Suricata Language Server 2.0: Major Update for Ruleset Management (Free and Open Source!)

dmarkdurrett · March 19, 2026, 12:41pm

Hey everyone,

We at Stamus are excited to announce version 2.0 of the Suricata Language Server (SLS)! This is a major update featuring workspace-wide analysis, intelligent conflict detection, and a complete architectural modernization. As a free and open source tool, SLS 2.0 brings powerful new capabilities to help detection engineers manage large Suricata ruleset deployments more efficiently.

Here is what’s new and what it means for your workflow:

Workspace Intelligence & Conflict Management

The core focus of this release is improving how SLS manages large rulesets across an entire editor workspace (VS Code, VSCodium, Neovim):

Workspace-Wide SID Conflict Detection: SLS 2.0 now tracks all Signature IDs (SIDs) across your entire workspace and automatically detects conflicts between files. When you edit a rules file, you instantly see warnings if any SIDs collide with signatures in other files, ensuring you never accidentally duplicate a SID.
- It also proposes the next available SID during completion based on the workspace, if available.
Automatic Diagnostic Refresh: The language server automatically analyzes all .rules files, updates the SID conflict cache, and refreshes diagnostics when you add or remove workspace folders, eliminating manual file reloads.
On-the-Fly Analysis (No Save Required): Get syntax validation and diagnostics immediately while drafting new signatures, as the server validates the buffer content in real-time.

AI-Assisted and Workflow Features

AI Agent Skills: We have published a series of AI Agent skills that leverage SLS to help you write and explain complex Suricata signatures. These generated signatures are automatically checked for syntax and performance, following defined guidelines. You can explore usage on the Stamus AI Tools repository.
Github Action to Check Signatures: SLS 2.0 introduces a Github action that verifies signatures in a repository. This action (suricata-rules-check) can be configured to fail a build on syntax errors or warnings.
Deprecated Keyword Highlighting: To aid migration, the content modifier (deprecated in Suricata 7.0+) is now visually marked with a strikethrough in your editor.

Performance and Architecture

3x Performance Boost: Workspace scanning now uses multi-threaded processing, cutting analysis time for large rulesets (e.g., 100 files) from approximately 8 minutes down to around 2 minutes.
Architectural Migration: The codebase has been fully refactored to use pygls 2.0+ for improved reliability and better integration across editors.

How to Get SLS 2.0

To get the latest version, simply upgrade via pip:
pip install --upgrade suricata-language-server

SLS 2.0 works out of the box with VS Code, VSCodium, and Neovim—just open a folder as your workspace.

Feedback & Contribution

We’d love to hear how you’re using SLS 2.0 and what you think of the new features!

Star the project on GitHub
Found a bug or have a feature request? Open an issue
Have questions or feedback? Reach out to the community on Discord
Read the blog from @Eric_Leblond about the release on the Stamus website