1SURICATA(1) Suricata SURICATA(1)
2
3
4
6 suricata - Suricata
7
9 suricata [OPTIONS] [BPF FILTER]
10
12 suricata is a high performance Network IDS, IPS and Network Security
13 Monitoring engine. Open Source and owned by a community run non-profit
14 foundation, the Open Information Security Foundation (OISF).
15
16 suricata can be used to analyze live traffic and pcap files. It can
17 generate alerts based on rules. suricata will generate traffic logs.
18
19 When used with live traffic suricata can be passive or active. Active
20 modes are: inline in a L2 bridge setup, inline with L3 integration with
21 host filewall (NFQ, IPFW, WinDivert), or out of band using active re‐
22 sponses.
23
25 -h Display a brief usage overview.
26
27 -V Displays the version of Suricata.
28
29 -c <path>
30 Path to configuration file.
31
32 -T Test configuration.
33
34 -v Increase the verbosity of the Suricata application logging by
35 increasing the log level from the default. This option can be
36 passed multiple times to further increase the verbosity.
37
38 • -v: INFO
39
40 • -vv: PERF
41
42 • -vvv: CONFIG
43
44 • -vvvv: DEBUG
45
46 This option will not decrease the log level set in the configu‐
47 ration file if it is already more verbose than the level re‐
48 quested with this option.
49
50 -r <path>
51 Run in pcap offline mode (replay mode) reading files from pcap
52 file. If <path> specifies a directory, all files in that direc‐
53 tory will be processed in order of modified time maintaining
54 flow state between files.
55
56 --pcap-file-continuous
57 Used with the -r option to indicate that the mode should stay
58 alive until interrupted. This is useful with directories to add
59 new files and not reset flow state between files.
60
61 --pcap-file-recursive
62 Used with the -r option when the path provided is a directory.
63 This option enables recursive traversal into subdirectories to a
64 maximum depth of 255. This option cannot be combined with
65 –pcap-file-continuous. Symlinks are ignored.
66
67 --pcap-file-delete
68 Used with the -r option to indicate that the mode should delete
69 pcap files after they have been processed. This is useful with
70 pcap-file-continuous to continuously feed files to a directory
71 and have them cleaned up when done. If this option is not set,
72 pcap files will not be deleted after processing.
73
74 -i <interface>
75 After the -i option you can enter the interface card you would
76 like to use to sniff packets from. This option will try to use
77 the best capture method available. Can be used several times to
78 sniff packets from several interfaces.
79
80 --pcap[=<device>]
81 Run in PCAP mode. If no device is provided the interfaces pro‐
82 vided in the pcap section of the configuration file will be
83 used.
84
85 --af-packet[=<device>]
86 Enable capture of packet using AF_PACKET on Linux. If no device
87 is supplied, the list of devices from the af-packet section in
88 the yaml is used.
89
90 -q <queue id>
91 Run inline of the NFQUEUE queue ID provided. May be provided
92 multiple times.
93
94 -s <filename.rules>
95 With the -s option you can set a file with signatures, which
96 will be loaded together with the rules set in the yaml.
97
98 -S <filename.rules>
99 With the -S option you can set a file with signatures, which
100 will be loaded exclusively, regardless of the rules set in the
101 yaml.
102
103 -l <directory>
104 With the -l option you can set the default log directory. If you
105 already have the default-log-dir set in yaml, it will not be
106 used by Suricata if you use the -l option. It will use the log
107 dir that is set with the -l option. If you do not set a direc‐
108 tory with the -l option, Suricata will use the directory that is
109 set in yaml.
110
111 -D Normally if you run Suricata on your console, it keeps your con‐
112 sole occupied. You can not use it for other purposes, and when
113 you close the window, Suricata stops running. If you run Suri‐
114 cata as daemon (using the -D option), it runs at the background
115 and you will be able to use the console for other tasks without
116 disturbing the engine running.
117
118 --runmode <runmode>
119 With the –runmode option you can set the runmode that you would
120 like to use. This command line option can override the yaml run‐
121 mode option.
122
123 Runmodes are: workers, autofp and single.
124
125 For more information about runmodes see Runmodes in the user
126 guide.
127
128 -F <bpf filter file>
129 Use BPF filter from file.
130
131 -k [all|none]
132 Force (all) the checksum check or disable (none) all checksum
133 checks.
134
135 --user=<user>
136 Set the process user after initialization. Overrides the user
137 provided in the run-as section of the configuration file.
138
139 --group=<group>
140 Set the process group to group after initialization. Overrides
141 the group provided in the run-as section of the configuration
142 file.
143
144 --pidfile <file>
145 Write the process ID to file. Overrides the pid-file option in
146 the configuration file and forces the file to be written when
147 not running as a daemon.
148
149 --init-errors-fatal
150 Exit with a failure when errors are encountered loading signa‐
151 tures.
152
153 --strict-rule-keywords[=all|<keyword>|<keywords(csv)]
154 Applies to: classtype, reference and app-layer-event.
155
156 By default missing reference or classtype values are warnings
157 and not errors. Additionally, loading outdated app-layer-event
158 events are also not treated as errors, but as warnings instead.
