<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Accelerate Suricata Rule Writing with Suricata Language Server v0.9.0

Writing Suricata rules has never been easier or faster since the release of the Suricata Language Server (SLS), an open-source implementation of the embedded Language Server Protocol for Suricata signatures. The Suricata Language Server adds rule (signature) syntax checking, rule-writing hints, and auto-completion to your preferred editor. By utilizing lesser-known features of the Suricata engine, SLS helps Suricata users write better, more effective, and more advanced rules.

Celebrating One Year of the Suricata Language Server

Stamus-HappyBDay-SLS

One year ago, we released the first beta of the Suricata Language Server to help Suricata users write better rules, and the response was surprising. To date, we have had over 6,700 downloads, and we have received some very positive feedback from users.

With the upcoming release of Suricata version 7.0.0, it was time to make some updates to the Suricata Language Server to ensure users can continue to enjoy an easier, more optimized rule writing experience.

Easy Suricata Rule Writing with Suricata Language Server v.0.9.0

The new Suricata Language Server is optimized for use with the newest version of Suricata, and while it still includes the same features to help with easy rule writing as before — like real-time Suricata rule syntax checking, Suricata rule auto-completion, and Suricata rule performance guidance — there are also some new features that can help users in their Suricata rule writing. In this article, we describe these new capabilities that are included in version 0.9.0, released this week.

Multi pattern matching/fast pattern analysis

The performance of a signature is bound to the number of the times it is evaluated. Suricata uses a multiple pattern matching algorithm on various buffers to only evaluate a signature if there is a partial content match. This limits the full evaluation of a signature to the case where it is likely to match. With v0.9.0, SLS provides MPM analysis information to the user. It warns when a signature has no fast pattern (which means it will be evaluated a lot), and it also warns the user when a fast pattern in a signature is used multiple times (resulting in evaluation of multiple signatures). This last check is performed over all the workspace (so all files in a directory or in a git project are analyzed).

image4

Support for Suricata 7

It is important to note that a change in error reporting for Suricata 7 will break the SLS analysis. The code has been updated to support earlier versions, and will be addressed in the upcoming Suricata release.

Support for configuration file

Suricata-language-server now accepts the use of a configuration file so it can adapt to local changes such as custom variables.

Run from the command line

SLS  can now be invoked from a command line to parse a file and will return the diagnostic results on stdout. This allows SLS to be used in continuous integration workflow or embedded in custom tools that do not support LSP.

image1-1

Under the hood

This version includes an important code refactoring for easier maintenance and contribution and adds unit tests to improve stability over releases.

Happy rule writing

I am hopeful that these new capabilities will make Suricata rule writing more accessible to the novice and will save time and streamline the process for expert rule writers.

Where to Get Suricata Language Server

The Suricata Language Server is available under the GPLv3 license and is hosted on Github. It is also published on Pypi, so a simple pip install suricata-language-server is enough for the installation. Configuration instructions for tested editors are described on the Github page. 

Don’t hesitate to provide us feedback or ask questions if you find this project useful. You can contact us on Discord, use the issue system on Github, or simply send us an e-mail (contact@stamus-networks.com).

 

 

Eric Leblond

Éric Leblond is the co-founder and chief technology officer (CTO) at Stamus Networks. He sits on the board of directors at Open Network Security Foundation (OISF). Éric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata – the open-source network threat detection engine – since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. Eric is a respected expert and speaker on all things network security. Éric resides in Escalles, France.

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO