SURICATA(1)                        Suricata                        SURICATA(1)

NAME

       suricata - Suricata


SYNOPSIS

       suricata [OPTIONS] [BPF FILTER]


DESCRIPTION

       Suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. It is Open Source and owned by a community-run
       non-profit foundation, the Open Information Security Foundation
       (OISF).


OPTIONS

       -h     Display a brief usage overview.

       -V     Display the version of Suricata.

       -c <path>
              Path to the configuration file.

       -T     Test the configuration and exit. Combine with
              --init-errors-fatal so that signature load errors also make
              the test fail, which is the check to run before deploying a
              new configuration or rule set.

       -v     Increase the verbosity of the Suricata application logging by
              raising the log level from the default. This option can be
              passed multiple times to further increase the verbosity.

              · -v: INFO

              · -vv: PERF

              · -vvv: CONFIG

              · -vvvv: DEBUG (only produces output in builds configured
                with --enable-debug)

              This option will not decrease the log level set in the
              configuration file if it is already more verbose than the
              level requested with this option.

       -r <path>
              Run in pcap offline mode (replay mode), reading packets from
              the pcap file at <path>. If <path> is a directory, all files
              in that directory are processed in order of modification
              time, maintaining flow state between files.

       --pcap-file-continuous
              Used with the -r option to indicate that the mode should stay
              alive until interrupted. This is useful with directories: new
              files added to the directory are picked up and processed
              without resetting flow state between files.

       --pcap-file-delete
              Used with the -r option to indicate that pcap files should be
              deleted after they have been processed. This is useful with
              --pcap-file-continuous to continuously feed files into a
              directory and have them cleaned up when done. If this option
              is not set, pcap files are not deleted after processing.
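       The following is an added example, not part of this man page or of
       the Suricata project: a small POSIX shell feeder for the directory
       form of -r used together with --pcap-file-continuous and
       --pcap-file-delete. Because Suricata processes the directory in
       modification-time order and keeps flow state across files, the
       feeder preserves each capture's mtime and renames files into the
       spool atomically so a half-written file is never picked up. The
       function names (spool_pcap, spool_order, replay_spool), the
       SURICATA variable and the staging directory next to the spool
       (assumed to be on the same filesystem) are this example's own.

```sh
#!/bin/sh
# Added example (not Suricata project code): feed a spool directory to
#   suricata -r <spool> --pcap-file-continuous --pcap-file-delete
# Suricata processes the files in modification-time order and keeps flow state
# across them, so the feeder must preserve mtimes and must never expose a file
# that is still being written.

SURICATA="${SURICATA:-suricata}"   # assumption: the suricata binary is on PATH

# spool_pcap SRC SPOOLDIR: copy SRC into a staging directory next to the spool
# (assumed to be on the same filesystem), then rename it into the spool.
# rename(2) is atomic, so a scan of SPOOLDIR sees either nothing or the whole
# file; cp -p keeps the capture's mtime so replay order equals capture order.
spool_pcap() {
    src="$1"; spool="$2"
    staging="${spool}.staging"
    base=$(basename "$src")
    mkdir -p "$staging" || return 1
    cp -p "$src" "$staging/$base" || return 1
    mv -f "$staging/$base" "$spool/$base" || { rm -f "$staging/$base"; return 1; }
    rm -f "$src"
}

# spool_order SPOOLDIR: list the spool oldest-first, i.e. in the order
# Suricata will process it; useful to check before starting a replay.
spool_order() {
    ls -tr -- "$1"
}

# replay_spool CFG SPOOLDIR LOGDIR: start the replay. It stays alive for new
# files and deletes each one once processed, so the spool cannot fill up, and
# a session split across two captures is still reassembled as one flow.
replay_spool() {
    cfg="$1"; spool="$2"; logdir="$3"
    mkdir -p "$logdir" || return 1
    "$SURICATA" -c "$cfg" -r "$spool" -l "$logdir" \
        --pcap-file-continuous --pcap-file-delete
}
```

       Run replay_spool once in the background, then call spool_pcap for
       each new capture as it is closed by the capture tool; spool_order
       shows what Suricata will read next without touching the files.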

       -i <interface>
              Capture packets from the given network interface. Suricata
              picks the best capture method available for it. Can be given
              several times to capture from several interfaces.

       --pcap[=<device>]
              Run in PCAP mode. If no device is provided, the interfaces
              listed in the pcap section of the configuration file are
              used.

       --af-packet[=<device>]
              Enable packet capture using AF_PACKET on Linux. If no device
              is supplied, the list of devices from the af-packet section
              in the yaml is used.

       -q <queue id>
              Run inline on the NFQUEUE queue ID provided. May be provided
              multiple times.

       -s <filename.rules>
              Load the signatures in this file in addition to the rules set
              in the yaml.

       -S <filename.rules>
              Load the signatures in this file exclusively, ignoring the
              rules set in the yaml.

       -l <directory>
              Set the default log directory. When -l is given it takes
              precedence over the default-log-dir set in the yaml; when it
              is not given, Suricata uses the directory set in the yaml.

       -D     Run as a daemon. Normally Suricata keeps the console it was
              started from occupied and stops when that console is closed;
              with -D it detaches and runs in the background, leaving the
              console free for other tasks.

       --runmode <runmode>
              Set the runmode to use. This command line option overrides
              the runmode set in the yaml.

              Runmodes are: workers, autofp and single.

              For more information about runmodes see Runmodes in the user
              guide.

       -F <bpf filter file>
              Use the BPF filter from file.

       -k [all|none]
              Force (all) the checksum check or disable (none) all checksum
              checks. Packets that fail checksum validation are treated as
              invalid and are not used for stream tracking, so on a capture
              interface with checksum offloading enabled, where captured
              packets carry checksums not yet computed by the hardware,
              either disable offloading on the interface or run with
              -k none.

       --user=<user>
              Set the process user after initialization. Overrides the user
              provided in the run-as section of the configuration file.
              Suricata is normally started as root so that it can open the
              capture interfaces, then drops to this user; dropping
              privileges requires a build with libcap-ng support.

       --group=<group>
              Set the process group after initialization. Overrides the
              group provided in the run-as section of the configuration
              file.

       --pidfile <file>
              Write the process ID to file. Overrides the pid-file option in
              the configuration file and forces the file to be written even
              when not running as a daemon.

       --init-errors-fatal
              Exit with a failure when errors are encountered loading
              signatures.

       --disable-detection
              Disable the detection engine.

       --dump-config
              Dump the configuration loaded from the configuration file to
              the terminal and exit.

       --build-info
              Display the build information Suricata was built with.

       --list-app-layer-protos
              List all supported application layer protocols.

       --list-keywords=[all|csv|<kword>]
              List the supported rule keywords: all lists every keyword,
              csv prints the list in CSV form, and <kword> prints the
              details of a single keyword.

       --list-runmodes
              List all supported run modes.

       --set <key>=<value>
              Set a configuration value. Useful for overriding basic
              configuration parameters in the configuration. For example,
              to change the default log directory:

                 --set default-log-dir=/var/tmp

       --engine-analysis
              Print reports on the analysis of different sections of the
              engine and exit. See the engine-analysis section of the
              configuration file for the reports that can be printed.

       --unix-socket=<file>
              Use file as the Suricata unix control socket. Overrides the
              filename provided in the unix-command section of the
              configuration file.

       --pcap-buffer-size=<size>
              Set the size of the PCAP buffer (0 - 2147483647).

       --netmap[=<device>]
              Enable packet capture using NETMAP on FreeBSD or Linux. If no
              device is supplied, the list of devices from the netmap
              section in the yaml is used.

       --pfring[=<device>]
              Enable PF_RING packet capture. If no device is provided, the
              devices in the Suricata configuration are used.

       --pfring-cluster-id <id>
              Set the PF_RING cluster ID.

       --pfring-cluster-type <type>
              Set the PF_RING cluster type (cluster_round_robin,
              cluster_flow).

       -d <divert-port>
              Run inline using IPFW divert mode.

       --dag <device>
              Enable packet capture off a DAG card. To capture off a
              specific stream, select it with a device name like "dag0:4".
              This option may be provided multiple times to read off
              multiple devices and/or streams.

       --napatech
              Enable packet capture using the Napatech Streams API.

       --erf-in=<file>
              Run in offline mode reading the specified ERF file (Endace
              extensible record format).

       --simulate-ips
              Simulate IPS mode when running in a non-IPS mode.


OPTIONS FOR DEVELOPERS

       -u     Run the unit tests and exit. Requires that Suricata be compiled
              with --enable-unittests.

       -U, --unittest-filter=REGEX
              With the -U option you can select which of the unit tests you
              want to run. This option uses REGEX. Example of use: suricata -u
              -U http

       --list-unittests
              List all unit tests.

       --fatal-unittests
              Enables fatal failure on a unit test error. Suricata will exit
              instead of continuing more tests.

       --unittests-coverage
              Display unit test coverage report.


SIGNALS

       Suricata will respond to the following signals:

       SIGUSR2
              Causes Suricata to perform a live rule reload.

       SIGHUP Causes Suricata to close and re-open all log files. This can be
              used to re-open log files after they have been moved away by
              log rotation utilities.
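       The following is an added example, not part of this man page or of
       the Suricata project, covering the two signals above together with
       the -T and --init-errors-fatal options: a rule reload that is only
       sent once the configuration the engine will reload has passed the
       test, and a log rotation that renames the live file aside and then
       asks Suricata to reopen it. The function names (suricata_pid,
       safe_reload, rotate_log), the SURICATA, CFG and PIDFILE variables
       and the /var/run/suricata.pid location (assumed to have been set
       with --pidfile) are this example's own; the configuration path is
       the default from FILES AND DIRECTORIES.

```sh
#!/bin/sh
# Added example (not Suricata project code): operator helpers around the two
# signals Suricata handles. SIGUSR2 = live rule reload, SIGHUP = reopen logs.

SURICATA="${SURICATA:-suricata}"                      # assumption: on PATH
CFG="${CFG:-/usr/local/etc/suricata/suricata.yaml}"   # default from FILES
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"           # assumption: --pidfile

# suricata_pid: print the PID recorded in the pidfile; fail if the file is
# missing or the process is gone, so a stale pidfile never signals a random PID.
suricata_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# safe_reload: after installing new rule files where the yaml expects them,
# test the configuration the running engine will reload (-T), with
# --init-errors-fatal so a broken signature fails the test instead of being
# skipped, and only then send SIGUSR2.
safe_reload() {
    if ! "$SURICATA" -T -c "$CFG" --init-errors-fatal >/dev/null 2>&1; then
        echo "configuration/rule test failed; not reloading" >&2
        return 1
    fi
    pid=$(suricata_pid) || { echo "suricata is not running" >&2; return 1; }
    kill -USR2 "$pid"
}

# rotate_log LOGFILE: rename the live log aside, then SIGHUP Suricata so it
# reopens LOGFILE. Until the signal is handled Suricata keeps writing to the
# renamed file (same inode), so nothing is lost; afterwards the renamed file
# is closed and can be compressed or shipped. Prints the rotated file name.
rotate_log() {
    log="$1"
    rotated="$log.$(date +%Y%m%d%H%M%S)"
    mv "$log" "$rotated" || return 1
    pid=$(suricata_pid) || return 1
    kill -HUP "$pid" || return 1
    printf '%s\n' "$rotated"
}
```

       rotate_log is the postrotate step a log rotation utility would run;
       safe_reload is the step to put after a rule update so that a rule
       file that fails to parse never reaches the live engine.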


FILES AND DIRECTORIES

       /usr/local/etc/suricata/suricata.yaml
              Default location of the Suricata configuration file.

       /usr/local/var/log/suricata
              Default Suricata log directory.


BUGS

       Please visit Suricata's support page for information about submitting
       bugs or feature requests.


NOTES

       · Suricata Home Page
            https://suricata-ids.org/

       · Suricata Support Page
            https://suricata-ids.org/support/

       2016-2019, OISF




5.0.3                            Apr 28, 2020                      SURICATA(1)