Suricata is not bundled with CustosXI. It is an independent GPL v2 IDS/IPS project. CustosXI can read Suricata eve.json output and correlate alerts in the dashboard when you install and configure Suricata yourself.
What CustosXI provides
- Settings for Suricata paths (eve.json, rules directory, suricata.yaml)
- Optional start/stop of the Suricata process aligned with capture
- Rule updates (e.g. Emerging Threats open rules) via add-ons
- Alert display and correlation in the UI
What you provide
- Suricata for Windows (OISF / Stamus or your trusted build)
- Correct NIC selection, matching the CustosXI capture adapter
- Rule maintenance, updates, and operational security for the IDS itself
Typical setup flow
- Install Suricata for Windows
- Configure suricata.yaml and set the eve-log output path
- In CustosXI: Settings → Suricata (or Add-ons) - set paths, enable analysis, save
- Start Suricata on the same interface used for capture when needed
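The integration above depends on Suricata's EVE JSON output: one JSON object per line in eve.json, of which only `"event_type": "alert"` records matter for the alert view. The following is an added example, not CustosXI or Suricata code, showing what a consumer of that file has to do: parse each line, drop non-alert events, tolerate the partial last line that a running Suricata may still be writing, and group alerts the way a correlation view would. Field names follow the documented EVE alert schema; the sample records, IP addresses, signature IDs and the `read_complete_lines`/`demo` helpers are constructed for this illustration.

```python
"""Read Suricata eve.json alerts and summarise them (added example, not project code)."""
import json
import os
import tempfile
from collections import Counter

# Constructed sample eve.json content (not real Suricata output): three alerts,
# one non-alert flow record, and a final line that is still being written.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":101,"in_iface":"eth0",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED TEST rule A",'
    '"category":"Misc activity","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":102,"in_iface":"eth0",'
    '"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":103,"in_iface":"eth0",'
    '"event_type":"alert","src_ip":"10.0.0.7","src_port":51001,"dest_ip":"10.0.0.9",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED TEST rule A",'
    '"category":"Misc activity","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":104,"in_iface":"eth0",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.9",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,'
    '"signature_id":1000002,"rev":2,"signature":"CONSTRUCTED TEST rule B",'
    '"category":"Attempted Administrator Privilege Gain","severity":1}}',
    # Truncated: Suricata has not finished writing this record yet.
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0',
]
# The remainder of the truncated record, appended later in demo() (constructed).
PARTIAL_LINE_REST = (
    '.0.8","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":1000003,"rev":1,"signature":"CONSTRUCTED TEST rule C",'
    '"category":"Misc activity","severity":2}}'
)


def parse_alerts(lines):
    """Return normalised alert dicts; skip non-alert events and lines that do not parse."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: ignore it rather than fail the whole read
        if event.get("event_type") != "alert" or not isinstance(event.get("alert"), dict):
            continue
        sig = event["alert"]
        alerts.append({
            "timestamp": event.get("timestamp"),
            "flow_id": event.get("flow_id"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "dest_port": event.get("dest_port"),
            "proto": event.get("proto"),
            "action": sig.get("action"),
            "signature_id": sig.get("signature_id"),
            "signature": sig.get("signature"),
            "severity": sig.get("severity"),  # Suricata: 1 is the most severe
        })
    return alerts


def summarize(alerts):
    """Group alerts per signature and per source host, as a correlation view would."""
    by_signature = Counter((a["signature_id"], a["signature"]) for a in alerts)
    by_src_ip = Counter(a["src_ip"] for a in alerts)
    blocked = sum(1 for a in alerts if a["action"] == "blocked")
    severities = [a["severity"] for a in alerts if a["severity"] is not None]
    return {
        "total": len(alerts),
        "by_signature": dict(by_signature),
        "by_src_ip": dict(by_src_ip),
        "blocked": blocked,
        "highest_severity": min(severities) if severities else None,
    }


def read_complete_lines(path, offset=0):
    """Read only newline-terminated lines appended since byte `offset`.

    Returns (lines, new_offset). A trailing partial line is left unread so the
    next call sees it once Suricata has finished writing it.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n")
    if end < 0:
        return [], offset
    chunk = data[: end + 1]
    return chunk.decode("utf-8", errors="replace").splitlines(), offset + len(chunk)


def demo():
    """Write the sample to a temp file, read incrementally, then complete the partial line."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "eve.json")
        with open(path, "wb") as fh:
            fh.write("\n".join(SAMPLE_EVE_LINES).encode())  # last record unterminated
        first, offset = read_complete_lines(path, 0)
        with open(path, "ab") as fh:
            fh.write(PARTIAL_LINE_REST.encode() + b"\n")  # Suricata finishes the record
        second, offset = read_complete_lines(path, offset)
        return {
            "first": summarize(parse_alerts(first)),
            "second": parse_alerts(second),
            "offset": offset,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

Reading by byte offset rather than re-parsing the whole file is what keeps a dashboard cheap on a large, rotating eve.json; the `rfind(b"\n")` step is the part that prevents a half-written record from being reported as a parse error or, worse, silently dropped.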
Suricata licensing and distribution are separate from CustosXI freeware. See Third-party notices.