Dear Suricata Team,
I am reaching out with an urgent request from real-world practice.
The current rule management in Suricata (e.g., as integrated in OPNsense) is barely usable for administrators in day-to-day operations.
Current issues from a user perspective:
- The interface displays only SID numbers or hard-to-read rule texts.
- There are no clear-text descriptions, no information about affected systems, severity, or relevance.
- Many rules are likely outdated, but there’s no indication of this.
- There’s no way to search for “recent exploits” or prioritize rules.
A real-world example from my installation with the “exploit” category enabled looks like this:
2000048 ET EXPLOIT CVS server heap overflow attempt (target Linux)
2003378 ET EXPLOIT Mobile Backup Service Stack Overflow
2010375 ET EXPLOIT Oracle ctxsys.drvxtabc.create_tables SQL Injection
I cannot tell which of these is critical or outdated. I also don’t know if they even apply to my network. Even as an advanced user, the current interface is almost unusable without external research.
My suggestion for improvement:
A user-friendly rule interface that includes:
- Clear-text description (msg) visible at first glance
- Links to CVEs or Exploit-DB entries
- Rule publication date
- Severity rating (e.g., High / Medium / Low)
- Affected systems (e.g., Windows, Linux, Network, etc.)
- Sorting and filtering options (e.g., “show only current exploits”)
The goal:
An administrator should be able to see at a glance:
- What is being blocked
- How dangerous the rule is
- Whether it applies to their network
- Whether the rule is outdated or still relevant
I believe many administrators share these difficulties. Suricata is technically powerful – but the user interface for rule management is currently a major weakness. I sincerely hope you will consider improving this area.
Thank you for your continued work on Suricata.
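Most of the fields requested in the post above (the msg text, CVE references, creation date, severity and affected product) are already carried inside Emerging Threats rule lines as `reference:` and `metadata:` keywords, so a defender can build the "at a glance" view locally until the UI offers it. The following script is an added illustration, not part of the original post and not code from the Suricata or OPNsense projects. It parses Suricata rule lines, pulls out those keywords and returns a summary that can be filtered by minimum severity, creation date and affected product. The rule lines in it are constructed samples with made-up SIDs and messages, not real ET signatures, and the metadata key names it looks for (`created_at`, `signature_severity`, `affected_product`) are an assumption about the feed you load; the severity ordering is likewise assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample rules: SIDs, messages and metadata values are made up
# for this example. Only the option syntax is Suricata's.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"EXAMPLE EXPLOIT Fictional CVS heap overflow attempt"; flow:to_server,established; content:"|41 41 41 41|"; reference:cve,2000-0001; classtype:attempted-admin; sid:9000001; rev:3; metadata:created_at 2004_06_15, updated_at 2010_07_30, signature_severity Major, affected_product Linux;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"EXAMPLE EXPLOIT Fictional Oracle SQL injection"; flow:to_server,established; content:"create_tables"; nocase; reference:cve,2009-0002; reference:url,example.invalid/advisory; classtype:web-application-attack; sid:9000002; rev:2; metadata:created_at 2009_11_03, signature_severity Critical, affected_product Oracle;)
# a comment and a disabled rule must be skipped by the parser
#alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE EXPLOIT Fictional Windows service stack overflow"; content:"|90 90 90 90|"; sid:9000004; rev:1; metadata:created_at 2022_02_10, signature_severity Informational, affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
'''

# Assumed ordering of the ET signature_severity values (low to high).
SEVERITY_RANK = {"Informational": 0, "Minor": 1, "Major": 2, "Critical": 3}

# action, proto, src, sport, direction, dst, dport, then the option block
RULE_RE = re.compile(
    r"^\s*(alert|drop|reject|pass)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$"
)


@dataclass
class RuleSummary:
    sid: int
    rev: int
    msg: str
    classtype: str = ""
    references: List[str] = field(default_factory=list)
    metadata: Dict[str, str] = field(default_factory=dict)

    @property
    def cves(self) -> List[str]:
        # reference:cve,2009-0002 -> CVE-2009-0002
        return ["CVE-" + r.split(",", 1)[1] for r in self.references if r.startswith("cve,")]

    @property
    def created_at(self) -> str:
        return self.metadata.get("created_at", "").replace("_", "-")  # YYYY-MM-DD

    @property
    def severity(self) -> str:
        return self.metadata.get("signature_severity", "Informational")

    @property
    def affected_product(self) -> str:
        return self.metadata.get("affected_product", "unknown")


def split_options(body: str) -> List[str]:
    """Split the option block on ';' while respecting quoted msg/content values."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote and i + 1 < len(body):  # keep escaped chars inside quotes
            buf.append(c); buf.append(body[i + 1]); i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> Optional[RuleSummary]:
    """Return a summary for one active rule line, or None for comments/disabled/malformed lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    fields: Dict[str, object] = {"references": [], "metadata": {}}
    for opt in split_options(m.group(3)):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            fields["msg"] = val.strip('"')
        elif key == "sid":
            fields["sid"] = int(val)
        elif key == "rev":
            fields["rev"] = int(val)
        elif key == "classtype":
            fields["classtype"] = val
        elif key == "reference":
            fields["references"].append(val)
        elif key == "metadata":  # "key value, key value, ..."
            for item in val.split(","):
                kv = item.strip().split(None, 1)
                if len(kv) == 2:
                    fields["metadata"][kv[0]] = kv[1]
    if "sid" not in fields or "msg" not in fields:
        return None
    return RuleSummary(sid=fields["sid"], rev=fields.get("rev", 1), msg=fields["msg"],
                       classtype=fields.get("classtype", ""),
                       references=fields["references"], metadata=fields["metadata"])


def load_rules(text: str) -> List[RuleSummary]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def prioritise(rules: List[RuleSummary], min_severity: str = "Informational",
               created_since: str = "", product: str = "") -> List[RuleSummary]:
    """Filter by severity floor, creation date and product substring; sort most urgent first."""
    floor = SEVERITY_RANK.get(min_severity, 0)
    chosen = [r for r in rules
              if SEVERITY_RANK.get(r.severity, 0) >= floor
              and r.created_at >= created_since
              and product.lower() in r.affected_product.lower()]
    return sorted(chosen, key=lambda r: (-SEVERITY_RANK.get(r.severity, 0), r.created_at), reverse=False)


if __name__ == "__main__":
    for r in prioritise(load_rules(SAMPLE_RULES), min_severity="Major"):
        print(f"{r.sid}\t{r.severity:<13}{r.created_at}\t{r.affected_product:<10}"
              f"{', '.join(r.cves) or '-'}\t{r.msg}")
```

Point `load_rules` at the text of your deployed rules file (for OPNsense, the installed `.rules` files) and the output gives the SID, severity, creation date, affected product, CVE and msg on one line, so rules with no `metadata:` block at all stand out as candidates for review. Note that `created_at` is the signature's creation date, not the date of the vulnerability, so "outdated" still needs a human judgement about the product inventory.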