.TH SURICATA 8 "10 Oct 2016"
.SH NAME
suricata \- Next Generation Intrusion Detection and Prevention Tool
.SH SYNOPSIS
.BI "suricata [OPTIONS] [BPF FILTER]"
.br
.SH DESCRIPTION
\fBsuricata\fP is a network Intrusion Detection System (IDS). It is based on
rules (and is fully compatible with snort rules) to detect a variety of
attacks / probes by searching packet content.
.PP
This engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP,
UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and
hardware acceleration on CUDA, OpenCL GPU cards and more.
.PP
It supports acquiring packets through AF_PACKET, NFQUEUE, PF_RING, PCAP (live
or offline) and more.
.PP
.SH OPTIONS
.TP
.BI "-c " <path>
Load main configuration file (by default, \fI/etc/suricata/suricata.yaml\fP).
.TP
.BI -T
Test configuration file (use with \fI-c\fP).
.TP
.BI "-i " <dev>
Run in PCAP live mode.
.TP
.BI "-F " <file>
Load BPF filter file.
.TP
.BI "-r " <path>
Run in PCAP file/offline mode.
.TP
.BI "-q " <queue-id>
Run in inline NFQUEUE mode.
.TP
.BI "-s " <path>
Load signature file in addition to the main configuration file.
.TP
.BI "-S " <path>
Load signature file exclusively.
.TP
.BI "-l " <directory>
Set log directory (by default /var/log/suricata).
.TP
.BI -D
Run as a background daemon (suricata will fork itself).
.TP
.BI "-k [all|none]"
Force checksum checks (all) or disable them (none).
.TP
.BI -V
Print \fBsuricata\fP version.
.TP
.BI -v[v]
Increase default verbosity.
.TP
.BI --list-app-layer-protos
Print list of supported app layer protocols.
.TP
.BI --list-keywords[=all|csv|<kword>]
List keywords implemented by the engine.
.TP
.BI --list-runmodes
List supported runmodes.
.TP
.BI "--runmode " <runmode_id>
Specific runmode in which the engine should run. The argument
\fIrunmode_id\fP should be the id of the runmode obtained using
\fI--list-runmodes\fP.
.TP
.BI --engine-analysis
Print reports on analysis of different sections in the engine.
.TP
.BI "--pidfile " <file>
Write PID to the file.
.TP
.BI --init-errors-fatal
Enable fatal failure on signature init error.
.TP
.BI --disable-detection
Disable detection engine.
.TP
.BI --dump-config
Show the running configuration.
.TP
.BI --build-info
Display build information.
.TP
.BI --pcap[=<dev>]
Run in PCAP mode. No \fIdev\fP value selects interfaces from main
configuration file.
.TP
.BI "--pcap-buffer-size " <size>
Size of PCAP buffer. Values from 0 to 2147483647.
.TP
.BI --af-packet[=<dev>]
Run in AF_PACKET mode. No \fIdev\fP value selects interfaces from main
configuration file.
.TP
.BI --simulate-ips
Force engine into IPS mode. Useful for QA.
.TP
.BI "--user " <user>
Run \fBsuricata\fP as this \fIuser\fP after init.
.TP
.BI "--group " <group>
Run \fBsuricata\fP as this \fIgroup\fP after init.
.TP
.BI "--unix-socket[=<file>]"
UNIX socket to control \fBsuricata\fP work from \fBsuricatasc(1)\fP.
The default is /var/run/suricata-command.socket.
.TP
.BI "--set name=value"
Set configuration variable \fIname\fP to \fIvalue\fP.
.SH EXAMPLES
To run the engine with default configuration on interface eth0 with signature
file "signatures.rules", run the command as:
.PP
% suricata -c suricata.yaml -s signatures.rules -i eth0
.SH SEE ALSO
.BR suricatasc (1),
.BR tcpdump (1),
.BR pcap (3).
.SH AUTHOR
suricata was written by the Open Information Security Foundation.
.PP
This manual page was written by Pierre Chifflier and Arturo Borrero Gonzalez
for the Debian project (and may be used by others).
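The following launcher script is an added example and is not part of this manual page or of the Suricata project. It combines the options documented above the way an operator would: it runs the configuration test (-T) first, then starts the sensor in one of the capture modes (--af-packet, -q, -r) with an explicit log directory, PID file and privilege drop (--user/--group), and with --init-errors-fatal so a rule that fails to load aborts startup instead of leaving the sensor running with fewer signatures than intended. The rule file path, PID file path and the "suricata" account are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the suricata manual page or project: a launcher
# that validates the configuration before starting suricata with explicit
# logging, PID file and privilege drop. Paths and account names below are
# assumptions; adjust them to the host.

SURICATA_BIN="${SURICATA_BIN:-suricata}"
CONF="${CONF:-/etc/suricata/suricata.yaml}"        # default named in the manual page
RULES="${RULES:-/etc/suricata/rules/local.rules}"   # assumed rule file path
LOGDIR="${LOGDIR:-/var/log/suricata}"               # default named in the manual page
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"         # assumed PID file path
RUN_USER="${RUN_USER:-suricata}"                    # assumed unprivileged account
RUN_GROUP="${RUN_GROUP:-suricata}"                  # assumed unprivileged group

# Compose the command-line arguments for one capture mode and print them.
# The argument string is printed rather than executed so it can be reviewed
# (or checked in a test) on a machine without suricata installed.
#   afpacket <dev>   live capture via AF_PACKET, daemonised (-D)
#   nfqueue  <id>    inline IPS via NFQUEUE, daemonised (-D)
#   pcapfile <path>  offline replay of a capture file, foreground
# Paths containing whitespace are not supported by this simple string form.
build_suricata_args() {
    mode=$1
    target=$2
    case "$mode" in
        afpacket) capture="--af-packet=$target -D" ;;
        nfqueue)  capture="-q $target -D" ;;
        pcapfile) capture="-r $target" ;;
        *) printf 'build_suricata_args: unknown mode %s\n' "$mode" >&2; return 1 ;;
    esac
    common="-c $CONF -s $RULES -l $LOGDIR --pidfile $PIDFILE"
    # --init-errors-fatal: a signature that fails to initialise aborts startup
    # rather than silently reducing coverage.
    common="$common --user $RUN_USER --group $RUN_GROUP --init-errors-fatal"
    printf '%s' "$common $capture"
}

# Parse the configuration and rule files without touching any interface.
# A non-zero exit means the real start would not come up cleanly either.
check_config() {
    "$SURICATA_BIN" -T -c "$CONF" -s "$RULES" -l "$LOGDIR"
}

# Test first, then start. Refuses to start on a failed configuration test.
start_suricata() {
    args=$(build_suricata_args "$1" "$2") || return 1
    check_config || { echo "configuration test failed, not starting" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting of the argument string is intended
    "$SURICATA_BIN" $args
}

# Usage: ./run-suricata.sh <afpacket|nfqueue|pcapfile> <dev|queue-id|path>
if [ $# -eq 2 ]; then
    start_suricata "$1" "$2"
fi
```

Running the script with no arguments only defines the functions, so it can be sourced to inspect the composed command line with build_suricata_args before anything is executed; the pcapfile mode deliberately omits -D because an offline replay should finish in the foreground where its exit status can be observed.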