Feature Request: Support for nDPI for Suricata 8+

[da667]

Hello!

I wanted to submit a request to support nDPI and hyperscan for Suricata containers running version 8+.

details: https://docs.suricata.io/en/suricata-8.0.3/plugins/ndpi.html

I've managed to do this successfully through the creation of a custom dockerfile, and custom suricata.yaml. I'm willing to do the work and submit a pull request, since I already got it figured out, but just wanted to see how you wanted to proceed.

The dockerfile change I'm proposing also includes new instructions to acquire vectorscan, a hyperscan replacement, and compile it from source. I wanted to know if you were interested in a single Dockerfile with both of these changes, or if you wanted those tracked in separate issues, and separate pull requests, or if this is customization that you want to leave as a choice to the users. In which case, I'm playing on writing a tutorial on how to do this.

As always, thank you for making and continuing to support Dalton.

-Tony

[whartond]

Tony,

Thanks for the submission. It's always good to hear that other folks use and get value out of Dalton.

I'm not sure Hyperscan/Vectorscan really adds much to Dalton. It can speed up pattern matching in some cases and certainly makes a difference with MPM and improving performance in production deployments. But for a docker-based rule testing software package, it doesn't seem necessary. I know there have been improvements with startup times in recent Suricata releases, but if you have hyperscan, you have to build the hyperscan DB on startup, which takes time. Dalton is used more for frequent, ad-hoc, small runs, so hyperscan may create longer job times overall. Have you tested this? What benefits does hyperscan/vectorscan bring to Dalton?

[da667]

regarding hyperscan: you make a good point, it does lead to a slightly higher delay in getting results, at least when I first tested it, with a full default ET ruleset, it took a good few seconds on a moderately powerful VM.

I really only want it to be able to more accurate mirror performance results in production environments, but I can see where its not really in the best interests of the user, looking for quick pcap results.

Besides that, creating a custom dockerfile to compile it is trivial, so that can be left as a user choice, and I'll just write my tutorial on how to do it.

[da667]

I realized in my post above I didn't exactly state why I would like to see nDPI support in Dalton.

As far as support for nDPI, I was looking to get that enabled in future Suricata docker images to make use of the new nDPI keywords available in Suricata 8+.

I'm experimenting with it, and it seems like a useful feature that has an active community.

[whartond]

Re: nDPI - make sense. I haven't investigated in depth, but at first glance, adding support seems like it isn't much more than a package install and compile flag.

[rkoumis]

Thanks, so I think we have:

1. nDPI - your PR would be welcome
2. Hyperscan - your write-up would be welcome

[da667]

Okay. I have a very detailed post on the emerging threats community site on how to do both: when does reality end? when does fantasy begin?

…

On Fri, Feb 27, 2026, 9:27 AM Robin Koumis (Sophos) < ***@***.***> wrote: *rkoumis* left a comment (secureworks/dalton#254) <#254 (comment)> Thanks, so I think we have: 1. nDPI - your PR would be welcome 2. Hyperscan - your write-up would be welcome — Reply to this email directly, view it on GitHub <#254 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQW676TAG5UU5EYU7MFHYT4OBH67AVCNFSM6AAAAACVWL6TLGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTSNZTGI2DINJRGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[da667]

I'm sorry, i hit send on that email a bit too fast. As i said, i have a detailed writeup, and its over here: https://community.emergingthreats.net/t/operating-in-the-margins-experimenting-with-suricata-features/3207 As far as a PR is concerned, i will have one soon. Expect the pr to contain a suricata 8.0 yaml file with the ndpi plugin enabled, and a new dockerfile for adding ndpi support. I will work on it soon. Thank you very much, and have a great weekend when does reality end? when does fantasy begin?

…

On Fri, Feb 27, 2026, 9:50 AM ayy lmao ***@***.***> wrote: Okay. I have a very detailed post on the emerging threats community site on how to do both: when does reality end? when does fantasy begin? On Fri, Feb 27, 2026, 9:27 AM Robin Koumis (Sophos) < ***@***.***> wrote: > *rkoumis* left a comment (secureworks/dalton#254) > <#254 (comment)> > > Thanks, so I think we have: > > 1. nDPI - your PR would be welcome > 2. Hyperscan - your write-up would be welcome > > — > Reply to this email directly, view it on GitHub > <#254 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAQW676TAG5UU5EYU7MFHYT4OBH67AVCNFSM6AAAAACVWL6TLGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTSNZTGI2DINJRGQ> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >