Most casual Suricata users don’t understand …
There is a wealth of valuable information contained in a Suricata detection event record (aka “alert”). Beginning in 2014, the world’s most popular open-source security engine - Suricata - has included the complete application-layer metadata in every IDS alert record.
So, it’s all there - right in the alert record.
Despite what some vendor marketing implies, if you’ve got Suricata, there is NO NEED to:
- perform any external correlation
- deploy a separate NSM
- waste CPU cycles by combining two detection engines in the same sensor
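To make the point concrete, here is an added example (not code from the article or from Suricata itself) that builds a triage summary from a single EVE alert line, pulling the embedded application-layer block selected by `app_proto` without joining to any separate log; the sample records are constructed for illustration.

```python
import json

# Constructed EVE 'alert' record (sample data, not a real capture). The layout
# follows Suricata's EVE JSON output: flow tuple, the alert object, and the
# application-layer block named by app_proto, all in one line.
SAMPLE_HTTP_ALERT = json.dumps({
    "timestamp": "2024-01-01T00:00:00.000000+0000",
    "flow_id": 1, "event_type": "alert", "proto": "TCP",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "203.0.113.7", "dest_port": 80,
    "alert": {"signature_id": 1000001, "rev": 1,
              "signature": "EXAMPLE suspicious user agent",
              "category": "Potentially Bad Traffic", "severity": 2},
    "app_proto": "http",
    "http": {"hostname": "203.0.113.7", "url": "/update.bin",
             "http_user_agent": "curl/7.0", "http_method": "GET",
             "status": 200, "length": 4096},
})

# Constructed alert on traffic Suricata could not classify: app_proto is
# "failed", so no application-layer block is present in the record.
SAMPLE_UNCLASSIFIED_ALERT = json.dumps({
    "timestamp": "2024-01-01T00:00:01.000000+0000",
    "flow_id": 2, "event_type": "alert", "proto": "TCP",
    "src_ip": "10.0.0.9", "src_port": 40000,
    "dest_ip": "198.51.100.2", "dest_port": 4444,
    "alert": {"signature_id": 1000002, "rev": 1,
              "signature": "EXAMPLE traffic to uncommon port",
              "category": "Misc activity", "severity": 3},
    "app_proto": "failed",
})

def triage_alert(line):
    """Return a triage summary built only from this one EVE line, or None
    when the line is not an alert event (flow, stats, http log, ...)."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        return None
    app_proto = rec.get("app_proto")
    # The application-layer metadata lives under the key named by app_proto;
    # "failed" (or a missing app_proto) means there is nothing to extract.
    app_layer = rec.get(app_proto) if app_proto and app_proto != "failed" else None
    return {
        "sid": rec["alert"]["signature_id"],
        "signature": rec["alert"]["signature"],
        "severity": rec["alert"]["severity"],
        "flow": (rec["src_ip"], rec["src_port"],
                 rec["dest_ip"], rec["dest_port"], rec["proto"]),
        "app_proto": app_proto,
        "app_layer": app_layer,
    }
```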
Read more in this article by Eric LEBLOND: