Suricata 8: Always evolving, constantly improving!

Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.

The Suricata 8 release was just announced two weeks ago and it is packed with new features and improvements!

Almost two years after the previous major release (Suricata 7.0), and after hundreds of thousands of lines of code additions and changes powered by one of the most active open-source communities, with thousands of users and developers, Suricata 8 is finally out.

Suricata has been at the forefront of innovation and community collaboration since its inception in 2008, starting with native multithreading capabilities. Since then it has evolved into an indispensable part of any network security monitoring stack.

It is one open-source tool that provides the four major types of network security monitoring data: alerts, protocol and flow transaction logs, extracted files, and pcap, all delivered with industry-leading performance.

WHAT’S NEW

Let’s have a very high-level sneak peek into Suricata 8!

This is a major release, containing many groundbreaking new features in all aspects of Suricata usage, including deployment, integrations, performance, and detection.

LIBRARY

One of the big additions in Suricata 8 is the possibility to use Suricata as a library. This makes it easy for library users to bring their own packets and threads. New application protocol parsers, loggers, and detections (keywords) can now also be dynamically registered at runtime. This allows for application layer plugins or easier registration of custom application layers for library users, and thus makes very flexible customizations and integrations possible for vendors or custom engineering teams. That, in turn, speeds up adoption and integration and allows for a higher level of customized deployment wherever needed.

RUST

The Rustification of the Suricata code continues in full swing, and many more protocols and keywords are now in Rust. A major change is that LibHTP has been moved to Rust. This provides more security and robustness to any Suricata deployment, as Suricata is tasked with inspecting and analyzing any traffic it sees. As such, it needs to account for and handle any situation, including non-RFC-compliant traffic, benign or malicious alike. This is where a big part of the team effort was also spent in order to provide more security for the engine.

LUA

Lua support has been completely overhauled. With Suricata 8, Lua scripting can be used regardless of OS version. This eases the deployment and scripting requirements and makes it possible to use Lua in any detection, logging or integration scenario.

PROTOCOLS

This release boasts 8 new protocol additions that include both detection and output/logging capabilities for increased visibility. The new additions are:

  • Websocket support
  • LDAP support
  • ARP: decoder and logger
  • DNS over HTTPS (DoH)
  • SIP: parse traffic over TCP
  • SDP: parse traffic over SIP
  • POP3: decoder and logger
  • Multicast DNS (mDNS)

KEYWORDS

The biggest addition of keywords to the rule language in any major release so far: Suricata 8 comes with 107 new keywords. This is about a 38% increase over the previous major Suricata 7 release. Those additions allow for further improvement of the detection capabilities without sacrificing performance. Many of those new detection keyword capabilities provide innovative possibilities.

A small example is the new entropy and luaxform keywords, which can be used on any sticky buffer. That is on top of the entropy logging output, which is there by default. You can read more about the entropy logging and detection capabilities in the blog here.
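To make the entropy idea concrete, here is an added example (not code from the Suricata project) computing Shannon entropy in bits per byte over a buffer, optionally restricted to an offset/length window, and applying a threshold the way a detection check would. The function names, the `offset`/`nbytes` parameters and the sample buffers are this example's own assumptions; the keyword's actual option syntax is in the Suricata 8 documentation.

```python
import math
from collections import Counter
from typing import Optional


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte buffer, in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    total = 0.0
    for count in Counter(buf).values():
        p = count / n
        total -= p * math.log2(p)
    return total


def entropy_of_window(buf: bytes, offset: int = 0, nbytes: Optional[int] = None) -> float:
    """Entropy over a sub-window of the buffer, mirroring the idea of limiting
    the check to part of a sticky buffer. 'offset' and 'nbytes' are this
    example's own parameter names (assumption, not Suricata's syntax)."""
    end = len(buf) if nbytes is None else offset + nbytes
    return shannon_entropy(buf[offset:end])


def exceeds_threshold(buf: bytes, threshold: float,
                      offset: int = 0, nbytes: Optional[int] = None) -> bool:
    """Detection-style check: True when the window's entropy is above the threshold.
    Encrypted, compressed or packed payloads sit near 8.0; text sits well below."""
    return entropy_of_window(buf, offset, nbytes) > threshold


# Constructed samples (not captured traffic).
READABLE = b"/index.html?page=1&lang=en"   # ordinary URI text, low entropy
RANDOMISH = bytes(range(256))               # every byte value once: 8.0 bits/byte
REPEATED = b"AAAAAAAAAAAAAAAA"              # single symbol: 0.0 bits/byte

if __name__ == "__main__":
    for name, buf in (("readable", READABLE), ("randomish", RANDOMISH), ("repeated", REPEATED)):
        print(f"{name:10s} entropy={shannon_entropy(buf):.3f} "
              f"flagged={exceeds_threshold(buf, 7.0)}")
```

A threshold around 7.0 bits/byte separates the constructed samples cleanly, but on real traffic short buffers cannot reach high entropy at all (a 16-byte window tops out at 4.0), so the window length matters as much as the threshold when tuning such a rule.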

DATA: JSON DATASETS

Since a simple IoC without context is not actually useful, Suricata 8 further enhances the existing datasets feature and introduces context and reference capability for any IoC. This means that a dataset can now have a JSON structure carrying context/reference for any IoC loaded: domain, file hash, IP, URL etc. Further reading is available in this blog.
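As an added illustration of IoCs carrying their own context (example code, not Suricata's implementation), the following loads a newline-delimited JSON indicator list, looks a value up the way an "is the value in the set" check does, and attaches the matched record's context to an alert. The record layout, the key names (`domain`, `source`, `threat`, `ref`) and the sample rows are constructed for this example; the exact on-disk format the Suricata 8 dataset keyword expects is in the upstream documentation.

```python
import json
from typing import Dict, Optional


# Constructed sample dataset: one JSON object per line, indicator under 'domain',
# arbitrary context beside it. Layout and key names are assumptions for this
# example, not Suricata's documented format.
SAMPLE_DATASET = """\
{"domain": "update-check.example", "source": "feed-a", "threat": "c2", "ref": "CASE-0001"}
{"domain": "cdn-mirror.example", "source": "feed-b", "threat": "phishing", "ref": "CASE-0002"}

{"domain": "files.example", "source": "internal", "threat": "exfil-staging", "ref": "CASE-0003"}
"""


def load_json_dataset(text: str, value_key: str = "domain") -> Dict[str, dict]:
    """Parse newline-delimited JSON into {indicator: context}.

    Blank lines are skipped. A malformed line or a record without the value
    key is a hard error carrying its line number, so a broken feed fails
    loudly rather than silently dropping indicators."""
    table: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from None
        if value_key not in record:
            raise ValueError(f"line {lineno}: missing {value_key!r} key")
        # Domains are case-insensitive; normalise so lookups do not miss on case.
        indicator = str(record[value_key]).lower()
        table[indicator] = {k: v for k, v in record.items() if k != value_key}
    return table


def lookup(table: Dict[str, dict], value: str) -> Optional[dict]:
    """Set-membership check that also returns the context of the matched IoC."""
    return table.get(value.lower())


def enrich_alert(alert: dict, table: Dict[str, dict], field: str = "dns_query") -> dict:
    """Return a copy of the alert with the matched IoC's context attached under
    'ioc_context' (hypothetical output key) when the chosen field is in the set."""
    ctx = lookup(table, str(alert.get(field, "")))
    if ctx is None:
        return dict(alert)
    return {**alert, "ioc_context": ctx}


if __name__ == "__main__":
    table = load_json_dataset(SAMPLE_DATASET)
    # Constructed alert record, not real Suricata EVE output.
    alert = {"signature_id": 1000001, "dns_query": "Update-Check.example"}
    print(json.dumps(enrich_alert(alert, table), indent=2))
```

The point of keeping the context next to the indicator is that a hit arrives at the analyst already saying which feed it came from, what the indicator is believed to be, and which case or report to consult, instead of a bare "domain X matched".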

TRANSACTIONAL (Bidirectional) RULES

It is now possible to write a single rule covering both transactions/directions of a protocol. For example, instead of writing two rules, one for the request and another for the response, Suricata 8 makes it possible to write one rule for both directions. Please feel free to look at an example in our documentation. This allows for easier and simpler detection logic and gives an advantage to security engineers developing detection.

STATS

The stats produced by the detection and logging engine have been enhanced quite a bit, giving more granular means of discovering deployment, traffic or configuration issues when running Suricata.

CPU AFFINITY

CPU affinity configuration is now much easier. It can be set automatically, or per interface in the configuration, regardless of the CPU architecture/vendor. This allows for much easier and more flexible deployments and lower engineering and upgrade costs.

FIREWALL: NEW MODE OF OPERATION

Suricata’s new firewall mode is an experimental feature to bring firewall capabilities to Suricata.

At the most basic level, it is a more formalized dialect of the Suricata rule language, with a deterministic packet pipeline. Like with other firewalls, it uses a default drop policy. The ruleset is used to define what is allowed to pass.

PERFORMANCE

Suricata 8.0 brings significant performance enhancements across multiple areas of the engine, from detection to rule loading and initialization.

The general detection engine performance was improved through, for example, branch prediction and hash function optimizations. PCAP reading mode can now process files faster thanks to larger read buffers and reduced thread synchronization overhead.

Suricata initialization has been significantly improved, thanks to enhanced port grouping, MPM caching, and optimizations in the IP insertion algorithm.

LEARN SURICATA 8

Want to get the most out of Suricata 8? Join us at SuriCon2025 (Montreal, Canada, November 19-21, 2025). And new for this year: (discounted) bundle ticketing, SuriCon conference plus training!

Choose from three Suricata expert-led courses:

SURICATA UPDATES TO YOUR INBOX

Stay in the loop with the latest from the Suricata project. Our quarterly newsletter includes release announcements, blog posts, tutorials, videos, and updates from the community and development team.

Subscribe today so you don’t miss out.

CONNECT WITH THE GLOBAL COMMUNITY

Suricata is powered by a diverse, global network of developers, defenders, researchers, and partners, from open source contributors to consortium members. Whether you’re writing code, sharing insights, or just getting started, there’s a place for you HERE.

Join the conversation:

Written by Peter Manev, Suricata Evangelist and longtime supporter.
