SURICATA(1)                        Suricata                        SURICATA(1)

NAME
       suricata - Suricata

SYNOPSIS
       suricata [OPTIONS] [BPF FILTER]

DESCRIPTION
       Suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. Open Source and owned by a community-run non-profit
       foundation, the Open Information Security Foundation (OISF).

OPTIONS
       -h     Display a brief usage overview.

       -V     Display the version of Suricata.

       -c <path>
              Path to the configuration file.

       -T     Test the configuration.

       -v     Increase the verbosity of the Suricata application logging by
              raising the log level above the default. This option can be
              passed multiple times to further increase the verbosity.

              · -v: INFO

              · -vv: PERF

              · -vvv: CONFIG

              · -vvvv: DEBUG

              This option will not decrease the log level set in the
              configuration file if it is already more verbose than the
              level requested with this option.

       -r <path>
              Run in pcap offline mode (replay mode), reading packets from a
              pcap file. If <path> specifies a directory, all files in that
              directory will be processed in order of modification time,
              maintaining flow state between files.

       --pcap-file-continuous
              Used with the -r option to indicate that the mode should stay
              alive until interrupted. This is useful with directories: new
              files can be added while running and flow state is not reset
              between files.

       --pcap-file-delete
              Used with the -r option to indicate that pcap files should be
              deleted after they have been processed. This is useful with
              --pcap-file-continuous to continuously feed files into a
              directory and have them cleaned up when done. If this option
              is not set, pcap files are not deleted after processing.

       -i <interface>
              After the -i option you can enter the interface card you would
              like to use to sniff packets from. This option will try to use
              the best capture method available. Can be used several times
              to sniff packets from several interfaces.

       --pcap[=<device>]
              Run in PCAP mode. If no device is provided, the interfaces
              listed in the pcap section of the configuration file are used.

       --af-packet[=<device>]
              Enable packet capture using AF_PACKET on Linux. If no device
              is supplied, the list of devices from the af-packet section of
              the yaml is used.

       -q <queue id>
              Run inline on the NFQUEUE queue ID provided. May be provided
              multiple times.

       -s <filename.rules>
              With the -s option you can set a file with signatures, which
              will be loaded together with the rules set in the yaml.

       -S <filename.rules>
              With the -S option you can set a file with signatures, which
              will be loaded exclusively, regardless of the rules set in the
              yaml.

       -l <directory>
              With the -l option you can set the default log directory. If
              default-log-dir is also set in the yaml, Suricata ignores it
              when -l is given and uses the directory set with -l instead.
              If you do not set a directory with the -l option, Suricata
              uses the directory set in the yaml.

       -D     Normally, if you run Suricata on your console, it keeps the
              console occupied: you cannot use it for other purposes, and
              when you close the window, Suricata stops running. If you run
              Suricata as a daemon (using the -D option), it runs in the
              background and you can use the console for other tasks
              without disturbing the running engine.

       --runmode <runmode>
              With the --runmode option you can set the runmode that you
              would like to use. This command line option can override the
              yaml runmode option.

              Runmodes are: workers, autofp and single.

              For more information about runmodes see Runmodes in the user
              guide.
113
114 -F <bpf filter file>
115 Use BPF filter from file.
116
117 -k [all|none]
118 Force (all) the checksum check or disable (none) all checksum
119 checks.
120
121 --user=<user>
122 Set the process user after initialization. Overrides the user
123 provided in the run-as section of the configuration file.
124
125 --group=<group>
126 Set the process group to group after initialization. Overrides
127 the group provided in the run-as section of the configuration
128 file.
129
130 --pidfile <file>
131 Write the process ID to file. Overrides the pid-file option in
132 the configuration file and forces the file to be written when
133 not running as a daemon.
134
135 --init-errors-fatal
136 Exit with a failure when errors are encountered loading signa‐
137 tures.
138
139 --disable-detection
140 Disable the detection engine.
141
142 --dump-config
143 Dump the configuration loaded from the configuration file to the
144 terminal and exit.
145
146 --build-info
147 Display the build information the Suricata was built with.
148
149 --list-app-layer-protos
150 List all supported application layer protocols.
151
152 --list-keywords=[all|csv|<kword>]
153 List all supported rule keywords.
154
155 --list-runmodes
156 List all supported run modes.
157
158 --set <key>=<value>
159 Set a configuration value. Useful for overriding basic configu‐
160 ration parameters in the configuration. For example, to change
161 the default log directory:
162
163 --set default-log-dir=/var/tmp
164
165 --engine-analysis
166 Print reports on analysis of different sections in the engine
167 and exit. Please have a look at the conf parameter engine-analy‐
168 sis on what reports can be printed
169
170 --unix-socket=<file>
171 Use file as the Suricata unix control socket. Overrides the
172 filename provided in the unix-command section of the configura‐
173 tion file.
174
175 --pcap-buffer-size=<size>
176 Set the size of the PCAP buffer (0 - 2147483647).
177
178 --netmap[=<device>]
179 Enable capture of packet using NETMAP on FreeBSD or Linux. If no
180 device is supplied, the list of devices from the netmap section
181 in the yaml is used.
182
183 --pfring[=<device>]
184 Enable PF_RING packet capture. If no device provided, the
185 devices in the Suricata configuration will be used.
186
187 --pfring-cluster-id <id>
188 Set the PF_RING cluster ID.
189
190 --pfring-cluster-type <type>
191 Set the PF_RING cluster type (cluster_round_robin, clus‐
192 ter_flow).
193
194 -d <divert-port>
195 Run inline using IPFW divert mode.
196
197 --dag <device>
198 Enable packet capture off a DAG card. If capturing off a spe‐
199 cific stream the stream can be select using a device name like
200 "dag0:4". This option may be provided multiple times read off
201 multiple devices and/or streams.
202
203 --napatech
204 Enable packet capture using the Napatech Streams API.
205
206 --erf-in=<file>
207 Run in offline mode reading the specific ERF file (Endace exten‐
208 sible record format).
209
210 --simulate-ips
211 Simulate IPS mode when running in a non-IPS mode.
212
   Unit Tests
       -u     Run the unit tests and exit. Requires that Suricata be
              compiled with --enable-unittests.

       -U, --unittest-filter=REGEX
              With the -U option you can select which of the unit tests you
              want to run. This option takes a REGEX. Example of use:
              suricata -u -U http

       --list-unittests
              List all unit tests.

       --fatal-unittests
              Enable fatal failure on a unit test error. Suricata will exit
              instead of continuing with more tests.

       --unittests-coverage
              Display the unit test coverage report.

SIGNALS
       Suricata will respond to the following signals:

       SIGUSR2
              Causes Suricata to perform a live rule reload.

       SIGHUP Causes Suricata to close and re-open all log files. This can
              be used to re-open log files after they have been moved away
              by log rotation utilities.
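
       The log-rotation and rule-reload procedure these two signals support,
       as an added example that is not part of Suricata or this manual: a
       small POSIX sh helper that reads the PID from the file written with
       --pidfile and sends only SIGHUP or SIGUSR2. The pidfile path, the
       SURICATA_PIDFILE variable and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not Suricata's own code): signal a running Suricata using the
# PID recorded by --pidfile. Assumed default pidfile: /var/run/suricata.pid,
# overridable through the (assumed) SURICATA_PIDFILE environment variable.

# suricata_signal SIGNAL [PIDFILE]
#   SIGNAL is HUP (close and re-open log files) or USR2 (live rule reload).
#   Anything else is refused, so a typo cannot turn into a TERM or KILL.
suricata_signal() {
    sig="$1"
    pidfile="${2:-${SURICATA_PIDFILE:-/var/run/suricata.pid}}"

    case "$sig" in
        HUP|USR2) ;;
        *) echo "suricata_signal: unsupported signal '$sig' (use HUP or USR2)" >&2
           return 2 ;;
    esac

    [ -r "$pidfile" ] || {
        echo "suricata_signal: cannot read pidfile $pidfile" >&2; return 1; }

    # The pidfile must hold exactly one positive integer. An empty, negative or
    # garbage value is rejected instead of being handed to kill, where "" or a
    # negative number would address a whole process group rather than one PID.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|0|*[!0-9]*)
            echo "suricata_signal: pidfile $pidfile does not contain a PID" >&2
            return 1 ;;
    esac

    # kill -0 sends nothing; it only checks that the PID exists and is ours to signal.
    kill -0 "$pid" 2>/dev/null || {
        echo "suricata_signal: no signalable process with PID $pid" >&2; return 1; }

    kill -s "$sig" "$pid"
}

# Typical calls, after starting Suricata with --pidfile /var/run/suricata.pid:
#   in a logrotate postrotate script:   suricata_signal HUP
#   after updating the rule files:      suricata_signal USR2
```

       The stale-pidfile case matters in practice: after a crash the file may
       name a PID that has since been reused by an unrelated process, which
       is why the helper only ever sends the two signals Suricata documents.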

FILES AND DIRECTORIES
       /usr/local/etc/suricata/suricata.yaml
              Default location of the Suricata configuration file.

       /usr/local/var/log/suricata
              Default Suricata log directory.

BUGS
       Please visit Suricata's support page for information about submitting
       bugs or feature requests.

NOTES
       · Suricata Home Page
         https://suricata-ids.org/

       · Suricata Support Page
         https://suricata-ids.org/support/

COPYRIGHT
       2016-2019, OISF

5.0.6                           March 01, 2021                     SURICATA(1)