Suricata “IDS + NSM” Profile
This profile configures Suricata to act as an IDS and NSM (Network Security Monitoring). The NSM features mean that Suricata records all network events (transactions), even if they did not trigger an alert.
This capability is important for network forensic use cases and for investigating breaches, as the analyst will have a historical record of everything observed in their network.
The only downside of this feature is the added load of events as Suricata now records “everything” and not just alerts.
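The forensic value and the extra event volume described above, as an added example that is not part of the original documentation. It assumes the events are read from Suricata's EVE JSON output with its `event_type`, `flow_id`, `src_ip` and `timestamp` fields; the sample records and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (assumption: not captured from a real sensor).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"updates.example.test"}}
{"timestamp":"2024-01-01T10:00:00.200000+0000","flow_id":1002,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","tls":{"sni":"updates.example.test"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":1003,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","http":{"hostname":"files.example.test","url":"/a.bin"}}
{"timestamp":"2024-01-01T10:00:01.100000+0000","flow_id":1003,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","alert":{"signature_id":1000001,"signature":"Constructed test signature"}}
{"timestamp":"2024-01-01T10:00:01.150000+0000","flow_id":1003,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","fileinfo":{"filename":"/a.bin","size":2048}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1003,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","flow":{"bytes_toclient":2300}}
not json - truncated line
"""

def parse_eve(text):
    """Yield EVE records, skipping blank or malformed lines (e.g. a partial write)."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            yield rec

def volume_by_type(records):
    """Event count per type: the gap between 'alert' and the total is the NSM load."""
    return Counter(r["event_type"] for r in records)

def context_for_alerts(records):
    """Map each alerting flow_id to the non-alert records of that flow, in time order."""
    ctx = {r["flow_id"]: [] for r in records if r["event_type"] == "alert" and "flow_id" in r}
    for r in records:
        if r["event_type"] != "alert" and r.get("flow_id") in ctx:
            ctx[r["flow_id"]].append(r)
    for recs in ctx.values():
        # String sort is valid only while all timestamps share one format and offset.
        recs.sort(key=lambda r: r["timestamp"])
    return ctx

def unalerted_activity(records, src_ip):
    """Records from a host in flows that never alerted; only NSM logging retains these."""
    alerted = {r.get("flow_id") for r in records if r["event_type"] == "alert"}
    return [r for r in records if r.get("src_ip") == src_ip and r.get("flow_id") not in alerted]

if __name__ == "__main__":
    records = list(parse_eve(SAMPLE_EVE))
    print("volume:", dict(volume_by_type(records)))
    for fid, recs in context_for_alerts(records).items():
        print("alert flow", fid, "->", [r["event_type"] for r in recs])
    print("unalerted:", [r["event_type"] for r in unalerted_activity(records, "10.0.0.5")])
```

In an alert-only deployment, only the single `alert` record in this sample would exist; the transaction records around it and the host's earlier DNS and TLS activity are what the NSM features add.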