Choosing the best Suricata version for AI-driven IDS on RPi 5 (16GB RAM)

Hello everyone,

I am currently developing a security system based on Suricata running on a Raspberry Pi 5 (16GB RAM). The goal is to build an IDS that uses Suricata not only for signature-based detection but also as a high-fidelity data source for a Machine Learning (AI) model aimed at detecting Zero-Day attacks.

I’m debating between Suricata 7.0.x (Stable) and the newer Suricata 8.x.

Since I will be feeding the eve.json output into a real-time Python-based ML pipeline for anomaly detection, I have a few specific questions for the experts here:

  1. Stability & Log Consistency: Is Suricata 8 stable enough on ARM64 for a production-heavy project, or should I stick to 7.0.x to ensure consistent log formats for my AI features?

  2. Performance Bottlenecks: To handle the AI processing alongside packet inspection, I’m planning to use an NVMe SSD and Vectorscan (since Hyperscan isn’t natively available for ARM). Are there any other ARM-specific optimizations you recommend for the Pi 5?

  3. Real-time Export: Are there specific eve-log settings (batching, socket-based export) that work best for minimizing latency between Suricata and a Python ML consumer?

Any advice on the architecture or performance tuning for this hybrid (IDS + AI) setup would be greatly appreciated!

Thanks in advance!
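For the third question (real-time export to a Python consumer), here is an added example that is not code from this thread or from the Suricata project: a small consumer that reads newline-delimited eve.json events from either a regular file or an eve-log `filetype: unix_stream` socket and turns `flow` records into fixed-length feature vectors for an anomaly model. The sample events, the socket path handling and the feature choice are assumptions for illustration.

```python
import io, json, math, socket
from datetime import datetime
from typing import Iterator, List, Optional, TextIO

# Constructed sample events in eve.json shape (not from a real sensor); the last
# line is deliberately truncated, as happens when tailing a file mid-write.
SAMPLE_EVE = """\
{"event_type":"flow","proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1200,"bytes_toclient":9000,"start":"2024-01-01T00:00:00.000000+0000","end":"2024-01-01T00:00:02.000000+0000"}}
{"event_type":"stats","stats":{}}
{"event_type":"flow","proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,"start":"2024-01-01T00:00:01.000000+0000","end":"2024-01-01T00:00:01.500000+0000"}}
{"event_type":"flow","proto":"TCP"
"""
def read_events(stream: TextIO) -> Iterator[dict]:
    """Yield one parsed event per line; skip blank or incomplete lines."""
    for line in stream:
        line = line.strip()
        if line:
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue  # partial line: the rest arrives on a later read
def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")
def flow_features(ev: dict) -> Optional[List[float]]:
    """Map a 'flow' event to a fixed-length numeric vector; None for other types."""
    if ev.get("event_type") != "flow":
        return None
    f = ev["flow"]
    pts, ptc = f["pkts_toserver"], f["pkts_toclient"]
    bts, btc = f["bytes_toserver"], f["bytes_toclient"]
    return [
        (_ts(f["end"]) - _ts(f["start"])).total_seconds(),  # duration in seconds
        math.log1p(bts), math.log1p(btc),  # volume per direction, log-scaled
        bts / pts if pts else 0.0, btc / ptc if ptc else 0.0,  # mean packet size
        btc / bts if bts else 0.0,  # toclient/toserver byte ratio
        1.0 if ev.get("proto") == "TCP" else 0.0,
        1.0 if ev.get("app_proto") in (None, "failed") else 0.0,  # no app-layer match
    ]
def features_from_stream(stream: TextIO) -> List[List[float]]:
    return [v for v in map(flow_features, read_events(stream)) if v is not None]
def open_unix_stream(path: str) -> TextIO:
    """eve-log `filetype: unix_stream`: Suricata connects as a client, so listen first."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    conn, _ = srv.accept()
    return conn.makefile("r")
def demo() -> List[List[float]]:
    """Run the pipeline over the constructed sample (a file or socket stream works the same)."""
    return features_from_stream(io.StringIO(SAMPLE_EVE))
```

For a live sensor, pass `open("/var/log/suricata/eve.json")` (tailing) or `open_unix_stream(path)` to `features_from_stream`; malformed or non-flow lines are dropped rather than stalling the consumer.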

7 is approaching EOL, so new projects should be done on 8. Suricata is tested on ARM64, so I’m not expecting any issues here.

Thank you for the advice!

To be honest, I am still in the testing and prototyping phase, and my top priority right now is maximum stability and ease of configuration. I’ve seen many community discussions suggesting that the 7.0.x branch is currently more mature and stable than version 8 for research-heavy projects like this.

Since I am just starting with the AI/ML integration, I want to avoid the ‘Early Adopter’ headaches and focus on getting the data pipeline right.

If I were to consider Suricata 8 for future-proofing, which specific point release would you say is the most ‘production-ready’ right now? And does version 8 offer a significant performance boost specifically for the Raspberry Pi 5’s architecture that makes the extra configuration complexity worth it?

I’m leaning towards starting with 7.0.15 for its proven track record, but I’m open to your thoughts!

The EOL of Suricata 7 is scheduled for July 2026, so rather soon, see EOL Policy - Suricata which means there will be no more security updates and bugfixes for it. Thus we would highly recommend using Suricata 8 which will be maintained further and is the current stable.

Always stick with the latest point release, as of today it would be 8.0.4 see Download - Suricata

There is not much complexity added by using Suricata 8. It would be even easier to start with the fresh Suricata 8 config instead of migration from an older one. Suricata 8 is not “Early Adopter” stage.


Thank you for the advice!