SURICATA(1)                        Suricata                        SURICATA(1)



NAME

       suricata - Suricata


SYNOPSIS

       suricata [OPTIONS] [BPF FILTER]


DESCRIPTION

       Suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. Open Source and owned by a community run non-profit
       foundation, the Open Information Security Foundation (OISF).


OPTIONS

       -h     Display a brief usage overview.

       -V     Display the version of Suricata.

       -c <path>
              Path to the configuration file.

       -T     Test the configuration and exit without starting the engine.

       -v     Increase the verbosity of Suricata's output. Supply multiple
              times for more verbosity.

       -r <path>
              Run in pcap offline mode (replay mode), reading packets from a
              pcap file. If <path> is a directory, all files in that
              directory are processed in order of modification time, with
              flow state maintained between files.

       --pcap-file-continuous
              Used with -r on a directory: keep running until interrupted,
              picking up files that are added to the directory later and
              not resetting flow state between files.

       --pcap-file-delete
              Used with -r: delete pcap files after they have been
              processed. Together with --pcap-file-continuous this lets a
              capture process keep feeding files into a directory and have
              them cleaned up when done. If this option is not set, pcap
              files are not deleted after processing.

       -i <interface>
              Capture packets from the given network interface. Suricata
              will try to use the best capture method available for it (for
              example AF_PACKET on Linux).

       --pcap[=<device>]
              Run in PCAP (libpcap) capture mode. If no device is given, the
              interfaces listed in the pcap section of the configuration
              file are used.

       --af-packet[=<device>]
              Capture packets using AF_PACKET on Linux. If no device is
              given, the interfaces listed in the af-packet section of the
              YAML are used.

       -q <queue id>
              Run inline (IPS mode) on the NFQUEUE queue ID given. May be
              provided multiple times.

       -s <filename.rules>
              Load the signatures in this file in addition to the rule
              files set in the YAML.

       -S <filename.rules>
              Load the signatures in this file exclusively, ignoring the
              rule files set in the YAML.

       -l <directory>
              Set the default log directory. When -l is given it overrides
              the default-log-dir setting in the YAML; when it is not, the
              directory set in the YAML is used.

       -D     Run as a daemon. Without -D Suricata stays attached to the
              console it was started from and stops when that console is
              closed; with -D it detaches and keeps running in the
              background.

       --runmode <runmode>
              Set the runmode to use. This command line option overrides
              the runmode option in the YAML.

              Runmodes are: workers, autofp and single.

              For more information about runmodes see Runmodes in the user
              guide.

       -F <bpf filter file>
              Use the BPF filter read from the given file.

       -k [all|none]
              Force (all) or disable (none) checksum validation, overriding
              the checksum settings in the configuration file. Disabling it
              is useful when a capture contains packets with bad checksums
              because the capturing host offloads checksum computation to
              the NIC.

       --user=<user>
              Switch the process to this user after initialization, once
              the privileged setup (such as opening capture sockets) is
              done. Overrides the user provided in the run-as section of
              the configuration file. Requires a build with libcap-ng
              support.

       --group=<group>
              Switch the process to this group after initialization.
              Overrides the group provided in the run-as section of the
              configuration file.

       --pidfile <file>
              Write the process ID to file. Overrides the pid-file option in
              the configuration file and forces the file to be written even
              when not running as a daemon.

       --init-errors-fatal
              Exit with a failure when errors are encountered loading
              signatures, instead of skipping the rules that failed and
              continuing.

       --disable-detection
              Disable the detection engine. Suricata then still parses
              protocols and produces its other logs, but no rules are
              evaluated.

       --dump-config
              Dump the configuration loaded from the configuration file to
              the terminal and exit. Useful to confirm the effect of --set
              overrides.

       --build-info
              Display the build information Suricata was built with.

       --list-app-layer-protos
              List all supported application layer protocols.

       --list-keywords=[all|csv|<kword>]
              List all supported rule keywords. With all, include each
              keyword's description; with csv, output in CSV format; with a
              keyword name, show the details of that keyword.

       --list-runmodes
              List all supported run modes.

       --set <key>=<value>
              Set a configuration value. Useful for overriding basic
              configuration parameters in the configuration. For example, to
              change the default log directory:

                 --set default-log-dir=/var/tmp

       --engine-analysis
              Print reports on analysis of different sections in the engine
              and exit. See the engine-analysis parameter in the
              configuration file for the reports that can be printed.

       --unix-socket=<file>
              Use file as the Suricata unix control socket. Overrides the
              filename provided in the unix-command section of the
              configuration file.

       --pcap-buffer-size=<size>
              Set the size of the PCAP buffer (0 - 2147483647).

       --netmap[=<device>]
              Capture packets using NETMAP on FreeBSD or Linux. If no device
              is given, the list of devices from the netmap section in the
              YAML is used.

       --pfring[=<device>]
              Enable PF_RING packet capture. If no device is given, the
              devices in the Suricata configuration will be used.

       --pfring-cluster-id <id>
              Set the PF_RING cluster ID.

       --pfring-cluster-type <type>
              Set the PF_RING cluster type (cluster_round_robin,
              cluster_flow).

       -d <divert-port>
              Run inline using IPFW divert mode on the given divert port.

       --dag <device>
              Capture packets from a DAG card. To capture from a specific
              stream, select it with a device name like "dag0:4". This
              option may be provided multiple times to read from multiple
              devices and/or streams.

       --napatech
              Enable packet capture using the Napatech Streams API.

       --mpipe
              Enable packet capture using the TileGX mpipe interface.

       --erf-in=<file>
              Run in offline mode reading the given ERF file (Endace
              extensible record format).

       --simulate-ips
              Simulate IPS mode when running in a non-IPS mode: drop rules
              are evaluated and logged as drops, but since the packet path
              is not inline nothing is actually dropped. Useful for testing
              a ruleset's drop actions on a passive sensor before deploying
              it inline.

OPTIONS FOR DEVELOPERS

       -u     Run the unit tests and exit. Requires that Suricata be compiled
              with --enable-unittests.

       -U, --unittest-filter=REGEX
              Select which of the unit tests to run; REGEX is matched
              against the test names. Example: suricata -u -U http

       --list-unittests
              List all unit tests.

       --fatal-unittests
              Enable fatal failure on a unit test error: Suricata exits
              instead of continuing with the remaining tests.

       --unittests-coverage
              Display unit test coverage report.


SIGNALS

       Suricata will respond to the following signals:

       SIGUSR2
              Causes Suricata to perform a live rule reload: the rule files
              are re-read and the new ruleset is swapped in without
              restarting the engine or losing flow state.

       SIGHUP Causes Suricata to close and re-open all log files. This can
              be used to re-open log files after they have been moved away
              by log rotation utilities.

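       The two signals are typically sent from a rule-update job and from a
       log rotation postrotate hook, using the PID written with --pidfile.
       The shell functions below are an added example, not part of Suricata:
       they reject a pidfile whose content is not a plain positive integer
       before handing it to kill, check that the process exists, validate
       the ruleset with -T before requesting the live reload, and re-open
       logs after rotation. The configuration and pidfile paths are
       assumptions and must match what the engine was started with.

```shell
#!/bin/sh
# Added example, not part of Suricata: drive a running engine through the
# two signals it handles. CONF and PIDFILE are assumptions.

CONF="${CONF:-/usr/local/etc/suricata/suricata.yaml}"
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"

# signal_from_pidfile <pidfile> <signal>: send <signal> to the PID recorded
# in <pidfile>. The PID must be a plain positive integer, so a truncated or
# tampered pidfile cannot turn into "kill -USR2 -1" (every process) or a
# malformed argument. Returns 0 if the signal was sent, 1 if the pidfile is
# missing or malformed, 2 if no process with that PID exists.
signal_from_pidfile() {
    pidfile="$1"; sig="$2"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*|0*) return 1 ;;     # empty, non-numeric, zero or leading zero
    esac
    kill -0 "$pid" 2>/dev/null || return 2
    kill -s "$sig" "$pid"
}

# reload_rules: validate the ruleset referenced by the YAML, then ask the
# engine for a live reload with SIGUSR2. Validating first catches a broken
# rule update before the operator assumes the new signatures are active.
reload_rules() {
    suricata -T -c "$CONF" --init-errors-fatal || return 1
    signal_from_pidfile "$PIDFILE" USR2
}

# reopen_logs: after rotation has renamed the log files, SIGHUP makes the
# engine close and re-open them so new events go to fresh files. Call this
# from the postrotate section of the logrotate configuration.
reopen_logs() {
    signal_from_pidfile "$PIDFILE" HUP
}
```

       reload_rules returns 1 without signalling when the validation run
       fails, so a rule update job can stop there instead of leaving the
       engine on the previous ruleset unnoticed; reopen_logs only needs
       the pidfile and can run as the account that owns the engine process.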

FILES AND DIRECTORIES

       /usr/local/etc/suricata/suricata.yaml
              Default location of the Suricata configuration file.

       /usr/local/var/log/suricata
              Default Suricata log directory.


BUGS

       Please visit Suricata's support page for information about submitting
       bugs or feature requests.


NOTES

       · Suricata Home Page
            https://suricata-ids.org/

       · Suricata Support Page
            https://suricata-ids.org/support/

       2016, OISF




4.1.4                            Apr 30, 2019                      SURICATA(1)