1SURICATA(1)                        Suricata                        SURICATA(1)
2
3
4

NAME

6       suricata - Suricata
7

SYNOPSIS

9       suricata [OPTIONS] [BPF FILTER]
10

DESCRIPTION

12       suricata  is  a  high performance Network IDS, IPS and Network Security
13       Monitoring engine. Open Source and owned by a community run  non-profit
14       foundation, the Open Information Security Foundation (OISF).
15
16       suricata  can  be  used  to analyze live traffic and pcap files. It can
17       generate alerts based on rules. suricata will generate traffic logs.
18
19       When used with live traffic suricata can be passive or  active.  Active
20       modes are: inline in a L2 bridge setup, inline with L3 integration with
21       host filewall (NFQ, IPFW, WinDivert), or out of band using  active  re‐
22       sponses.
23

OPTIONS

25       -h     Display a brief usage overview.
26
27       -V     Displays the version of Suricata.
28
29       -c <path>
30              Path to configuration file.
31
32       -T     Test configuration.
33
34       -v     Increase  the  verbosity  of the Suricata application logging by
35              increasing the log level from the default. This  option  can  be
36              passed multiple times to further increase the verbosity.
37
38              • -v: INFO
39
40              • -vv: PERF
41
42              • -vvv: CONFIG
43
44              • -vvvv: DEBUG
45
46              This  option will not decrease the log level set in the configu‐
47              ration file if it is already more verbose  than  the  level  re‐
48              quested with this option.
49
50       -r <path>
51              Run  in  pcap offline mode (replay mode) reading files from pcap
52              file. If <path> specifies a directory, all files in that  direc‐
53              tory  will  be  processed  in order of modified time maintaining
54              flow state between files.
55
56       --pcap-file-continuous
57              Used with the -r option to indicate that the  mode  should  stay
58              alive  until interrupted. This is useful with directories to add
59              new files and not reset flow state between files.
60
61       --pcap-file-recursive
62              Used with the -r option when the path provided is  a  directory.
63              This option enables recursive traversal into subdirectories to a
64              maximum depth of 255.   This  option  cannot  be  combined  with
65              –pcap-file-continuous.  Symlinks are ignored.
66
67       --pcap-file-delete
68              Used  with the -r option to indicate that the mode should delete
69              pcap files after they have been processed. This is  useful  with
70              pcap-file-continuous  to  continuously feed files to a directory
71              and have them cleaned up when done. If this option is  not  set,
72              pcap files will not be deleted after processing.
73
74       -i <interface>
75              After  the  -i option you can enter the interface card you would
76              like to use to sniff packets from.  This option will try to  use
77              the  best capture method available. Can be used several times to
78              sniff packets from several interfaces.
79
80       --pcap[=<device>]
81              Run in PCAP mode. If no device is provided the  interfaces  pro‐
82              vided  in  the  pcap  section  of the configuration file will be
83              used.
84
85       --af-packet[=<device>]
86              Enable capture of packet using AF_PACKET on Linux. If no  device
87              is  supplied,  the list of devices from the af-packet section in
88              the yaml is used.
89
90       -q <queue id>
91              Run inline of the NFQUEUE queue ID  provided.  May  be  provided
92              multiple times.
93
94       -s <filename.rules>
95              With  the  -s  option  you can set a file with signatures, which
96              will be loaded together with the rules set in the yaml.
97
98       -S <filename.rules>
99              With the -S option you can set a  file  with  signatures,  which
100              will  be  loaded exclusively, regardless of the rules set in the
101              yaml.
102
103       -l <directory>
104              With the -l option you can set the default log directory. If you
105              already  have  the  default-log-dir  set in yaml, it will not be
106              used by Suricata if you use the -l option. It will use  the  log
107              dir  that  is set with the -l option. If you do not set a direc‐
108              tory with the -l option, Suricata will use the directory that is
109              set in yaml.
110
111       -D     Normally if you run Suricata on your console, it keeps your con‐
112              sole occupied. You can not use it for other purposes,  and  when
113              you  close the window, Suricata stops running.  If you run Suri‐
114              cata as daemon (using the -D option), it runs at the  background
115              and  you will be able to use the console for other tasks without
116              disturbing the engine running.
117
118       --runmode <runmode>
119              With the –runmode option you can set the runmode that you  would
120              like to use. This command line option can override the yaml run‐
121              mode option.
122
123              Runmodes are: workers, autofp and single.
124
125              For more information about runmodes see  Runmodes  in  the  user
126              guide.
127
128       -F <bpf filter file>
129              Use BPF filter from file.
130
131       -k [all|none]
132              Force  (all)  the  checksum check or disable (none) all checksum
133              checks.
134
135       --user=<user>
136              Set the process user after initialization.  Overrides  the  user
137              provided in the run-as section of the configuration file.
138
139       --group=<group>
140              Set  the  process group to group after initialization. Overrides
141              the group provided in the run-as section  of  the  configuration
142              file.
143
144       --pidfile <file>
145              Write  the  process ID to file. Overrides the pid-file option in
146              the configuration file and forces the file to  be  written  when
147              not running as a daemon.
148
149       --init-errors-fatal
150              Exit  with  a failure when errors are encountered loading signa‐
151              tures.
152
153       --strict-rule-keywords[=all|<keyword>|<keywords(csv)]
154              Applies to: classtype, reference and app-layer-event.
155
156              By default missing reference or classtype  values  are  warnings
157              and  not  errors. Additionally, loading outdated app-layer-event
158              events are also not treated as errors, but as warnings instead.
159
160              If this option is enabled these warnings are considered errors.
161
162              If no value, or the value ‘all’, is specified,  the  option  ap‐
163              plies to all of the keywords above. Alternatively, a comma sepa‐
164              rated list can be supplied with the keyword names it should  ap‐
165              ply to.
166
167       --disable-detection
168              Disable the detection engine.
169
170       --dump-config
171              Dump the configuration loaded from the configuration file to the
172              terminal and exit.
173
174       --dump-features
175              Dump the features provided by Suricata modules  and  exit.  Fea‐
176              tures  list  (a  subset of) the configuration values and are in‐
177              tended to assist with comparing provided features with those re‐
178              quired by one or more rules.
179
180       --build-info
181              Display the build information the Suricata was built with.
182
183       --list-app-layer-protos
184              List all supported application layer protocols.
185
186       --list-keywords=[all|csv|<kword>]
187              List all supported rule keywords.
188
189       --list-runmodes
190              List all supported run modes.
191
192       --set <key>=<value>
193              Set  a configuration value. Useful for overriding basic configu‐
194              ration parameters. For example, to change the default log direc‐
195              tory:
196
197                 --set default-log-dir=/var/tmp
198
199              This  option  cannot be used to add new entries to a list in the
200              configuration file, such as a new output. It can only be used to
201              modify a value in a list that already exists.
202
203              For example, to disable the eve-log in the default configuration
204              file:
205
206                 --set outputs.1.eve-log.enabled=no
207
208              Also note that the index values may change as the  suricata.yaml
209              is updated.
210
211              See  the  output of --dump-config for existing values that could
212              be modified with their index.
213
214       --engine-analysis
215              Print reports on analysis of different sections  in  the  engine
216              and exit. Please have a look at the conf parameter engine-analy‐
217              sis on what reports can be printed
218
219       --unix-socket=<file>
220              Use file as the Suricata  unix  control  socket.  Overrides  the
221              filename  provided in the unix-command section of the configura‐
222              tion file.
223
224       --reject-dev=<device>
225              Use device to send out RST / ICMP error packets with the  reject
226              keyword.
227
228       --pcap-buffer-size=<size>
229              Set the size of the PCAP buffer (0 - 2147483647).
230
231       --netmap[=<device>]
232              Enable capture of packet using NETMAP on FreeBSD or Linux. If no
233              device is supplied, the list of devices from the netmap  section
234              in the yaml is used.
235
236       --pfring[=<device>]
237              Enable  PF_RING  packet  capture. If no device provided, the de‐
238              vices in the Suricata configuration will be used.
239
240       --pfring-cluster-id <id>
241              Set the PF_RING cluster ID.
242
243       --pfring-cluster-type <type>
244              Set  the  PF_RING  cluster  type   (cluster_round_robin,   clus‐
245              ter_flow).
246
247       -d <divert-port>
248              Run inline using IPFW divert mode.
249
250       --dag <device>
251              Enable  packet  capture  off a DAG card. If capturing off a spe‐
252              cific stream the stream can be select using a device  name  like
253              “dag0:4”.  This  option  may be provided multiple times read off
254              multiple devices and/or streams.
255
256       --napatech
257              Enable packet capture using the Napatech Streams API.
258
259       --erf-in=<file>
260              Run in offline mode reading the specific ERF file (Endace exten‐
261              sible record format).
262
263       --simulate-ips
264              Simulate IPS mode when running in a non-IPS mode.
265

OPTIONS FOR DEVELOPERS

267       -u     Run  the  unit tests and exit. Requires that Suricata be config‐
268              ured with –enable-unittests.
269
270       -U, --unittest-filter=REGEX
271              With the -U option you can select which of the  unit  tests  you
272              want to run. This option uses REGEX. Example of use: suricata -u
273              -U http
274
275       --list-unittests
276              Lists available unit tests.
277
278       --fatal-unittests
279              Enables fatal failure on a unit test error. Suricata  will  exit
280              instead of continuing more tests.
281
282       --unittests-coverage
283              Display unit test coverage report.
284

SIGNALS

286       Suricata will respond to the following signals:
287
288       SIGUSR2
289          Causes Suricata to perform a live rule reload.
290
291       SIGHUP
292          Causes Suricata to close and re-open all log files. This can be used
293          to re-open log files after they may have been moved away by log  ro‐
294          tation utilities.
295

FILES AND DIRECTORIES

297       /usr/local/etc/suricata/suricata.yaml
298              Default location of the Suricata configuration file.
299
300       /usr/local/var/log/suricata
301              Default Suricata log directory.
302

EXAMPLES

304       To capture live traffic from interface eno1:
305
306          suricata -i eno1
307
308       To analyze a pcap file and output logs to the CWD:
309
310          suricata -r /path/to/capture.pcap
311
312       To  capture  using  AF_PACKET and override the flow memcap setting from
313       the suricata.yaml:
314
315          suricata --af-packet --set flow.memcap=1gb
316
317       To analyze a pcap file with a custom rule file:
318
319          suricata -r /pcap/to/capture.pcap -S /path/to/custom.rules
320

BUGS

322       Please visit Suricata’s support page for information  about  submitting
323       bugs or feature requests.
324

NOTES

326       • Suricata Home Page
327            https://suricata.io/
328
329       • Suricata Support Page
330            https://suricata.io/community/
331
333       2016-2022, OISF
334
335
336
337
3386.0.9                            Nov 28, 2022                      SURICATA(1)
Impressum