
Suricata Rule Syntax Checking

Syntax checking identifies syntax errors and, perhaps more interestingly, also provides warnings about performance issues as well as hints to help the rule writer.

Suricata Rule Auto-Completion

The second key feature is auto-completion. It is driven by a direct link to the documentation, as the page's screenshot of a Neovim editor using SLS (Suricata Language Server) shows:

[Screenshot: Stamus Labs - Suricata Rule Auto-Completion]

Suricata Rule Performance Guidance

SLS also provides real-time performance guidance to the rule writer. It does so with feedback from the Suricata engine and with logic implemented in SLS itself. Performance guidance includes hints such as information about automatic Suricata fast pattern selection and warnings about potentially serious performance issues caused by a rule that only has a PCRE regular expression.

NEW with 2.0: Workspace-Wide SID Conflict Detection

SLS 2.0 tracks signature IDs (SIDs) across your entire workspace and instantly flags conflicts between files — before they become problems in production.

  • Cross-file awareness: Never accidentally duplicate a SID across your ruleset
  • Parallel analysis: Multi-threaded workspace scanning runs 3–4x faster than sequential
  • Real-time updates: Conflict warnings appear as you type, no save required
  • Smart completions: SLS now proposes the next available SID based on your entire workspace
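
What a cross-file SID conflict looks like, as an added example (not SLS's own code): a regex-based scan over a constructed two-file workspace that reports duplicated SIDs and proposes the next one. The `WORKSPACE` contents and all function names are hypothetical, and "next available" is assumed to mean the highest SID plus one.

```python
import re
from collections import defaultdict

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')        # quoted option values (msg, content, ...)
SID = re.compile(r'[;(]\s*sid\s*:\s*(\d+)\s*;')  # the sid option itself
# Constructed sample workspace: file path -> file text.
WORKSPACE = {
    "rules/web.rules": (
        '# local web rules\n'
        'alert http any any -> any any (msg:"Constructed: admin path"; '
        'http.uri; content:"/admin"; sid:1000001; rev:1;)\n'
        'alert http any any -> any any (msg:"Constructed: sid:1000003; in msg"; \\\n'
        '    http.uri; content:"/login"; sid:1000002; rev:1;)\n'
    ),
    "rules/dns.rules": (
        '#alert dns any any -> any any (msg:"disabled"; sid:1000002; rev:1;)\n'
        'alert dns any any -> any any (msg:"Constructed: test domain"; '
        'dns.query; content:"example.test"; sid:1000001; rev:2;)\n'
    ),
}

def iter_rules(text):
    """Yield (first_line, rule), skipping comments and joining '\\' continuations."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not buf and (not s or s.startswith("#")):
            continue                      # blank line or commented-out rule
        start = start or n
        if s.endswith("\\"):
            buf += s[:-1] + " "           # rule continues on the next line
            continue
        yield start, buf + s
        buf, start = "", None

def collect_sids(workspace):              # SID -> every (path, line) defining it
    seen = defaultdict(list)
    for path, text in workspace.items():
        for lineno, rule in iter_rules(text):
            m = SID.search(QUOTED.sub('""', rule))  # ignore "sid:" inside strings
            if m:
                seen[int(m.group(1))].append((path, lineno))
    return seen

def conflicts(seen):
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

def next_free_sid(seen):
    return max(seen, default=0) + 1       # assumption: highest SID in workspace + 1
```

On the sample data, `conflicts(collect_sids(WORKSPACE))` reports SID 1000001 in both files, while the commented-out rule and the `sid:` text inside a `msg` string are ignored.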

 


NEW with 2.0: AI Agent Skills to Write and Explain Signatures

SLS 2.0 pairs with Stamus AI Tools to bring AI-assisted detection engineering directly into Claude Code. Install the plugin, activate the suricata-rules:writer skill, and the agent generates Suricata signatures that are automatically validated by SLS for syntax and performance — following community best practices.

The companion explain skill breaks down existing signatures in plain language, with links to relevant Suricata documentation.

NEW with 2.0: Validate Signatures in Your CI/CD Pipeline

Detection engineering belongs in version control. SLS 2.0 introduces a GitHub Action that validates your Suricata signatures on every push — configurable to fail on syntax errors, performance warnings, or both. Catch bad rules before they ever reach production.

NEW with 2.0: Real-Time Validation Without Saving

SLS 2.0 validates your rules directly from the editor buffer as you type — no save required. Get instant syntax and performance feedback while drafting new signatures.

Additionally, deprecated keywords like the legacy content modifier (deprecated in Suricata 7.0+) are now visually marked with strikethrough styling, making rule modernization effortless.

Join the Community Discussion

Have questions about the new workspace features or AI tools in SLS 2.0?

Want to contribute to the project?

Open your pull request on the project's GitHub repository.

Or join the discussion on our Discord server.
