Suricata IDS/IPS Monitoring
The Suricata monitoring page provides real-time visibility into the intrusion detection and prevention system running on your edge devices. View alert rates, packet processing performance, protocol breakdowns, and flow statistics.
Navigate to Monitoring > Suricata IDS/IPS in the sidebar.
This page requires the Suricata feature to be enabled for your tenant. If the feature is disabled, you will see a banner indicating the feature is not available. Contact your administrator to enable it.
Edge Selector
Use the dropdown at the top of the page to select which edge device to monitor. All charts and statistics update to show data for the selected edge.
Status Cards
Four cards show the current state of Suricata on the selected edge:
| Card | Description |
|---|---|
| Status | Enabled (green) or Disabled (red) |
| Mode | IDS (detect only) or IPS (detect and block) |
| Uptime | How long Suricata has been running |
| Active Threads | Number of processing threads |
Resource and Alert Summary
A second row of cards provides:
| Metric | Description |
|---|---|
| Memory | Current memory usage |
| Active Flows | Number of tracked network flows |
| Blocked | Total packets blocked. Only increments in IPS mode; in IDS mode nothing is blocked, so this stays at zero |
| Allowed | Total packets allowed through |
| Total Alerts | Cumulative alert count |
Alerts by Severity
A donut chart breaking down alerts by severity level (Critical, High, Medium, Low, Info). Use it to tell at a glance whether a rise in Total Alerts is driven by high-severity rules or by informational noise.
Time-Series Charts
Six charts show 30-minute windows of real-time data with 1-minute resolution, auto-refreshing every 30 seconds:
Alert Rate by Severity
Line chart showing the alert generation rate per severity level over time. Spikes indicate potential security events, but check which severity is spiking: a jump confined to Low or Info alerts is more often a noisy rule or a scan than an intrusion.
Packet Processing Rate
Dual-line chart showing:
- Received — Packets entering Suricata for inspection
- Dropped — Packets Suricata could not keep up with and never inspected (indicates processing overload)
A high drop rate relative to received packets is a visibility gap, not just a performance problem: dropped packets are not matched against any rule, so an attack carried in them produces no alert. A sustained drop rate usually means Suricata needs more resources (threads, memory, capture buffers) or rule optimization.
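What the Packet Processing Rate and Alerts by Severity charts compute, as an added example that is not code from the monitoring product or from Suricata: it reads Suricata's own eve.json `stats` and `alert` records, turns the cumulative `capture.kernel_packets` / `capture.kernel_drops` counters into per-interval received and dropped rates, flags intervals whose drop ratio exceeds a threshold, and buckets alerts by severity, cumulatively and per minute. The eve lines are constructed for the example. Suricata alerts carry a numeric severity from 1 (highest) to 4; how the page maps that onto its five labels is not stated, so the four-label mapping and the 1% threshold below are assumptions.

```python
# Added example, not code from the monitoring product or from Suricata.
# Turns raw eve.json records into the numbers the Suricata monitoring page
# charts: per-interval received/dropped packet rates from cumulative capture
# counters, and alert counts by severity. The eve lines below are constructed.
import json
from collections import Counter, defaultdict
from datetime import datetime

# Suricata stats counters are cumulative, so chart rates are deltas between
# consecutive stats records. Eve alerts carry a numeric severity (1 = highest,
# 4 = lowest); the label mapping is an assumption about the page's naming.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":600,"capture":{"kernel_packets":100000,"kernel_drops":0}}}
{"timestamp":"2024-05-01T10:00:12.000000+0000","event_type":"alert","alert":{"severity":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-05-01T10:00:30.000000+0000","event_type":"alert","alert":{"severity":3,"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound"}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":660,"capture":{"kernel_packets":160000,"kernel_drops":200}}}
{"timestamp":"2024-05-01T10:01:15.000000+0000","event_type":"alert","alert":{"severity":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-05-01T10:01:40.000000+0000","event_type":"alert","alert":{"severity":4,"signature_id":2200003,"signature":"SURICATA IPv4 truncated packet"}}
{"timestamp":"2024-05-01T10:02:00.000000+0000","event_type":"stats","stats":{"uptime":720,"capture":{"kernel_packets":400000,"kernel_drops":60200}}}
"""

SEVERITY_LABELS = {1: "High", 2: "Medium", 3: "Low", 4: "Info"}  # assumed
DROP_RATIO_THRESHOLD = 0.01  # assumed; 1% sustained is a visibility gap


def parse_eve(text):
    """Yield (timestamp, record) per JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            continue  # one corrupt line must not abort the whole analysis
        yield ts, rec


def packet_rates(text):
    """One dict per gap between consecutive stats records.

    kernel_packets is everything the kernel saw on the capture socket;
    kernel_drops is the subset it could not hand to Suricata, i.e. packets
    that were never inspected.
    """
    rates, prev = [], None
    for ts, rec in parse_eve(text):
        if rec.get("event_type") != "stats":
            continue
        cap = rec["stats"]["capture"]
        cur = (ts, cap["kernel_packets"], cap["kernel_drops"])
        if prev is not None:
            secs = (cur[0] - prev[0]).total_seconds()
            recv, drop = cur[1] - prev[1], cur[2] - prev[2]
            # A Suricata restart resets counters; a negative delta is not a rate.
            if secs > 0 and recv >= 0 and drop >= 0:
                rates.append({
                    "end": cur[0],
                    "received_pps": recv / secs,
                    "dropped_pps": drop / secs,
                    "drop_ratio": drop / recv if recv else 0.0,
                })
        prev = cur
    return rates


def overloaded_intervals(text, threshold=DROP_RATIO_THRESHOLD):
    """Intervals where the drop ratio exceeds the threshold."""
    return [r for r in packet_rates(text) if r["drop_ratio"] > threshold]


def alerts_by_severity(text):
    """Cumulative alert count per severity label (the donut chart)."""
    counts = Counter()
    for _, rec in parse_eve(text):
        if rec.get("event_type") == "alert":
            counts[SEVERITY_LABELS.get(rec["alert"].get("severity"), "Unknown")] += 1
    return dict(counts)


def alert_rate_per_minute(text):
    """Alert count per minute and severity label (the alert-rate chart)."""
    buckets = defaultdict(Counter)
    for ts, rec in parse_eve(text):
        if rec.get("event_type") == "alert":
            label = SEVERITY_LABELS.get(rec["alert"].get("severity"), "Unknown")
            buckets[ts.strftime("%Y-%m-%dT%H:%M")][label] += 1
    return {minute: dict(c) for minute, c in buckets.items()}


if __name__ == "__main__":
    for r in packet_rates(SAMPLE_EVE):
        flag = " <-- overload, traffic uninspected" if r["drop_ratio"] > DROP_RATIO_THRESHOLD else ""
        print(f"{r['end']:%H:%M} recv={r['received_pps']:.0f} pps "
              f"dropped={r['dropped_pps']:.0f} pps ratio={r['drop_ratio']:.2%}{flag}")
    print("alerts by severity:", alerts_by_severity(SAMPLE_EVE))
    print("alert rate per minute:", alert_rate_per_minute(SAMPLE_EVE))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents; the second constructed interval (60,000 drops out of 240,000 packets) is the kind of minute that shows up as the Dropped line climbing towards Received on the chart. Rates are only meaningful between two stats records from the same Suricata run, which is why the counter-reset check discards negative deltas instead of plotting them.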
Throughput
Line chart showing bytes per second processed by Suricata.
Traffic by Protocol
Stacked area chart showing decoded traffic by protocol (TCP, UDP, ICMP, etc.).
Flow Statistics
Dual-line chart showing:
- New Flows — Rate of new flow creation
- Timeouts — Rate of flow timeout/expiration
App Layer Transactions
Stacked area chart showing application-layer protocol transactions (HTTP, TLS, DNS, etc.) decoded by Suricata.
Relationship to Edge Configuration
Suricata is configured on each edge's Configuration page under the Suricata IDS/IPS and Service Chain tabs. The monitoring page shows the operational results of that configuration.
To enable Suricata on an edge:
- Navigate to the edge's Configuration page
- Enable Suricata under the Suricata IDS/IPS tab
- Configure a service chain to steer traffic through Suricata
- Sync the configuration to the edge
Suricata only inspects traffic that a service chain steers to it. If the Status card shows Enabled but the packet and flow charts stay flat after the sync, check the Service Chain tab before looking for a Suricata fault.