Suricata-powered intrusion detection with 49K+ rules and auto-blocking
Tophan integrates Suricata as an inline intrusion detection and prevention system, inspecting traffic at the virtual switch level. Every packet crossing your virtual infrastructure is analyzed against 49,000+ threat signatures before it reaches the destination VM.
Suricata runs in IPS mode on each Tophan node, sitting inline on the OVS bridge. Traffic is inspected in real time against the Emerging Threats ruleset (updated daily) plus any custom rules you define. In detection mode, threats generate alerts. In prevention mode, matching traffic is dropped before delivery.
The alert dashboard in Dragon’s Eye shows threats by severity, source, destination, and rule category. You can see at a glance whether something is a noisy false positive or a genuine attack. One-click suppression silences known false positives without disabling the underlying rule for other contexts.
Auto-blocking escalates repeated offenders. When a source IP triggers a configurable number of high-severity alerts within a time window, Tophan adds a temporary firewall block automatically. The block duration, threshold, and severity filter are all configurable. Blocks are logged and visible in Dragon’s Eye for review.
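The escalation logic described above, as an added example that is not Tophan's own code: it counts alerts per source IP over a sliding window on constructed Suricata eve.json lines, applies the severity filter (Suricata severity 1 is the highest), and issues a temporary block once the threshold is met. The threshold, window, block duration and severity cutoff are assumed defaults, and a source that is already blocked is not blocked again until its block expires.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AutoBlocker:
    """Sliding-window escalation: block a source IP after `threshold` alerts at or
    above the severity cutoff within `window` (Suricata severity 1 = highest)."""
    def __init__(self, threshold=3, window=timedelta(minutes=5),
                 block_duration=timedelta(hours=1), max_severity=1):
        self.threshold, self.window = threshold, window
        self.block_duration, self.max_severity = block_duration, max_severity
        self.hits = defaultdict(deque)  # src_ip -> timestamps of qualifying alerts
        self.blocks = {}                # src_ip -> expiry of the temporary block

    def observe(self, record):
        """Feed one parsed EVE record; return (src_ip, expiry) when a block is added."""
        if record.get("event_type") != "alert" or record["alert"]["severity"] > self.max_severity:
            return None                 # non-alert records and lower-severity alerts never count
        ts = datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        src = record["src_ip"]
        if src in self.blocks and self.blocks[src] <= ts:
            del self.blocks[src]        # earlier temporary block has expired
        if src in self.blocks:
            return None                 # already blocked: do not stack blocks
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()                 # drop alerts that fell out of the window
        if len(q) >= self.threshold:
            self.blocks[src] = ts + self.block_duration
            q.clear()
            return src, self.blocks[src]
        return None

def process_eve(lines, blocker):
    """Run eve.json lines through the blocker; return the blocks it would add."""
    results = [blocker.observe(json.loads(line)) for line in lines if line.strip()]
    return [r for r in results if r]

# Constructed eve.json lines (not captured traffic); IPs are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
{"timestamp":"2024-05-01T10:00:30.000000+0000","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000002,"signature":"TEST medium","severity":2}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
{"timestamp":"2024-05-01T10:02:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
{"timestamp":"2024-05-01T10:03:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
{"timestamp":"2024-05-01T10:20:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":1000001,"signature":"TEST high","severity":1}}
"""
```

Running `process_eve(SAMPLE_EVE.splitlines(), AutoBlocker())` blocks only 203.0.113.7 (until 11:02): the medium-severity alert is skipped by the filter, the alert arriving while the block is active is not counted again, and the two alerts from 198.51.100.9 fall outside a single five-minute window.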
Custom rules use standard Suricata syntax. Write rules that match your specific applications and threat model, test them in detection mode, then promote to prevention when validated.
| Feature | Description |
|---|---|
| Inline IPS | Drop malicious traffic before it reaches the VM |
| 49K+ Rules | Emerging Threats ruleset with daily automatic updates |
| Custom Rules | Standard Suricata syntax for application-specific detection |
| Alert Dashboard | Severity-ranked alerts with source, destination, and rule detail |
| Auto-Blocking | Automatic firewall blocks for repeat high-severity offenders |
| False Positive Management | Per-context suppression without disabling rules globally |
| Protocol Analysis | Deep inspection of HTTP, TLS, DNS, SMB, and 40+ protocols |
| PCAP on Alert | Automatic packet capture around alert events for forensics |
| Performance Bypass | Hardware offload and bypass for trusted high-throughput flows |