Suricata Integration

Drop in a Suricata IP dataset backed by the ipinsights.io blocklist and a one-line rule that alerts (or drops) on every hit.

Overview

Suricata supports IP datasets — large external IP lists that rules can match against with the dataset keyword, filling the role an iprep list or an ipset match plays elsewhere. We'll register the ipinsights.io blocklist as a dataset, write two rules (alert on an inbound hit, alert on an outbound hit) and refresh the dataset on a timer.

Prerequisites

  • Suricata 7.x (dataset / datarep support is mature here)
  • Outbound HTTPS to https://ipinsights.io
  • Write access to /var/lib/suricata/rules/ (or wherever your rules tree lives)

Step 1 — Refresh Script

/usr/local/bin/ipinsights-suricata-sync.sh:

#!/usr/bin/env bash
# Refresh the Suricata IP dataset from the IP Insights blocklist.
set -euo pipefail

FEED="https://ipinsights.io/downloads/blocklist.txt"
DEST=/var/lib/suricata/datasets/ipinsights-block.list
TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT

# Fetch the feed and keep only lines that begin with a dotted quad
curl -fsSL --max-time 30 "$FEED" \
  | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
  > "$TMP"

# Refuse to install a suspiciously small (truncated or empty) feed
COUNT=$(wc -l < "$TMP")
[ "$COUNT" -ge 100 ] || { echo "refusing — only $COUNT entries"; exit 1; }

install -m 0644 -o suricata -g suricata "$TMP" "$DEST"

# Live-reload without restarting Suricata: a rule reload re-reads the dataset
# file the rules reference. (The unix-socket command dataset-add takes a single
# value, not a file path, so it is not the way to load a new list.)
suricatasc -c "reload-rules" >/dev/null 2>&1 || systemctl reload suricata
sudo install -m 0755 /tmp/ipinsights-suricata-sync.sh /usr/local/bin/ipinsights-suricata-sync.sh
sudo mkdir -p /var/lib/suricata/datasets
echo '0 * * * * root /usr/local/bin/ipinsights-suricata-sync.sh' | sudo tee /etc/cron.d/ipinsights-suricata
sudo /usr/local/bin/ipinsights-suricata-sync.sh   # first sync now
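The sync script trusts any line that begins with a dotted quad. The following is an added example, not part of the integration's own script, showing the stricter normalisation a practitioner would wrap around the download before install copies it into place: it strips comments and carriage returns, range-checks each octet, drops CIDR and junk lines, de-duplicates, and provides a check that refuses a feed which shrank by more than half against the previously installed copy, since a truncated or empty download should never replace a working list. The feed content is a constructed sample and the shrink threshold is an assumption to tune.

```shell
#!/usr/bin/env bash
# Added example: a stricter normaliser for the downloaded blocklist, run before
# the file is installed as the Suricata dataset. The sync script's grep only
# checks that a line starts with a dotted quad; this also strips CR and trailing
# comments, rejects octets above 255, drops CIDR/junk lines, de-duplicates, and
# flags a feed that shrank sharply against the previously installed copy.
set -u

# Constructed sample of a raw feed download (assumption, not real feed content).
RAW_FEED_SAMPLE='# IP Insights blocklist (constructed sample)
203.0.113.7
198.51.100.23   # trailing comment
203.0.113.7
256.1.1.1
192.0.2.300
192.0.2.44/24
not-an-ip
198.51.100.200
'

# normalize_feed: stdin = raw feed, stdout = one valid, unique IPv4 per line.
normalize_feed() {
  tr -d '\r' \
  | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
  | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($0, o, ".")
      ok = 1
      for (i = 1; i <= 4; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
      if (ok && !seen[$0]++) print
    }'
}

# feed_shrank PREV NEW: true when the new feed has fewer than half the entries
# of the previous one, a sign of a truncated or broken download that should
# not replace the list Suricata is using. A PREV of 0 means no previous copy.
feed_shrank() {
  [ "$1" -gt 0 ] && [ $(( $2 * 2 )) -lt "$1" ]
}

# count_sample: entries the constructed sample normalises to.
count_sample() {
  printf '%s' "$RAW_FEED_SAMPLE" | normalize_feed | wc -l | tr -d ' '
}

printf '%s' "$RAW_FEED_SAMPLE" | normalize_feed
echo "kept $(count_sample) entries"
```

To wire this into the sync script, pipe the curl output through normalize_feed instead of the bare grep, and compare the new count with the line count of the file already at $DEST via feed_shrank before the install step. One further point about that install target: the rules open the file with state, which also makes Suricata write the set back to that path when it stops; if the dataset should only ever come from the feed, reference it with load instead.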

Step 2 — Rules File

Create /var/lib/suricata/rules/ipinsights.rules:

# dataset is a sticky-buffer keyword: ip.src / ip.dst select which address
# of the packet is looked up in the set.

# IP Insights — alert on inbound traffic from a blocklisted IP
alert ip [!$HOME_NET] any -> $HOME_NET any ( \
  msg:"IPINSIGHTS Inbound from blocklisted IP"; \
  flow:to_server; \
  ip.src; \
  dataset:isset,ipinsights_block,type ip,state /var/lib/suricata/datasets/ipinsights-block.list; \
  classtype:misc-attack; sid:9100001; rev:1;)

# IP Insights — alert on outbound traffic to a blocklisted IP
alert ip $HOME_NET any -> [!$HOME_NET] any ( \
  msg:"IPINSIGHTS Outbound to blocklisted IP"; \
  flow:to_server; \
  ip.dst; \
  dataset:isset,ipinsights_block,type ip,state /var/lib/suricata/datasets/ipinsights-block.list; \
  classtype:trojan-activity; sid:9100002; rev:1;)

Change the rule action to drop (only effective in IPS / inline mode) once you're comfortable with the false-positive rate. The two rules can also be collapsed to a single alert ip any any -> any any … if you don't care about direction.

Step 3 — Load the Rules

In /etc/suricata/suricata.yaml add the rules file:

rule-files:
  - suricata.rules
  - ipinsights.rules
sudo suricata -T -c /etc/suricata/suricata.yaml -v
sudo systemctl reload suricata

Step 4 — Verify

tail -F /var/log/suricata/fast.log | grep IPINSIGHTS
jq 'select(.alert.signature_id == 9100001 or .alert.signature_id == 9100002)' \
  /var/log/suricata/eve.json

On any internet-facing sensor you should see hits within minutes — opportunistic scanning is near-constant from blocklisted IPs.
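Before switching the rules from alert to drop it helps to know which blocklisted addresses are actually producing the hits. The following is an added example, not part of this integration's tooling: it takes the alert records for sids 9100001 and 9100002 from eve.json and counts hits per remote address (src_ip for the inbound rule, dest_ip for the outbound one), using only grep, sed and awk so it also runs on a sensor without jq. The EVE records are a constructed sample, and the field extraction assumes Suricata's default EVE field order (src_ip, then dest_ip, then the alert object).

```shell
#!/usr/bin/env bash
# Added example: summarise IPINSIGHTS hits in eve.json by remote address, so the
# false-positive rate can be judged before the rules are switched to drop.
# Assumption: Suricata's default EVE field order (src_ip, dest_ip, then alert{}).
set -u

# Constructed sample EVE records (not real sensor output). The first line is a
# flow event and must be ignored; the rest are alerts from the two rules.
EVE_SAMPLE='{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow","src_ip":"192.0.2.10","src_port":40000,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51515,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9100001,"rev":1,"signature":"IPINSIGHTS Inbound from blocklisted IP","category":"Misc Attack","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51516,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9100001,"rev":1,"signature":"IPINSIGHTS Inbound from blocklisted IP","category":"Misc Attack","severity":2}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.200","src_port":3389,"dest_ip":"192.0.2.11","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9100001,"rev":1,"signature":"IPINSIGHTS Inbound from blocklisted IP","category":"Misc Attack","severity":2}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.20","src_port":49152,"dest_ip":"198.51.100.23","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9100002,"rev":1,"signature":"IPINSIGHTS Outbound to blocklisted IP","category":"A Network Trojan was detected","severity":1}}'

# summarize_hits: stdin = eve.json lines; stdout = "<sid> <remote_ip> <hits>",
# most frequent first. Inbound hits (9100001) are keyed on src_ip, outbound
# hits (9100002) on dest_ip, so every output line names the blocklisted address.
summarize_hits() {
  grep '"event_type":"alert"' \
  | sed -n -E 's/.*"src_ip":"([^"]+)".*"dest_ip":"([^"]+)".*"signature_id":([0-9]+).*/\3 \1 \2/p' \
  | awk '{
      ip = ($1 == 9100001) ? $2 : ($1 == 9100002) ? $3 : ""
      if (ip != "") hits[$1 " " ip]++
    }
    END { for (k in hits) print k, hits[k] }' \
  | sort -k3,3nr -k1,1n -k2,2
}

# top_remote: the single busiest blocklisted address in the sample.
top_remote() {
  printf '%s\n' "$EVE_SAMPLE" | summarize_hits | head -n 1
}

printf '%s\n' "$EVE_SAMPLE" | summarize_hits
```

On a live sensor, feed the real file in with summarize_hits < /var/log/suricata/eve.json; addresses at the top of the list that belong to partners, scanners you run yourself, or CDN ranges are the ones to investigate before any drop action goes in.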

API Key: Not required for the public blocklist used by this integration.
