Stillsuit

Packet filter · stateful · NGFW · WAF · IPS — one engine.

What is Stillsuit?

Stillsuit is a converged network security engine that delivers next-generation firewall (NGFW), web application firewall (WAF), and intrusion prevention system (IPS) capabilities in a single deployment. It is intended for network engineers and security teams that need deep packet inspection, TLS visibility, and application-layer control without operating multiple point products.

  • Inline L2 bridge or tap mode — start in observe-only mode before enforcing blocking policies.
  • App-ID classifies traffic by application name at Layer 7, independent of port or protocol.
  • TLS inspection decrypts, inspects, and re-encrypts sessions with certificate-pinning awareness.

Deploy the Stillsuit engine

Stillsuit can run in inline (L2 bridge) or tap mode. For new deployments, start with tap mode to observe traffic without blocking, then move to inline once policies are tuned.

  • Inline L2: configure a bridge interface on a Linux host with at least two NICs; Stillsuit manages packet forwarding.
  • Tap mode: mirror traffic via a SPAN port or network tap to a dedicated interface — no risk of blocking production traffic.
  • Container/VM deployments: use the provided OCI image with host network mode.
  • After deploying, register the sensor in the Trust Portal under Settings → Sensors.
  1. Choose a deployment mode.

    Select tap mode for initial deployment to observe without blocking. Inline mode requires configuring a Linux bridge with two physical or virtual NICs.

  2. Register the sensor.

    Copy the enrollment token from the Trust Portal under Settings → Sensors and set it as the STILLSUIT_TOKEN environment variable before starting the container.

  3. Confirm traffic is visible.

    Open Stillsuit → Traffic Dashboard and confirm event volume matches expected baseline before writing blocking policies.

Sandworm never writes to your environment. All integrations use the minimum read-only permissions required.

Key concepts

Stillsuit combines a stateful packet filter, next-gen firewall (App-ID), web application firewall (WAF), and IPS in a single pass.

  • Policies: ordered rules matching on App-ID, zone, source/destination, user identity, and URL category.
  • App-ID: layer-7 application identification — block or throttle by application name, not just port.
  • TLS inspection: decrypt, inspect, and re-encrypt sessions for visibility into encrypted traffic (certificate pinning awareness included).
  • IPS signatures: updated regularly; tunable by severity and CVE to reduce false positives.
  • WAF rules: OWASP Core Rule Set base with Sandworm-managed additions; tunable per-application.

Your first policy

After sensor registration, navigate to Stillsuit → Policies → New Policy. The wizard walks you through zone assignment, App-ID selection, and action (allow/deny/log). Start in Log-Only mode before switching to Enforce.

  • Use the Traffic Dashboard to confirm events are flowing before writing blocking rules.
  • The Recommended Baseline policy generates a starter ruleset from observed application traffic.
  • DDoS mitigation thresholds are configured under Stillsuit → Protection → Rate Limits.
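The following is an added illustration, not Stillsuit's own code: a hypothetical model of how an ordered policy (rules matching on App-ID, zone, user identity and URL category, as listed under Key concepts) is evaluated first-match-wins, and how Log-Only mode records the verdict each rule would have applied while never blocking, so the log can be compared against the expected baseline before switching to Enforce. Rule names, zones and the sample events are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
# Hypothetical model of ordered policy evaluation with a Log-Only staging mode
# (added example, not Stillsuit's own code). First matching rule wins.
MATCH_FIELDS = ("app_id", "src_zone", "dst_zone", "user", "url_category")

@dataclass
class Rule:
    name: str
    action: str                          # "allow" | "deny" | "log"
    app_id: Optional[str] = None         # None on any field means "match any"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    user: Optional[str] = None
    url_category: Optional[str] = None

    def matches(self, ev: dict) -> bool:
        return all(getattr(self, f) is None or ev.get(f) == getattr(self, f)
                   for f in MATCH_FIELDS)

@dataclass
class Policy:
    rules: list
    mode: str = "log-only"               # "log-only" | "enforce"
    default_action: str = "deny"         # applied when no rule matches
    log: list = field(default_factory=list)

    def evaluate(self, ev: dict) -> str:
        """Return the verdict actually applied; the would-be verdict is logged."""
        verdict, hit = self.default_action, "default"
        for r in self.rules:             # ordered list: first match wins
            if r.matches(ev):
                verdict, hit = r.action, r.name
                break
        self.log.append({"rule": hit, "would": verdict, "mode": self.mode})
        if self.mode == "log-only":      # staging: observe only, never block
            return "allow"
        return "deny" if verdict == "deny" else "allow"   # "log" still passes

def demo():
    rules = [Rule("allow-corp-ssh", "allow", app_id="ssh", src_zone="corp", dst_zone="dc"),
             Rule("log-saas", "log", url_category="saas"),
             Rule("block-guest-to-dc", "deny", src_zone="guest", dst_zone="dc")]
    events = [  # constructed sample events, not real traffic captures
        {"app_id": "ssh", "src_zone": "corp", "dst_zone": "dc", "user": "alice"},
        {"app_id": "rdp", "src_zone": "guest", "dst_zone": "dc"},
        {"app_id": "web", "src_zone": "corp", "dst_zone": "internet", "url_category": "saas"}]
    staging, live = Policy(rules, mode="log-only"), Policy(rules, mode="enforce")
    return ([staging.evaluate(e) for e in events], [live.evaluate(e) for e in events], staging.log)
```

The staging policy passes every event but its log already shows the guest-to-dc RDP session as a would-be deny, which is the line to check against your baseline before enforcing.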

Integrations

Stillsuit feeds network telemetry into the broader Sandworm platform and can consume identity context from your IdP to enforce user-aware policies.

  • Identity: Okta, Microsoft Entra ID, Google Workspace — user identity is resolved and attached to traffic events.
  • Sandworm SIEM: traffic and IPS alert events are forwarded in OCSF format for correlation.
  • Sandworm SASE: Stillsuit covers on-premise and data-centre perimeters; Sandworm SASE handles cloud-delivered and remote-user access.
  • Sight (threat intel): Stillsuit subscribes to IoC feeds from Sight to block known-malicious IPs and domains in real time.
  • Elm (SOAR): high-severity IPS or WAF alerts can auto-create Elm investigation cases.

API and CLI

Manage Stillsuit policies and review traffic events via the sandworm CLI or REST API.

  • `sandworm stillsuit policies list` — list active policies.
  • `sandworm stillsuit events list --last 1h` — recent traffic events.
  • `sandworm stillsuit policy apply <policy-id>` — push a policy update to a sensor.
  • REST API: see the OpenAPI spec at /api/stillsuit/openapi.json on your deployment.
```bash
sandworm stillsuit events list --last 1h --severity high
```