there being that this library could be hooked into other tooling before the traffic is encrypted. And we have

seen open source users of this, we are aware of a few commercial users of this. So this is another way of dealing with encrypted traffic.

Josh Bressers (11:13) For sure. Okay, so I had not put this together in my brain before, but yes, when Suricata was created back in what, 2008, 2009, unencrypted web traffic was very, very common. In fact, it was almost certainly more common than encrypted traffic. Oh man. Wow. What a wild change to have to go through.

Victor Julien (11:27) Yes, absolutely. Yep.

Absolutely, yes. And of course there is still a whole lot of traffic which is not so much on the internet. For example, we just last November did SuriCon, our annual user conference, and

things that we talk about with the community is sort of, well, brainstorm with us about what the roadmap should look like for development, and there was a lot of interest expressed in OT networks, so in just industrial protocols, and yeah, encryption in those kinds of protocols is mostly missing,

even basic security features are missing. So there are still very large parts of networks that are not encrypted and probably also will not be encrypted anytime soon. So even if the internet is mostly encrypted, the local networks are much less so.

Josh Bressers (12:09) yeah.

Oh man, yeah, I guess I hadn’t thought of that part either, but yes, in the IoT universe, it’s a mess. That will be my polite explanation of that.

Victor Julien (12:38) Yeah.

It is quite messy. Also with the OT networks, where the life cycles of equipment are so much longer than in…

Josh Bressers (12:49) Yes.

Victor Julien (12:53) consumer and small business world.

Josh Bressers (12:57) So OT, for anyone who doesn’t know, that’s operational technology. It’s kind of the IoT universe and this whole space. Like you mentioned, it’s not like consumer devices. And this is something, as an IT person, I struggle with, because in my world, what, like three years and we’re talking about deprecating hardware.

And in, like, factory settings and IoT settings, there are machines that have been running for 20 years and are going to run for 20 more years. And I know everyone’s like, don’t hook it up to the internet, but we always hook it up to the internet. Like, it’s almost inevitable, I think. So teaching Suricata to understand these things is very cool, actually. So let me ask you about that. So in my brain, and this is, I do not have a deep understanding of a lot of this. So we’re going to talk about, like, writing rules and things in just a moment, but

wouldn’t I already support this by just writing some rules that look for whatever, like, IoT traffic I’m expecting? Or is there something more to this than just that?

Victor Julien (13:54) So in general, the rule language is generic enough that you can express most things in a generic way in the rule language. But what we’ve learned is that, for various reasons, it’s better to have protocol decoders for those specific protocols, like Modbus, for example, or there’s a whole suite of them.

This is usually better for accuracy but also for performance, because just inspecting all the traffic for some pattern that may or may not be some kind of operation on a…

ICS protocol is quite expensive. If we can sort of first detect that we’re talking about Modbus and then sort of parse the protocol so that we know exactly what bit and byte it means, like some kind of operation, then it’s much better for both accuracy and performance.

Josh Bressers (14:52) Okay, that’s fair. And

if I’m writing rules, my rule becomes much simpler if the protocol has been decoded. Okay, that makes sense. Okay, okay, I like it. All right, so rules, let’s talk about rules. Like, rules I feel like are the heart and soul of the whole Suricata universe.

Victor Julien (14:59) Yeah, absolutely.

Yes, I think they’re very important, although I think we’ve also seen a lot of people not really use many rules, or rules at all. I think about, well, when was it when everyone got excited about the ELK stack some years ago? There was also a big shift on our end to produce much more metadata, because people got really excited about post-processing it and sort of getting the value more

in the post-processing and less in the alerts. But yes, rules are very important. There are various rule vendors in our space. We have one big rule set, the Emerging Threats rule set, which is an open source rule set where you have thousands of rules that you can…

using your sensor to look for all kinds of bad activity, essentially. And there’s quite a big community of rule writers. They are a little bit outside of our project. We’re more like the plumbers that built the engine, and the other, sort of the analysis and…

threat hunting and rule writing community is sort of adjacent to us, I suppose. We are, so OISF itself is not providing a rule set; we are just providing you with the engine, and you can pick a rule set that you like.

Josh Bressers (16:44) I mean, I think that’s the magic of open source though, right? Is the fact that you don’t have to own everything happening. I feel like if I’m an open source project, especially the kind of project like Suricata, having another community of people that exists, and that you have nothing to do with necessarily, that is writing the rules. ’Cause I mean, from my perspective, I see, like, I follow a lot of infosec nerds on Mastodon, for example, and a bunch of them talk about Suricata, writing Suricata rules, all the time. And it’s very…

I love it. And I know they’re not technically part of Suricata, right? From a development perspective, but that’s still an amazing way to contribute to the community, which is like, that is open source, right?

Victor Julien (17:23) Yeah, that gets me really excited as well. If that all kind of comes together and it works, that’s really great. I’m super grateful to be sort of part of that community and help it sort of thrive, I guess.

Josh Bressers (17:26) Yeah, yeah.

Yeah.

Yes, it’s, it is. I feel like if I was, I mean, I don’t run any large open source projects. I have a GitHub, you know, filled with half-dead things, but, like, let’s talk about that for a moment. ’Cause I think we often don’t discuss, like, the challenges and what it’s like to run a, we’ll say a large successful open source project. I mean, you know, I know you mentioned

Victor Julien (17:47) Yeah

Josh Bressers (18:03) I think we hit record when you were, I can’t remember if this was before or after, but you mentioned, though, you have, like, this huge list of technical things you want to work on, right? But as someone who’s maintaining a large open source project, I have a suspicion working on technical things is not your primary job anymore, is it?

Victor Julien (18:10) Mm-hmm.

I think actually it probably mostly still is, like maybe about 50/50. I manage the team and other sort of non-development things, and then the other time I can still spend on actual development. So I’m still quite happy with that. We shouldn’t grow too much, so that I can stay in my happy zone. I think one of the things that many open source projects are struggling with is lack of funding and

Josh Bressers (18:22) Yeah?

Okay, okay.

Nice.

Yes.

Victor Julien (18:48) sort of, and so lack of time, essentially. And years ago, when Heartbleed happened with OpenSSL and everyone realized that the whole internet worked on Open

SSL, and these people could barely sustain themselves. That was very embarrassing for everyone, essentially. So from our side, I think one of the things that we’ve done well with OISF is that we’ve created this organization from the start to work with the industry, work with vendors, and so also have the funding to actually just do this full-time, and not alone, with a team and with support

around

us and with the QA, we have a QA department and things like that. It feels a lot, I guess, maybe safer is the word, like that we can actually focus on the development without having to worry too much about, you know, our day job, right?

Josh Bressers (19:56) Yes. That’s a huge

thing. And so for anyone listening who doesn’t know, I talked to Kelley Misata. It’s been a long time. It’s been half a year at least, I think. And Kelley is, I forget her title, but she’s basically in charge of the OISF foundation, which I think that stands for foundation. But she goes into all this, like what it’s like to run a foundation and the challenges and fundraising and everything. And I know one of the things that she brought up was just the fact that you have to, you know,

this is people’s livelihoods. You have to make sure you can pay them. Right. It’s part of the challenge. You can’t just, like, it’s not like running a startup where you just hire as many people as you could possibly afford and hope you get more money next quarter or something. Like, it’s not like that, which is good though. Right. I mean, that makes sense. And it’s also why I think Suricata is sustainable, you know, for what, 15 years, which is amazing.

Victor Julien (20:46) Yeah, I agree. And Kelley is doing a fantastic job. Her title is executive director, I think. But yeah, so she’s in charge of the organization and does a phenomenal job of making sure that the lights stay on and we can all, all us geeks can be in our happy zone and geek out. And yeah, so that’s fantastic.

Josh Bressers (20:53) Okay.

Right. Okay.

So let’s talk about the geek part, because I don’t want to dwell. The foundation aspect is immensely important, but I’m actually more interested in, like, what is it? What does a day look like, Victor? Where you’ve got, you know, there’s pull requests, you’re writing code, there’s planning for the future. Like, how do you wrangle all this stuff with an open source project? Because, you know, you’ve got patches coming in from random people. You’ve got

people on your team who might be working on an actual planned feature. Like, you never know what’s gonna show up tomorrow, right?

