suricata  4.1.0
About: Suricata is a high performance Network Intrusion Detection (IDS) and Prevention (IPS) and Network Security Monitoring engine.
  Fossies Dox: suricata-4.1.0.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

Doxygen documentation

Introduction

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended merely to replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.

Developer documentation

You've reached the automatically generated documentation of Suricata. This document contains information about the architecture and code structure. It is intended for developers wanting to understand or contribute to Suricata.

Modules

Documentation is generated from comments placed in all parts of the code, but you will also find some groups describing specific functional parts:

Architecture

Data structures

Regarding matching, there are three main data structures:

  • Packet: Data relative to an individual packet, with information about linked structures such as the Flow the Packet belongs to.
  • Flow: Information about a flow, for example a TCP session.
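The following C program is an added illustration of the Packet-to-Flow link described above; it is not Suricata's code, and the names it uses (Flow, Packet, FlowTable, FlowGet, RunSample, IP4) are assumptions for this example, standing in for the real, much larger structures. It keeps a hash table of flows keyed by a direction-independent 5-tuple, so that a packet from either side of a TCP session is linked to the same Flow and tagged with its direction; a constructed sample of a three-way handshake plus one unrelated UDP packet yields two flows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not Suricata's code: Flow, Packet, FlowTable and the
 * functions below are assumed names for minimal stand-ins of the real,
 * much larger structures. */
typedef struct Flow_ {
    uint32_t src_ip, dst_ip;        /* 5-tuple as seen in the flow's first packet */
    uint16_t src_port, dst_port;
    uint8_t  proto;
    uint32_t pkts_toserver;         /* packets in the first packet's direction */
    uint32_t pkts_toclient;         /* packets in the reverse direction */
    struct Flow_ *next;             /* hash bucket chain */
} Flow;

typedef struct Packet_ {
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto;
    Flow    *flow;                  /* the Flow this Packet belongs to, once linked */
    int      toserver;              /* this packet's direction within that flow */
} Packet;

#define FLOW_BUCKETS 1024
typedef struct FlowTable_ { Flow *buckets[FLOW_BUCKETS]; uint32_t count; } FlowTable;

/* Direction-independent hash: XOR of the two addresses and of the two ports is
 * symmetric, so both sides of a session land in the same bucket. */
static uint32_t FlowHash(const Packet *p)
{
    uint32_t h = (p->src_ip ^ p->dst_ip) * 2654435761u;
    h ^= (uint32_t)(p->src_port ^ p->dst_port) * 40503u;
    return (h ^ p->proto) % FLOW_BUCKETS;
}

/* Compare a packet with a flow in both orientations and report its direction. */
static int FlowMatch(const Flow *f, const Packet *p, int *toserver)
{
    if (f->proto != p->proto)
        return 0;
    if (f->src_ip == p->src_ip && f->dst_ip == p->dst_ip &&
        f->src_port == p->src_port && f->dst_port == p->dst_port) {
        *toserver = 1; return 1;
    }
    if (f->src_ip == p->dst_ip && f->dst_ip == p->src_ip &&
        f->src_port == p->dst_port && f->dst_port == p->src_port) {
        *toserver = 0; return 1;
    }
    return 0;
}

/* Link a packet to its flow, creating the flow when this is its first packet. */
Flow *FlowGet(FlowTable *ft, Packet *p)
{
    uint32_t idx = FlowHash(p);
    int toserver = 0;
    Flow *f = ft->buckets[idx];
    for (; f != NULL; f = f->next) {
        if (FlowMatch(f, p, &toserver)) {
            if (toserver) f->pkts_toserver++; else f->pkts_toclient++;
            p->flow = f; p->toserver = toserver;
            return f;
        }
    }
    if ((f = calloc(1, sizeof(*f))) == NULL)
        return NULL;
    f->src_ip = p->src_ip;     f->dst_ip = p->dst_ip;
    f->src_port = p->src_port; f->dst_port = p->dst_port;
    f->proto = p->proto;
    f->pkts_toserver = 1;           /* the first packet defines "to server" */
    f->next = ft->buckets[idx];
    ft->buckets[idx] = f;
    ft->count++;
    p->flow = f; p->toserver = 1;
    return f;
}

void FlowTableFree(FlowTable *ft)
{
    for (uint32_t i = 0; i < FLOW_BUCKETS; i++) {
        for (Flow *f = ft->buckets[i], *n; f != NULL; f = n) { n = f->next; free(f); }
        ft->buckets[i] = NULL;
    }
    ft->count = 0;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Feed a constructed sample (TCP 3-way handshake plus one unrelated UDP packet)
 * through the table. Returns the number of flows created; the out-parameters
 * receive the per-direction packet counts of the TCP flow. */
uint32_t RunSample(uint32_t *tcp_toserver, uint32_t *tcp_toclient)
{
    FlowTable ft = { { NULL }, 0 };
    Packet pkts[4] = {
        { IP4(10,0,0,1), IP4(10,0,0,2), 40000, 80, 6, NULL, 0 },   /* SYN     */
        { IP4(10,0,0,2), IP4(10,0,0,1), 80, 40000, 6, NULL, 0 },   /* SYN/ACK */
        { IP4(10,0,0,1), IP4(10,0,0,2), 40000, 80, 6, NULL, 0 },   /* ACK     */
        { IP4(10,0,0,1), IP4(10,0,0,53), 5353, 53, 17, NULL, 0 },  /* DNS/UDP */
    };
    for (int i = 0; i < 4; i++)
        FlowGet(&ft, &pkts[i]);
    *tcp_toserver = pkts[0].flow->pkts_toserver;
    *tcp_toclient = pkts[0].flow->pkts_toclient;
    uint32_t n = ft.count; FlowTableFree(&ft);
    return n;
}

int main(void)
{
    uint32_t ts, tc, n = RunSample(&ts, &tc);
    printf("flows=%u tcp toserver=%u toclient=%u\n", n, ts, tc);
    return 0;
}
```

The point to take from the example is the direction handling: the flow is keyed by the tuple of its first packet, and every later packet is matched in both orientations so that the reverse direction of a session joins the same Flow instead of creating a second one. Any real engine also needs flow timeouts and thread-safe access to the table, which this sketch leaves out.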

Running mode

Suricata is multithreaded, and running modes define how the different threads work together. See util-runmodes.c for an example of a running mode.