Writing and validating Suricata signatures shouldn't require wrestling with complex installation procedures before you can even get started. For the past three years, Suricata Language Server has brought IDE-quality features -- syntax checking, auto-completion, and performance hints -- directly into your favorite editor by leveraging Suricata's own analysis engine. But there's been a catch: you needed a working Suricata installation on your system, which could be a significant barrier depending on your operating system and environment.
Today, we're excited to announce Suricata Language Server 1.1.0, which introduces container mode—a game-changing feature that lets you skip the local installation entirely if you have Docker available. Named 'Fluctuat nec mergitur' in remembrance of the November 13, 2015 attacks in Paris, this release makes signature development more accessible than ever.
The initial version of Suricata Language Server was published around 3 years ago and it has evolved -- from a features perspective -- without changing the overall architecture.
As a Language Server Protocol implementation, it provides in your favorite editor with syntax checking, completion and performance hints when editing Suricata signatures.
And it does so by using Suricata to get real world analysis. Due to the history of the signature syntax that was inherited from Snort and has evolved over more than 10 years, the syntax checking from an external code base would be mostly full of errors.
As a consequence, all versions up to Suricata Language Server 1.0.0 were using the same technique which was to use a locally-installed instance of Suricata to analyse the buffer containing the signatures. This was powerful because even custom versions of Suricata were supported. Unfortunately, installing Suricata on the operating system was something that could be painful.
Suricata Language Server 1.1.0 enhances this significantly by introducing a container mode where the Suricata commands are run inside a container. Currently this only supports Docker containers, but alternative container implementations will be added soon.
The usage is quite simple as for Visual Code and Codium users, they can just check the `container` checkbox.
A specific image can be selected via the `--image` flag so a specific version of Suricata can still be selected. Please note that Suricata Language Server will suppose that an entry point compatible with the one used on jasonish/suricata image is available.
For example, to use Suricata 7.0.13, you can use the following Neovim configuration:
```lua
local suricata_ls_cmd = {'suricata-language-server','--container', '--image=jasonish/suricata:7.0.13'}
vim.lsp.config('Suricata LS',
{
cmd = suricata_ls_cmd,
filetypes = {'suricata', 'hog'};
single_file_support = true;
settings = {};
on_attach = on_attach,
}
)
vim.lsp.enable('Suricata LS')
```
As the container is pulled dynamically, the initialization of Suricata Language Server can take time. So the server
will now warn the editor when it is ready. This can be seen below.
The displayed neovim configuration uses `lualine` plugin with the `lsp_status` option:
```lua
require('lualine').setup {
options = {
theme = 'material',
icons_enabled = true,
extensions = {'nvim-tree'},
};
sections = {lualine_a =};
}
```
Suricata Language Server 1.1.0 represents a significant step forward in making signature development more accessible. By introducing container mode, we've eliminated one of the primary friction points -- local Suricata installation -- while maintaining the powerful real-world analysis capabilities that set this tool apart from syntax-only checkers. Whether you're using Visual Studio Code, Neovim, or another LSP-compatible editor, getting started with accurate Suricata signature validation is now as simple as having Docker installed.
With support for additional container implementations on the roadmap, we're committed to making Suricata signature development smoother and more efficient for security practitioners everywhere. Download version 1.1.0 today and experience the difference container mode makes in your workflow.
To download this latest version, please visit the SLS GitHub repository here>>
And to engage the open source community about this and other Suricata tools developed by Stamus Networks, please join the discussion on Discord here >>