SURICATA(1)                         Suricata                        SURICATA(1)

NAME
       suricata - Suricata

SYNOPSIS
       suricata [OPTIONS] [BPF FILTER]

DESCRIPTION
       Suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. Open Source and owned by a community run non-profit
       foundation, the Open Information Security Foundation (OISF).

OPTIONS
       -h     Display a brief usage overview.

       -V     Displays the version of Suricata.

       -c <path>
              Path to configuration file.

       -T     Test configuration.

       -v     The -v option enables more verbosity of Suricata's output.
              Supply multiple times for more verbosity.

       -r <path>
              Run in pcap offline mode (replay mode) reading packets from a
              pcap file. If <path> specifies a directory, all files in that
              directory will be processed in order of modified time,
              maintaining flow state between files.

       --pcap-file-continuous
              Used with the -r option to indicate that the mode should stay
              alive until interrupted. This is useful with directories: new
              files can be added and flow state is not reset between files.

       --pcap-file-delete
              Used with the -r option to indicate that the mode should delete
              pcap files after they have been processed. This is useful with
              --pcap-file-continuous to continuously feed files to a directory
              and have them cleaned up when done. If this option is not set,
              pcap files will not be deleted after processing.

       -i <interface>
              After the -i option you can enter the interface card you would
              like to use to sniff packets from. This option will try to use
              the best capture method available.

       --pcap[=<device>]
              Run in PCAP mode. If no device is provided, the interfaces
              listed in the pcap section of the configuration file will be
              used.

       --af-packet[=<device>]
              Enable packet capture using AF_PACKET on Linux. If no device is
              supplied, the list of devices from the af-packet section in the
              yaml is used.

       -q <queue id>
              Run inline on the NFQUEUE queue ID provided. May be provided
              multiple times.

       -s <filename.rules>
              With the -s option you can set a file with signatures, which
              will be loaded together with the rules set in the yaml.

       -S <filename.rules>
              With the -S option you can set a file with signatures, which
              will be loaded exclusively, regardless of the rules set in the
              yaml.

       -l <directory>
              With the -l option you can set the default log directory. If
              you already have default-log-dir set in the yaml, Suricata will
              not use it when the -l option is given; it will use the log
              directory set with -l instead. If you do not set a directory
              with the -l option, Suricata will use the directory that is set
              in the yaml.

       -D     Normally if you run Suricata on your console, it keeps your
              console occupied. You cannot use it for other purposes, and
              when you close the window, Suricata stops running. If you run
              Suricata as a daemon (using the -D option), it runs in the
              background and you will be able to use the console for other
              tasks without disturbing the running engine.

       --runmode <runmode>
              With the --runmode option you can set the runmode that you
              would like to use. This command line option can override the
              yaml runmode option.

              Runmodes are: workers, autofp and single.

              For more information about runmodes see Runmodes in the user
              guide.

       -F <bpf filter file>
              Use BPF filter from file.

       -k [all|none]
              Force (all) the checksum check or disable (none) all checksum
              checks.

       --user=<user>
              Set the process user after initialization. Overrides the user
              provided in the run-as section of the configuration file.

       --group=<group>
              Set the process group to group after initialization. Overrides
              the group provided in the run-as section of the configuration
              file.

       --pidfile <file>
              Write the process ID to file. Overrides the pid-file option in
              the configuration file and forces the file to be written when
              not running as a daemon.

       --init-errors-fatal
              Exit with a failure when errors are encountered loading
              signatures.

       --disable-detection
              Disable the detection engine.

       --dump-config
              Dump the configuration loaded from the configuration file to
              the terminal and exit.

       --build-info
              Display the build information Suricata was built with.

       --list-app-layer-protos
              List all supported application layer protocols.

       --list-keywords=[all|csv|<kword>]
              List all supported rule keywords.

       --list-runmodes
              List all supported run modes.

       --set <key>=<value>
              Set a configuration value. Useful for overriding basic
              configuration parameters in the configuration. For example, to
              change the default log directory:

                     --set default-log-dir=/var/tmp

       --engine-analysis
              Print reports on analysis of different sections in the engine
              and exit. See the engine-analysis parameter in the
              configuration file for the reports that can be printed.

       --unix-socket=<file>
              Use file as the Suricata unix control socket. Overrides the
              filename provided in the unix-command section of the
              configuration file.

       --pcap-buffer-size=<size>
              Set the size of the PCAP buffer (0 - 2147483647).

       --netmap[=<device>]
              Enable packet capture using NETMAP on FreeBSD or Linux. If no
              device is supplied, the list of devices from the netmap section
              in the yaml is used.

       --pfring[=<device>]
              Enable PF_RING packet capture. If no device is provided, the
              devices in the Suricata configuration will be used.

       --pfring-cluster-id <id>
              Set the PF_RING cluster ID.

       --pfring-cluster-type <type>
              Set the PF_RING cluster type (cluster_round_robin,
              cluster_flow).

       -d <divert-port>
              Run inline using IPFW divert mode.

       --dag <device>
              Enable packet capture off a DAG card. If capturing off a
              specific stream, the stream can be selected using a device name
              like "dag0:4". This option may be provided multiple times to
              read off multiple devices and/or streams.

       --napatech
              Enable packet capture using the Napatech Streams API.

       --mpipe
              Enable packet capture using the TileGX mpipe interface.

       --erf-in=<file>
              Run in offline mode reading the specified ERF file (Endace
              extensible record format).

       --simulate-ips
              Simulate IPS mode when running in a non-IPS mode.

UNIT TESTS
       -u     Run the unit tests and exit. Requires that Suricata be compiled
              with --enable-unittests.

       -U, --unittest-filter=REGEX
              With the -U option you can select which of the unit tests you
              want to run. This option uses REGEX. Example of use: suricata
              -u -U http

       --list-unittests
              List all unit tests.

       --fatal-unittests
              Enables fatal failure on a unit test error. Suricata will exit
              instead of continuing more tests.

       --unittests-coverage
              Display unit test coverage report.

SIGNALS
       Suricata will respond to the following signals:

       SIGUSR2
              Causes Suricata to perform a live rule reload.

       SIGHUP Causes Suricata to close and re-open all log files. This can be
              used to re-open log files after they may have been moved away
              by log rotation utilities.

FILES AND DIRECTORIES
       /usr/local/etc/suricata/suricata.yaml
              Default location of the Suricata configuration file.

       /usr/local/var/log/suricata
              Default Suricata log directory.

BUGS
       Please visit Suricata's support page for information about submitting
       bugs or feature requests.

NOTES
       · Suricata Home Page
         https://suricata-ids.org/

       · Suricata Support Page
         https://suricata-ids.org/support/

COPYRIGHT
       2016, OISF


4.1.6                             Dec 13, 2019                       SURICATA(1)