Pass the SALT 2026

Suricata and IOCs, latest news on a love story
2026-07-01, Amphitheater 122

Suricata’s approach to handling Indicators of Compromise (IoCs) has fundamentally evolved from basic IP-only rules to the highly performant Dataset concept. The talk will outline the key advancements, particularly the evolution in Suricata 8.0 to support JSON-based context within Datasets. This upgrade is crucial, as an IoC is nothing without context. With JSON datasets, alerts embed comprehensive threat context, opening the way to performance improvements and easier integration.

The presentation will detail several capabilities for dynamic threat intelligence operations, including the use of a Unix socket to dynamically add and remove elements from the live dataset list, and ongoing integration efforts with platforms like OpenCTI and MISP for seamless threat intelligence exchange. Additionally, a new feature allowing the output of PCRE captured groups directly into the alert context will be examined. This talk will demonstrate how these features enhance Suricata's ability to process, manage, and contextualize threat data in real time.
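The dynamic add/remove exchange mentioned above, as an added example in Python (not code from the talk or from the Suricata project): the client side speaks the suricatasc Unix-socket protocol (a version handshake, then a JSON `dataset-add` / `dataset-remove` command carrying `setname`, `settype` and `datavalue`, with string values base64-encoded as Suricata expects), while the server side is a constructed stand-in so the exchange runs offline. The dataset name `ioc-domains` and the IoC value `evil.example` are made up for the demonstration.

```python
import base64, json, os, socket, tempfile, threading

def encode_value(settype: str, value: str) -> str:
    # String datasets take base64 over the socket; ip values go as-is.
    return base64.b64encode(value.encode()).decode() if settype == "string" else value

def dataset_command(command: str, setname: str, settype: str, value: str) -> dict:
    # dataset-add / dataset-remove in the suricatasc JSON shape.
    return {"command": command, "arguments": {"setname": setname, "settype": settype,
                                              "datavalue": encode_value(settype, value)}}

def send_command(sock_path: str, cmd: dict) -> dict:
    # Announce protocol version 0.2 as suricatasc does, then send one command.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(json.dumps({"version": "0.2"}).encode())
        if json.loads(s.recv(4096))["return"] != "OK":
            raise RuntimeError("version handshake refused")
        s.sendall(json.dumps(cmd).encode())
        return json.loads(s.recv(65536))

def mock_server(srv: socket.socket, store: dict) -> None:
    # Constructed stand-in for Suricata: serves one add/remove and updates `store`.
    conn, _ = srv.accept()
    with conn:
        json.loads(conn.recv(4096))  # client's version announcement
        conn.sendall(b'{"return": "OK"}')
        msg = json.loads(conn.recv(4096))
        args, value = msg["arguments"], msg["arguments"]["datavalue"]
        if args["settype"] == "string":
            value = base64.b64decode(value).decode()
        members = store.setdefault(args["setname"], set())
        added = msg["command"] == "dataset-add"
        (members.add if added else members.discard)(value)
        reply = {"return": "OK", "message": "data added" if added else "data removed"}
        conn.sendall(json.dumps(reply).encode())

def demo(command: str = "dataset-add", value: str = "evil.example") -> tuple:
    # One add/remove of a constructed string IoC against the mock; returns (reply, sets).
    store: dict = {}
    with tempfile.TemporaryDirectory() as tmp, \
         socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        path = os.path.join(tmp, "suricata-command.socket")
        srv.bind(path)
        srv.listen(1)
        t = threading.Thread(target=mock_server, args=(srv, store))
        t.start()
        reply = send_command(path, dataset_command(command, "ioc-domains", "string", value))
        t.join()
    return reply, store
```

Against a real deployment the socket path is the one configured under `unix-command` in suricata.yaml, and the same messages can be issued interactively with `suricatasc`.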

Eric Leblond is a cybersecurity professional and open-source developer focused on network threat detection. He is the co-founder and Chief Technology Officer (CTO) of Stamus Networks, a company that provides Network Detection and Response (NDR) solutions.

In the open-source security space, Leblond is a core developer of Suricata, an intrusion detection and prevention system (IDS/IPS). His work on the project centers around network visibility and alert context. He also serves on the board of directors for the Open Information Security Foundation (OISF), the non-profit organization behind Suricata.

Additionally, Eric Leblond is an emeritus member of the Netfilter Core Team, where his work involves kernel and user-space interactions.