Victor Julien (21:37) Mm-hmm. Yep. Yeah. So I guess, as you described, there’s a lot going on at the same time. We have a massive list of tickets, for example, like most projects, and I think the list only grows. There is a list of pull requests that we, I think we’re staying on top of reasonably well. So our workflow is generally around GitHub. The team…

contributes or pushes code through GitHub just like contributors would. We do public review. We have our CI pipelines. So we have this whole workflow there of how the development works. Indeed, there’s lots of conversations in the team about planning and all that kind of stuff.

Yeah, so I guess I’m just kind of rambling. We also have the QA. There’s a public part to everything and there’s a private part to everything. So most happens in public, essentially everything that can be. But in private we have another

Josh Bressers (22:39) No, no, this is great.

Victor Julien (23:02) sort of development environment for private issues, if there’s security issues, and then there is QA that runs on sort of more sensitive, or at least not non-private, sort of no private data. So there’s a hidden part, I guess, as well, but it’s only hidden because it needs to be. We’re as much as possible open in our workflows.

Josh Bressers (23:29) Yeah, yeah. And I mean, I guess the security angle is one I often take for granted, but a tool like Suricata, if you have a security vulnerability, that’s going to be devastating to someone’s infrastructure. It is in the middle of it all.

Victor Julien (23:44) Yeah, it’s usually at some point of privilege and visibility. So we try really hard to make sure it’s as safe as we can do. As you may know, Suricata is mostly written in C. It was started in C.

About, I think, six, seven years ago, we started introducing Rust. This was based on a community suggestion. So at SuriCon, I forget which year it was, but Pierre Chifflier, he’s a French contributor to Suricata. He had done a lot of research into safer languages, and so he presented his results. Like he said, there’s this new thing called Rust. It’s great. It’s perfect

for this type of application, and I suggest you guys start using it, not really expecting that we would actually agree. And we looked at what he was doing and we said, well, this sounds like a great idea. And he had this big pull request with it, and we said, but the problem with this pull request is that it’s far too advanced for our understanding of Rust at this point. So essentially what ended up happening is that, based on his suggestions, we kind of redid most of his work, not because it was bad, actually it was very

good, but it was just too advanced for us to review it and understand it, so we started sort of redoing it and learning a

involved with that process as well. And so today I think we’re getting close to 25% of our codebase being in Rust, and there’s not necessarily a goal that we fully replace C, but we do have the goal of making sure that all our

handling of untrusted input, which is almost all input, is done by Rust eventually. And so that’s one of the things, one of the ways that we try to make Suricata safer. Other than that, we do things like fuzzing, and we have lots of code analysis tools and all kinds of things. And then we also have a way to report security vulnerabilities,

Josh Bressers (25:37) Thanks

Victor Julien (25:57) because we have them just like everyone else. We make mistakes, and then we’ll handle those as well.

Josh Bressers (26:05) Yeah,

yeah, for sure, for sure. Okay. All right. We’re kind of, we’re coming to my last couple of questions. And the first one is why the meerkats? Like what’s the story behind the meerkats? I love them, but I’m curious. Like how’d you end up there?

Victor Julien (26:11) Sure.

Ha ha.

Yeah, when we started this whole effort, so Matt and Will and I, Matt was at the time also leading the Emerging Threats project, the rule set, which was at the time still just a pure open source effort. Later it became a company and that got acquired and all that.

But at the time it was just Emerging Threats. So the first code that I wrote had a code name called vips, which was Victor’s IPS. That was just, but that was a temporary name, obviously, and then, enough. Yeah, it would have been nice. And then for a while we thought, well, maybe we should call it like Emerging IPS or IDS, like closer to the Emerging Threats project. But at some point we decided we didn’t want

Josh Bressers (26:56) Awesome. It’s a shame it didn’t stick,

Victor Julien (27:13) And then all the open source projects had cute mascots and all these things. So we started looking for a mascot and then we saw the meerkat, which is an animal that is in large groups, mobs as they are called, and they’re always on guard and all that.