159
160 If this option is enabled these warnings are considered errors.
161
162 If no value, or the value ‘all’, is specified, the option ap‐
163 plies to all of the keywords above. Alternatively, a comma sepa‐
164 rated list can be supplied with the keyword names it should ap‐
165 ply to.
166
167 --disable-detection
168 Disable the detection engine.
169
170 --dump-config
171 Dump the configuration loaded from the configuration file to the
172 terminal and exit.
173
174 --dump-features
175 Dump the features provided by Suricata modules and exit. Fea‐
176 tures list (a subset of) the configuration values and are in‐
177 tended to assist with comparing provided features with those re‐
178 quired by one or more rules.
179
180 --build-info
181 Display the build information the Suricata was built with.
182
183 --list-app-layer-protos
184 List all supported application layer protocols.
185
186 --list-keywords=[all|csv|<kword>]
187 List all supported rule keywords.
188
189 --list-runmodes
190 List all supported run modes.
191
192 --set <key>=<value>
193 Set a configuration value. Useful for overriding basic configu‐
194 ration parameters. For example, to change the default log direc‐
195 tory:
196
197 --set default-log-dir=/var/tmp
198
199 This option cannot be used to add new entries to a list in the
200 configuration file, such as a new output. It can only be used to
201 modify a value in a list that already exists.
202
203 For example, to disable the eve-log in the default configuration
204 file:
205
206 --set outputs.1.eve-log.enabled=no
207
208 Also note that the index values may change as the suricata.yaml
209 is updated.
210
211 See the output of --dump-config for existing values that could
212 be modified with their index.
213
214 --engine-analysis
215 Print reports on analysis of different sections in the engine
216 and exit. Please have a look at the conf parameter engine-analy‐
217 sis on what reports can be printed
218
219 --unix-socket=<file>
220 Use file as the Suricata unix control socket. Overrides the
221 filename provided in the unix-command section of the configura‐
222 tion file.
223
224 --reject-dev=<device>
225 Use device to send out RST / ICMP error packets with the reject
226 keyword.
227
228 --pcap-buffer-size=<size>
229 Set the size of the PCAP buffer (0 - 2147483647).
230
231 --netmap[=<device>]
232 Enable capture of packet using NETMAP on FreeBSD or Linux. If no
233 device is supplied, the list of devices from the netmap section
234 in the yaml is used.
235
236 --pfring[=<device>]
237 Enable PF_RING packet capture. If no device provided, the de‐
238 vices in the Suricata configuration will be used.
239
240 --pfring-cluster-id <id>
241 Set the PF_RING cluster ID.
242
243 --pfring-cluster-type <type>
244 Set the PF_RING cluster type (cluster_round_robin, clus‐
245 ter_flow).
246
247 -d <divert-port>
248 Run inline using IPFW divert mode.
249
250 --dag <device>
251 Enable packet capture off a DAG card. If capturing off a spe‐
252 cific stream the stream can be select using a device name like
253 “dag0:4”. This option may be provided multiple times read off
254 multiple devices and/or streams.
255
256 --napatech
257 Enable packet capture using the Napatech Streams API.
258
259 --erf-in=<file>
260 Run in offline mode reading the specific ERF file (Endace exten‐
261 sible record format).
262
263 --simulate-ips
264 Simulate IPS mode when running in a non-IPS mode.
265
267 -u Run the unit tests and exit. Requires that Suricata be config‐
268 ured with –enable-unittests.
269
270 -U, --unittest-filter=REGEX
271 With the -U option you can select which of the unit tests you
272 want to run. This option uses REGEX. Example of use: suricata -u
273 -U http
274
275 --list-unittests
276 Lists available unit tests.
277
278 --fatal-unittests
279 Enables fatal failure on a unit test error. Suricata will exit
280 instead of continuing more tests.
281
282 --unittests-coverage
283 Display unit test coverage report.
284
286 Suricata will respond to the following signals:
287
288 SIGUSR2
289 Causes Suricata to perform a live rule reload.
290
291 SIGHUP
292 Causes Suricata to close and re-open all log files. This can be used
293 to re-open log files after they may have been moved away by log ro‐
294 tation utilities.
295
297 /usr/local/etc/suricata/suricata.yaml
298 Default location of the Suricata configuration file.
299
300 /usr/local/var/log/suricata
301 Default Suricata log directory.
302
304 To capture live traffic from interface eno1:
305
306 suricata -i eno1
307
308 To analyze a pcap file and output logs to the CWD:
309
310 suricata -r /path/to/capture.pcap
311
312 To capture using AF_PACKET and override the flow memcap setting from
313 the suricata.yaml:
314
315 suricata --af-packet --set flow.memcap=1gb
316
317 To analyze a pcap file with a custom rule file:
318
319 suricata -r /pcap/to/capture.pcap -S /path/to/custom.rules
320
322 Please visit Suricata’s support page for information about submitting
323 bugs or feature requests.
324
326 • Suricata Home Page
327 https://suricata.io/
328
329 • Suricata Support Page
330 https://suricata.io/community/
331
333 2016-2022, OISF
334
335
336
337
3386.0.9 Nov 28, 2022 SURICATA(1)