Scroll to navigation

SURICATA(8) System Manager's Manual SURICATA(8)

NAME

suricata - Next Generation Intrusion Detection and Prevention Tool

SYNOPSIS

suricata [OPTIONS] [BPF FILTER]

DESCRIPTION

suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content.

This engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and hardware acceleration on CUDA, OpenCL GPU cards and more.

It supports acquiring packets through AF_PACKET, NFQUEUE, PF_RING, PCAP (live or offline) and more.

OPTIONS

Load main configuration file (by default, /etc/suricata/suricata.yaml).

Test configuration file (use with -c).

Run in PCAP live mode.

Load BPF filter file.

Run in PCAP file/offile mode.

Run in inline NFQUEUE mode.

Load signature file in addition to the main configuration file.

Load signature file exclusively.

Set log directory (by default /var/log/suricata).

Run as a background daemon (suricata will fork itself).

Force checksum cheks (all) or disable it (none).

Print suricata version.

Increase default verbosity.

Print list of supported app layer protocols.

List keywords implemented by the engine.

List supported runmodes.

Specific runmode in which the engine should run. The argument runmode_id should be the id of the runmode obtained using --list-runmodes.

Print reports on analysis of different sections in the engine.

Write PID to the file.

Enable fatal failure on signature init error.

Disable detection engine.

Show the running configuration.

Display build information.

Run in PCAP mode. No dev value selects interfaces from main configuration file.

Size of PCAP buffer. Values from 0 to 2147483647.

Run in AF_PACKET mode. No dev value selects interfaces from main configuration file.

Force engine into IPS mode. Useful for QA.

Run suricata as this user after init.

Run suricata as this gorup after init.

UNIX socket to control suricata work from suricatasc(1). The default is /var/run/suricata-command.socket.

Set configuration variable name to value.

EXAMPLES

To run the engine with default configuration on interface eth0 with signature file "signatiures.rules", run the command as:


% suricata -c suricata.yaml -s signatures.rules -i eth0

SEE ALSO

suricatasc(1), tcpdump(1), pcap(3).

AUTHOR

suricata was written by the Open Information Security Foundation.

This manual page was written by Pierre Chifflier <pollux@debian.org> and Arturo Borrero Gonzalez <arturo@debian.org> for the Debian project (and may be used by others).

10 Oct 2016