It felt like fitting. And then we looked up the Wikipedia page and it’s like, Suricata, Suricata. And it’s like, could Suricata be the name? And it’s like, it kind of felt right. And that’s how we selected the name.

Josh Bressers (27:47) That’s awesome. Good.

Cool. It’s, I love asking this question, because you never know what you’re going to get. Sometimes, like your explanation, it has a logical path to it. And oftentimes it’s like, we just made it up. Cool. All right, man. So, so I could, I could ask you like a million questions, Victor, but I don’t want to, just because I know your time is valuable. But let’s, let’s say for anyone listening who might be interested in maybe using Suricata or getting involved in Suricata or kind of wanting to know what’s next. I know there’s

Victor Julien (28:02) Yeah.

Josh Bressers (28:20) there’s commercial entities, there’s opportunities for them to, you know, join OISF and get involved in things like that. So why don’t you kind of lay out for us, like, what’s next for anyone listening? What, what should we do after we’re done, you know, with this podcast episode?

Victor Julien (28:36) Yeah, well, if you haven’t used Suri yet, just go to our website or to the YouTube channel if you want to learn more. If you’re already a user and you want to connect more with the community, then there’s a Discord server. And of course, every year we do SuriCon, the user conference. If you’re able to travel and meet the team in person, that’s great. We just had it last year in…

in Montreal, in Canada. Next year we’ll be in Lisbon, in Portugal. So that’s a great way to connect both with the team and with the community. If you’re more a or you want to contribute documentation, then you can look at coming to our GitHub, and we have lots of documentation about how to contribute, and through the chats we can help you sort of with that process.

Yeah, I think those are all great starts, and we’re happy to get newbies and advanced users. Everyone is welcome. We all started as a newbie, so everyone has to learn and start somewhere. It’s a fairly complex tool, and so it’s not something that most people will just get immediately.

Josh Bressers (29:45) Yes.

Victor Julien (30:00) Yeah, so expect a little bit of work that you have to do, we’re happy to help.

Josh Bressers (30:06) Yeah. Yeah. And

I will add, so your content, like your YouTube content especially, is very good. And there are literally millions of getting started guides the community has created on using Suricata. Like, while yes, it is complicated, it is probably one of the most approachable complicated tools that exist on the planet, which is a very cool problem to have. Right. Okay.

Victor Julien (30:26) you

Yeah, well

we’re also trying to be better in that. We started mostly as an expert tool, and I think we want to be a bit more approachable and get better usability of the interface and all that documentation.

Josh Bressers (30:47) That’s fair, and that’s great. Okay, so last question, Victor, is what’s next? What are the things you see coming in the future that excite you that you think we’d be interested in?

Victor Julien (30:58) So what’s next is, in general, I guess, part of it is kind of a little bit boring, because it’s more of the same, which is more protocols, more keywords, more outputs, more integration with capture methods and all that.

Josh Bressers (31:08) You

Victor Julien (31:16) Personally, I’m quite excited about our expansion of the library interface and the plugin interface, so that we can get hooked into more tooling. So that’s one thing. So we just had SuriCon, we had the brainstorm session there, and together with the team we’re still finalizing the roadmap for our next major version.

So we’ll be publishing that. So pretty much we do a major version every two years. We just had one just last July, I believe. So about a year and a half from now, we’ll have the next major version and we’re still finalizing the roadmap. But yeah, we want to essentially make rule writers happier. We want the performance to be better. We want modern protocols to be added and yeah.

Just, and whatever people bring to us. Like, some of the biggest things, like our JSON output, have been brought to us by contributors; the Rust support I just mentioned. Like, major changes in direction in a project have been brought to us by contributors. So we’re very open to working with anyone with good ideas, essentially.

Josh Bressers (32:32) That’s awesome. Yeah. Yeah. I mean, open source, man, it works. It’s great. Yes. Yes. Okay. Victor, this has been an absolute treat to have a chat with you. I want to thank you so much. And I cannot wait for the next time you come on and tell us all about the new cool stuff you’re working on.

Victor Julien (32:36) I love it.

Well, thank you for having me.

Happy to come back. Thank you.