wolfSentry vs Suricata

With our new release of wolfSentry, people might wonder how it compares to Suricata. Suricata is an open source IDS / IPS / NSM engine. While it might seem that Suricata is a rival to wolfSentry, our embedded IDPS, the two are actually complementary, and it makes sense for sophisticated users to deploy both.

Suricata:

  • The distribution tarball is 29 MB
  • The build tree with minimal featureset is 536 MB
  • The binary installation image is 35 MB, of which 34.5 MB is the Suricata binary executable (dynamically linked)
  • The main executable depends on 18 special purpose libraries not included in the distribution.
  • Suricata depends on Python
  • It only runs on Unix-like and Windows OSs, and its firewalling (host protection) depends on host OS facilities.

Suricata is a heavyweight, infrastructural IDS platform. Because it sits on the network rather than inside the endpoint, it has to duplicate the logic, and a lot of the processing, of the protocols/libraries/applications that it is monitoring and protecting.

Suricata can do a lot of powerful things, including protecting endpoints that can't protect themselves, and protecting endpoints before they are attacked: a bad actor can be blocked at the first opportunity, after it has only had time to attack the first protected endpoint.

wolfSentry

By comparison, wolfSentry has a much smaller footprint. 

  • The distribution tarball is 36 KB.
  • The build tree is 2.5 MB, with all features and debugging symbols enabled.
  • libwolfsentry.a is 339 KB, and the biggest example executable is 443 KB, or 84 KB stripped, and uses no libraries beyond libc (which it barely uses).
  • It is designed to integrate directly with network-facing applications/libraries to block bad traffic, and it can optionally integrate with host firewall facilities, via plugins.
  • It can run on bare metal, in which case the firewall functions can be directly integrated into the network stack of the application.

wolfSentry isn't infrastructural; it lives on the endpoints, and it is intended to be integrated with the endpoint applications/libraries so that it can leverage them to the fullest.

Comparison and Synergy

The synergy between wolfSentry and an infrastructural IDPS such as Suricata is to have wolfSentry (via a plugin) notify the external IDPS when it detects bad traffic that the external IDPS might not be able to detect on its own. This enables blocking the bad traffic inside the network, before it even reaches the endpoint, and of course blocking the bad traffic for all the protected endpoints at once.
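The following is an added illustration, not wolfSentry's own code or API, of the arrangement described above: a filter that the application calls at accept() time, an escalation path for misbehaviour that only the endpoint itself can observe (here, repeated handshake failures), and a plugin-style hook that would carry the resulting block event to an external IDPS. All names (sentry_ctx, sentry_on_connect, sentry_on_failure, notify_fn) are hypothetical, and the peer addresses and failure threshold are constructed for the demo.

```c
/* Added illustration (not wolfSentry's own API): an endpoint-integrated
 * connection filter with a plugin-style hook that notifies an external IDPS.
 * All names below (sentry_*, peer_state, notify_fn) are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PEERS       16
#define FAIL_THRESHOLD  3     /* failures from one peer before it is blocked */

enum verdict { VERDICT_ACCEPT = 0, VERDICT_REJECT = 1 };

struct peer_state {
    uint32_t addr;       /* IPv4 address in host byte order, e.g. 0x0A000002 */
    unsigned failures;   /* bad events the application reported for this peer */
    bool     blocked;
};

/* Hook the "plugin" implements; a real one would forward to the external IDPS. */
typedef void (*notify_fn)(const char *event, uint32_t addr);

struct sentry_ctx {
    struct peer_state peers[MAX_PEERS];
    size_t            npeers;
    notify_fn         notify;  /* NULL when no external IDPS is attached */
};

static struct peer_state *lookup(struct sentry_ctx *ctx, uint32_t addr, bool create)
{
    for (size_t i = 0; i < ctx->npeers; i++)
        if (ctx->peers[i].addr == addr)
            return &ctx->peers[i];
    if (!create || ctx->npeers == MAX_PEERS)
        return NULL;                      /* table full: caller fails closed */
    struct peer_state *p = &ctx->peers[ctx->npeers++];
    p->addr = addr; p->failures = 0; p->blocked = false;
    return p;
}

/* Called by the application at accept() time, before any payload is parsed. */
enum verdict sentry_on_connect(struct sentry_ctx *ctx, uint32_t addr)
{
    const struct peer_state *p = lookup(ctx, addr, false);
    return (p && p->blocked) ? VERDICT_REJECT : VERDICT_ACCEPT;
}

/* Called when the application itself detects misbehaviour (e.g. a failed TLS
 * handshake): the endpoint knows this, a network IDS may not.  Escalates to a
 * block at FAIL_THRESHOLD and raises the plugin hook exactly once. */
enum verdict sentry_on_failure(struct sentry_ctx *ctx, uint32_t addr)
{
    struct peer_state *p = lookup(ctx, addr, true);
    if (p == NULL)
        return VERDICT_REJECT;            /* no room to track: fail closed */
    if (++p->failures >= FAIL_THRESHOLD && !p->blocked) {
        p->blocked = true;
        if (ctx->notify)
            ctx->notify("auto-block", addr);
    }
    return p->blocked ? VERDICT_REJECT : VERDICT_ACCEPT;
}

/* Constructed stand-in for an IDPS plugin: records the event instead of
 * sending it anywhere. */
static unsigned g_notifications;
static char     g_last_event[64];

static void record_notify(const char *event, uint32_t addr)
{
    g_notifications++;
    snprintf(g_last_event, sizeof g_last_event, "%s %u.%u.%u.%u", event,
             (unsigned)((addr >> 24) & 0xFF), (unsigned)((addr >> 16) & 0xFF),
             (unsigned)((addr >> 8) & 0xFF), (unsigned)(addr & 0xFF));
}

/* Constructed scenario: 10.0.0.2 fails three handshakes, 10.0.0.3 behaves.
 * Returns the number of rejected connection attempts (expected: 2). */
unsigned sentry_demo(void)
{
    struct sentry_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.notify = record_notify;
    g_notifications = 0;
    g_last_event[0] = '\0';

    const uint32_t attacker = 0x0A000002, good = 0x0A000003;
    unsigned rejected = 0;

    if (sentry_on_connect(&ctx, attacker) == VERDICT_REJECT) rejected++; /* not yet known */
    for (int i = 0; i < FAIL_THRESHOLD; i++)
        sentry_on_failure(&ctx, attacker);          /* third call blocks + notifies */
    if (sentry_on_connect(&ctx, attacker) == VERDICT_REJECT) rejected++;
    if (sentry_on_connect(&ctx, good) == VERDICT_REJECT) rejected++;     /* still accepted */
    if (sentry_on_connect(&ctx, attacker) == VERDICT_REJECT) rejected++;
    return rejected;
}

int main(void)
{
    unsigned rejected = sentry_demo();
    printf("rejected=%u notifications=%u last=\"%s\"\n",
           rejected, g_notifications, g_last_event);
    return 0;
}
```

The design point is that the block decision is taken with no dependency on any other host, while the hook fires once per escalation so the external IDPS receives a single actionable event rather than one message per rejected connection. The table is fixed-size and fails closed when full, which is the appropriate default for an embedded target with no heap to grow into.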

This raises an obvious worry about Suricata itself being compromised, because by nature it is directly exposed to the network and is highly privileged. Suricata addresses this with extensive fuzz testing and similar measures to build confidence. However, a 29 MB distribution tarball represents a large codebase and attack surface, and with that comes a higher likelihood that something falls through the cracks.

An advantage of wolfSentry is that it doesn't require the endpoint to trust any other host, nor any other host to trust the endpoint. It is a freestanding, high-efficiency self-defense system.

Ultimately, while the two have different strengths and different uses, the best course of action is to use wolfSentry and Suricata together for the most robust IDPS deployment.

If there are any specific questions about how wolfSentry works, please contact our team at facts@wolfssl.com. If there are other cybersecurity standards you would like wolfSSL to support, please let the wolfSSL team know!