What Suricata Does
Suricata on pfSense is an intrusion detection and prevention system (IDS/IPS). It inspects packets against rulesets (ET Open, Snort, etc.) looking for known attack signatures: malware C2 callbacks, exploit payloads, SQL injection attempts, port scan patterns, and other indicators of compromise.
Suricata is excellent at catching:
- Malware communications and C2 traffic
- Exploit attempts (buffer overflows, shell commands in HTTP)
- Protocol violations and anomalies
- Brute-force login attempts
- Known botnet traffic patterns
It works by deep packet inspection (DPI), examining the content of each packet and matching it against tens of thousands of signatures. This requires significant CPU because every packet must be inspected.
What Flowtriq Does
Flowtriq detects volumetric DDoS attacks by analyzing traffic patterns, not packet contents. It builds a rolling baseline of normal traffic (PPS, bandwidth, protocol distribution, connection rates) and triggers when traffic deviates significantly from that baseline.
Flowtriq catches:
- SYN floods (millions of half-open connections)
- UDP floods (volumetric packet storms)
- DNS/NTP/memcached amplification (reflected traffic)
- ICMP floods
- Carpet bombing (distributed across a subnet)
- Connection exhaustion (Slowloris, slow-rate attacks)
It works by reading kernel-level counters every second, not by inspecting individual packets. This means it uses minimal CPU and can detect attacks regardless of packet content.
Why They Solve Different Problems
The fundamental difference: Suricata asks "does this packet match a known bad pattern?" Flowtriq asks "is this traffic volume abnormal?"
A DDoS attack with 500,000 SYN packets per second does not need signature matching. There is no malware payload to detect. The attack is pure volume. Each individual SYN packet is a valid TCP packet. Suricata might have a rule for SYN flood detection, but it was not designed for this use case. At high PPS, Suricata's DPI pipeline becomes a bottleneck because it is trying to inspect every packet in the flood.
Conversely, a malware C2 callback is low-bandwidth (maybe a few packets per minute) and blends into normal traffic volume. Flowtriq would not flag it because the traffic volume is normal. Suricata catches it because the packet content matches a known signature.
| Threat type | Suricata | Flowtriq |
|---|---|---|
| Malware C2 callback | Detects | Misses (low volume) |
| SQL injection | Detects | Misses (not volumetric) |
| 500K PPS SYN flood | Struggles | Detects in <1 sec |
| DNS amplification | Partial | Detects in <1 sec |
| Carpet bombing | Misses | Detects |
| Brute-force SSH | Detects | Misses (low PPS) |
| Slowloris | Partial | Detects (connection rate) |
Running Both Together
The strongest setup uses both. Suricata on pfSense handles intrusion detection and protocol-level threats. Flowtriq handles volumetric DDoS detection on the servers behind pfSense.
The typical architecture:
Internet
|
v
pfSense (Suricata IDS/IPS)
| - Blocks known malware
| - Detects exploit attempts
| - Protocol anomaly detection
v
Your Servers (ftagent installed)
| - Detects DDoS floods
| - Baseline anomaly detection
| - Automated firewall rules
| - PCAP forensics
Suricata sits inline on pfSense and blocks known threats before they reach your servers. Flowtriq sits on each server and detects volumetric attacks that reach the server level. If a DDoS attack is large enough to saturate your pfSense WAN link, Flowtriq's upstream escalation (BGP FlowSpec, cloud scrubbing) kicks in to filter traffic before it reaches your network.
Why Suricata Alone Is Not Enough for DDoS
Running Suricata on pfSense gives you IDS capabilities. It does not give you production-grade DDoS detection for several reasons:
- CPU saturation during floods: Suricata inspects every packet. During a 200K+ PPS flood, the CPU on your pfSense box may not keep up, causing packet drops that affect all traffic, not just attack traffic.
- No dynamic baselines: Suricata rules use static thresholds. If your traffic legitimately increases (sale event, product launch), the static threshold either fires a false positive or is set too high to catch real attacks.
- No upstream escalation: Suricata cannot trigger BGP FlowSpec or cloud scrubbing. It blocks at the pfSense level, which does not help when your WAN link is already saturated.
- No forensic PCAP with classification: Suricata logs alerts. Flowtriq captures targeted PCAP during incidents with full attack classification, timeline, and evidence packaging.
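To make the rolling-baseline idea from the Flowtriq section and the static-threshold point above concrete, here is an added Python example (not ftagent or Suricata code; the window size, deviation factor, threshold and traffic figures are constructed) that turns the cumulative TCP InSegs counter from /proc/net/snmp into a per-second rate and then replays a quiet period, a legitimate traffic ramp and a flood through both a fixed threshold and a rolling baseline.

```python
"""Static PPS threshold vs rolling baseline (added example, not Flowtriq code)."""
from collections import deque
from statistics import mean, pstdev

STATIC_PPS_LIMIT = 20_000   # constructed fixed threshold, in the style of a static IDS rule

def tcp_in_segs(snmp_text):
    """Read the cumulative InSegs counter from the text of /proc/net/snmp."""
    rows = [line.split() for line in snmp_text.splitlines() if line.startswith("Tcp:")]
    header, values = rows[0][1:], rows[1][1:]      # first Tcp: row is names, second is values
    return int(dict(zip(header, values))["InSegs"])

def pps_from_counters(prev_text, cur_text, interval=1.0):
    """Per-second segment rate from two snapshots taken `interval` seconds apart."""
    return (tcp_in_segs(cur_text) - tcp_in_segs(prev_text)) / interval

class BaselineDetector:
    """Rolling baseline over the last `window` samples; alerts on a large deviation."""
    def __init__(self, window=60, warmup=10, k=6.0, floor_pps=1_000):
        self.history = deque(maxlen=window)
        self.warmup, self.k, self.floor_pps = warmup, k, floor_pps

    def observe(self, pps):
        alert = False
        if len(self.history) >= self.warmup:
            mu, sigma = mean(self.history), pstdev(self.history)
            # treat at least 10% of the mean as spread so a quiet link does not alert on noise
            alert = pps > mu + self.k * max(sigma, 0.1 * mu) and pps > self.floor_pps
        if not alert:
            self.history.append(pps)   # adapt to legitimate growth, never to an attack
        return alert

def compare(samples):
    """Return the sample indices flagged by the static limit and by the baseline."""
    det = BaselineDetector()
    static = [i for i, p in enumerate(samples) if p > STATIC_PPS_LIMIT]
    dynamic = [i for i, p in enumerate(samples) if det.observe(p)]
    return static, dynamic

# Constructed per-second series: quiet traffic, a product-launch ramp to ~30k pps, a flood.
QUIET = [5_000 + (i % 7) * 50 for i in range(30)]
RAMP = [5_000 + i * 420 for i in range(60)]
FLOOD = [500_000] * 5
SAMPLES = QUIET + RAMP + FLOOD

if __name__ == "__main__":
    static, dynamic = compare(SAMPLES)
    print("static threshold fired at seconds:", static)    # fires during the legitimate ramp
    print("baseline detector fired at seconds:", dynamic)  # fires only on the flood
```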
FAQ
Can I run ftagent directly on pfSense?
pfSense runs FreeBSD, and ftagent is designed for Linux. Instead, export NetFlow from pfSense to a Flowtriq flow source, or install ftagent on the servers behind pfSense. See our pfSense DDoS protection guide for the NetFlow setup.
Does Snort on pfSense have the same limitations?
Yes. Snort and Suricata are both signature-based IDS/IPS tools. They have the same fundamental limitation for DDoS detection: they were designed for content inspection, not volumetric anomaly detection.
What about pfBlockerNG?
pfBlockerNG blocks traffic from known bad IP lists and geographic regions. It is a blacklist tool, not a DDoS detection tool. It helps reduce background noise but does not detect or mitigate volumetric floods from IPs not on any list.
Layer DDoS detection on top of your pfSense IDS. Keep Suricata for intrusion detection. Add Flowtriq for volumetric DDoS detection with automated mitigation. Start your free 14-day trial.