NAME

suricata - Next Generation Intrusion Detection and Prevention Tool

SYNOPSIS

suricata [OPTIONS] [BPF FILTER]

DESCRIPTION

suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content.

This engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and hardware acceleration on CUDA, OpenCL GPU cards and more.

It supports acquiring packets through AF_PACKET, NFQUEUE, PF_RING, PCAP (live or offline) and more.

OPTIONS

-c <path>

Load main configuration file (by default, /etc/suricata/suricata.yaml).

-T

Test configuration file (use with -c).

-i <dev or ip>

Run in PCAP live mode.

-F <bpf filter file>

Load BPF filter file.

-r <path>

Run in PCAP file/offile mode.

-q <qid>

Run in inline NFQUEUE mode.

-s <path>

Load signature file in addition to the main configuration file.

-S <path>

Load signature file exclusively.

-l <dir>

Set log directory (by default /var/log/suricata).

-D

Run as a background daemon (suricata will fork itself).

-k [all|none]

Force checksum cheks (all) or disable it (none).

-V

Print suricata version.

-v[v]

Increase default verbosity.

--list-app-layer-protos

Print list of supported app layer protocols.

--list-keywords[=all|csv|<kword>]

List keywords implemented by the engine.

--list-runmodes

List supported runmodes.

--runmode <runomde_id>

Specific runmode in which the engine should run. The argument runmode_id should be the id of the runmode obtained using --list-runmodes.

--engine-analysis

Print reports on analysis of different sections in the engine.

--pidfile <path>

Write PID to the file.

--init-errors-fatal

Enable fatal failure on signature init error.

--disable-detection

Disable detection engine.

--dump-config

Show the running configuration.

--build-info

Display build information.

--pacp[=<dev>]

Run in PCAP mode. No dev value selects interfaces from main configuration file.

--pcap-buffer-size

Size of PCAP buffer. Values from 0 to 2147483647.

--af-packet[=<dev>]

Run in AF_PACKET mode. No dev value selects interfaces from main configuration file.

--simulate-ips

Force engine into IPS mode. Useful for QA.

--user <user>

Run suricata as this user after init.

--group <group>

Run suricata as this gorup after init.

--unix-socket[=<file>]

UNIX socket to control suricata work from suricatasc(1). The default is /var/run/suricata-command.socket.

--set name=value

Set configuration variable name to value.

EXAMPLES

To run the engine with default configuration on interface eth0 with signature file "signatiures.rules", run the command as:

% suricata -c suricata.yaml -s signatures.rules -i eth0

SEE ALSO

suricatasc(1), tcpdump(1), pcap(3).

AUTHOR

suricata was written by the Open Information Security Foundation.

This manual page was written by Pierre Chifflier <pollux@debian.org> and Arturo Borrero Gonzalez <arturo@debian.org> for the Debian project (and may be used by others).