Add Suricata package for installation into the FLARE-VM #1314

@jstrosch

Description

Details

I'd like to propose the inclusion of Suricata, primarily for the FLARE-VM. Suricata can run in offline mode, allowing for the consumption of PCAP to generate alerts or other network data (i.e. JA3/JA4, etc.). This can be used in conjunction with tools like Fakenet, allowing for offline network generation and analysis.

Suricata provides an MSI installer: https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.8-1-64bit.msi.

Rule sets will need to be added to the default rule path, which will be under C:\ProgramFiles\Suricata\rules. There are a few options for open-source/open license rule sets. ET Open is the largest and most popular: https://rules.emergingthreats.net/open/suricata-7.0.3/. AttackDetection is another: https://github.com/ptresearch/AttackDetection. And there are several options from AbuseCH: https://sslbl.abuse.ch/blacklist/.

To get an idea of how Suricata could be used in the FLARE-VM, I have a short video series on YouTube: https://www.youtube.com/playlist?list=PLHJns8WZXCdthheGdEpV4D_NdKTwcd_Xg. This would not only allow for increased detection opportunities, but the foundation of a custom rule writing workflow for those interested in creating their own rules. I hope this request found the right location and appreciate the consideration. Please let me know if you have any questions.

Thanks,
Josh
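As an added illustration of the offline workflow described in the request (not code from the issue author or the FLARE-VM project), the snippet below builds the `suricata -r <pcap>` invocation and summarises the resulting `eve.json` into alert counts per signature plus the distinct JA3/JA4 fingerprints. It assumes `suricata` is on PATH and the default Windows config path; the EVE lines are constructed sample data, including one truncated line to show how a partially written log is tolerated.

```python
import json
from collections import Counter

# Assumed default config location for the Windows MSI install (not from the issue).
DEFAULT_CONFIG = r"C:\Program Files\Suricata\suricata.yaml"


def suricata_offline_cmd(pcap, out_dir, config=DEFAULT_CONFIG):
    """Command line for an offline run: -r replays the PCAP instead of sniffing an
    interface, -l chooses the log directory where eve.json is written. Rule files
    are those listed in the config's rule-files section under default-rule-path."""
    return ["suricata", "-c", config, "-r", pcap, "-l", out_dir]


# Constructed EVE JSON lines (not real alerts); the last line is deliberately cut off.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"signature_id":9000001,"signature":"EXAMPLE MALWARE Constructed C2 Beacon","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"signature_id":9000001,"signature":"EXAMPLE MALWARE Constructed C2 Beacon","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","alert":{"signature_id":9000002,"signature":"EXAMPLE POLICY Constructed DNS Lookup","severity":3}}
{"event_type":"tls","tls":{"sni":"example.invalid","ja3":{"hash":"0123456789abcdef0123456789abcdef"},"ja4":"t13d0000h2_00000000000_000000000000"}}
{"event_type":"flow","flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":9000003,"sig
"""


def summarize_eve(lines):
    """Aggregate EVE JSON lines: alert counts keyed by (sid, signature) and the
    distinct JA3/JA4 client fingerprints recorded in TLS events."""
    alerts = Counter()
    ja3, ja4 = set(), set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # eve.json may still be mid-write; skip the partial line
        kind = ev.get("event_type")
        if kind == "alert":
            a = ev.get("alert", {})
            alerts[(a.get("signature_id"), a.get("signature"))] += 1
        elif kind == "tls":
            t = ev.get("tls", {})
            if t.get("ja3", {}).get("hash"):
                ja3.add(t["ja3"]["hash"])
            if t.get("ja4"):
                ja4.add(t["ja4"])
    return {"alerts": dict(alerts), "ja3": sorted(ja3), "ja4": sorted(ja4)}
```

In practice, run `subprocess.run(suricata_offline_cmd(pcap, out_dir), check=True)` and then feed `open(os.path.join(out_dir, "eve.json"))` to `summarize_eve`.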

Labels

🌀 FLARE-VM (A package or feature to be used by FLARE-VM), 🆕 package (New package request/idea/PR)