
FreeBSD Manual Pages


SURICATA(1)			   Suricata			   SURICATA(1)

       suricata	- Suricata

       suricata	[OPTIONS] [BPF FILTER]

       Suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. Open Source and owned by a community run non-profit
       foundation, the Open Information Security Foundation (OISF).

       -h     Display a	brief usage overview.

       -V     Displays the version of Suricata.

       -c <path>
	      Path to configuration file.

       -T     Test configuration.

       -v     Increase the verbosity of the Suricata application logging by
	      increasing the log level from the default. This option can be
	      passed multiple times to further increase the verbosity.

	      o	-v: INFO

	      o	-vv: PERF

	      o	-vvv: CONFIG

	      o	-vvvv: DEBUG

	      This option will not decrease the log level set in the
	      configuration file if it is already more verbose than the level
	      requested with this option.

       -r <path>
	      Run in pcap offline mode (replay mode), reading packets from a
	      pcap file. If <path> specifies a directory, all files in that
	      directory will be processed in order of modified time,
	      maintaining flow state between files.

	      Used with the -r option to indicate that the mode should stay
	      alive until interrupted. This is useful with directories: new
	      files can be added and flow state is not reset between files.

	      Used with the -r option to indicate that the mode should delete
	      pcap files after they have been processed. This is useful with
	      pcap-file-continuous to continuously feed files to a directory
	      and have them cleaned up when done. If this option is not set,
	      pcap files will not be deleted after processing.
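       An added example, not part of the manual page or the Suricata project: a
       Python helper that lists a directory in the modified-time order Suricata
       uses for -r <dir> and screens out files that are not pcap or pcapng
       before they reach the engine. The sample directory, its file names and
       their mtimes are constructed.

```python
"""Added example (not Suricata's own code): preview what `suricata -r <dir>`
will do with a directory. The page states files are processed in modified-
time order with flow state kept across files, so ordering matters; this also
screens out files that are not pcap/pcapng before they reach the engine."""
import os
import struct
import tempfile
from pathlib import Path
from typing import List, Tuple

# Magic numbers a capture file may start with: classic pcap in both byte
# orders (microsecond and nanosecond variants) and a pcapng section header.
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # pcap, us timestamps
    b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",   # pcap, ns timestamps
    b"\x0a\x0d\x0d\x0a",                        # pcapng
}

def is_capture_file(path: Path) -> bool:
    """True when the first four bytes are a known pcap/pcapng magic."""
    with path.open("rb") as fh:
        return fh.read(4) in CAPTURE_MAGICS

def replay_order(directory: str) -> List[Path]:
    """Regular files in `directory` sorted by mtime: the -r <dir> order."""
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    return sorted(files, key=lambda p: p.stat().st_mtime)

def plan_replay(directory: str) -> Tuple[List[str], List[str]]:
    """Return (names in replay order, names that are not capture files)."""
    ordered, rejected = [], []
    for p in replay_order(directory):
        (ordered if is_capture_file(p) else rejected).append(p.name)
    return ordered, rejected

def make_demo_dir() -> str:
    """Constructed sample input: two tiny pcaps and a stray text file, with
    mtimes chosen so alphabetical order differs from modified-time order."""
    d = tempfile.mkdtemp()
    # 24-byte pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for name, body, mtime in (("b.pcap", hdr, 200), ("a.pcap", hdr, 100),
                              ("notes.txt", b"not a capture", 150)):
        p = Path(d, name)
        p.write_bytes(body)
        os.utime(p, (mtime, mtime))
    return d
```

       Run plan_replay() on the directory you intend to pass to -r; the first
       list is the order the engine will see, the second is what to remove.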

       -i <interface>
	      After the -i option, enter the name of the interface you want
	      to sniff packets from. This option will try to use the best
	      capture method available. Can be used several times to sniff
	      packets from several interfaces.

	      Run in PCAP mode. If no device is provided, the interfaces
	      provided in the pcap section of the configuration file will be

	      Enable capture of packets using AF_PACKET on Linux. If no device
	      is supplied, the list of devices from the af-packet section in
	      the yaml is used.

       -q <queue id>
	      Run inline on the NFQUEUE queue ID provided. May be provided
	      multiple times.

       -s <filename.rules>
	      With the -s option you can set a file with signatures, which
	      will be loaded together with the rules set in the yaml.

       -S <filename.rules>
	      With the -S option you can set a file with signatures, which
	      will be loaded exclusively, regardless of the rules set in the

       -l <directory>
	      With the -l option you can set the default log directory. If
	      default-log-dir is also set in the yaml, Suricata ignores that
	      value and uses the directory given with -l. If you do not set a
	      directory with the -l option, Suricata uses the directory that
	      is set in the yaml.

       -D     Normally, if you run Suricata on your console, it keeps the
	      console occupied: you cannot use it for other purposes, and when
	      you close the window, Suricata stops running. If you run Suricata
	      as a daemon (using the -D option), it runs in the background and
	      you can use the console for other tasks without disturbing the
	      running engine.

       --runmode <runmode>
	      With the --runmode option you can set the runmode that you would
	      like to use. This command line option can override the yaml
	      runmode option.

	      Runmodes are: workers, autofp and single.

	      For more information about runmodes see Runmodes in the user

       -F <bpf filter file>
	      Use BPF filter from file.

       -k [all|none]
	      Force (all) the checksum check or disable (none) all checksum

	      Set the process user after initialization. Overrides the user
	      provided in the run-as section of the configuration file.

	      Set the process group to group after initialization. Overrides
	      the group provided in the run-as section of the configuration

       --pidfile <file>
	      Write the process ID to file. Overrides the pid-file option in
	      the configuration file and forces the file to be written when
	      not running as a daemon.

	      Exit with	a failure when errors are encountered  loading	signa-

	      Disable the detection engine.

	      Dump the configuration loaded from the configuration file	to the
	      terminal and exit.

	      Display the build information that Suricata was built with.

	      List all supported application layer protocols.

	      List all supported rule keywords.

	      List all supported run modes.

       --set <key>=<value>
	      Set a configuration value. Useful for overriding basic
	      configuration parameters in the configuration. For example, to
	      change the default log directory:

		 --set default-log-dir=/var/tmp

	      Print reports on analysis of different sections in the engine
	      and exit. Please have a look at the conf parameter
	      engine-analysis for the reports that can be printed.

	      Use file as the Suricata unix control socket. Overrides the
	      filename provided in the unix-command section of the
	      configuration file.

	      Set the size of the PCAP buffer (0 - 2147483647).

	      Enable capture of packets using NETMAP on FreeBSD or Linux. If
	      no device is supplied, the list of devices from the netmap
	      section in the yaml is used.

	      Enable PF_RING packet capture. If no device is provided, the
	      devices in the Suricata configuration will be used.

       --pfring-cluster-id <id>
	      Set the PF_RING cluster ID.

       --pfring-cluster-type <type>
	      Set the PF_RING cluster type (cluster_round_robin, clus-

       -d <divert-port>
	      Run inline using IPFW divert mode.

       --dag <device>
	      Enable packet capture off a DAG card. If capturing off a
	      specific stream, the stream can be selected using a device name
	      like "dag0:4". This option may be provided multiple times to
	      read off multiple devices and/or streams.

	      Enable packet capture using the Napatech Streams API.

	      Run in offline mode reading the specified ERF file (Endace
	      extensible record format).

	      Simulate IPS mode	when running in	a non-IPS mode.

       -u     Run the unit tests and exit. Requires that Suricata be compiled
	      with --enable-unittests.

       -U, --unittest-filter=REGEX
	      With the -U option you can select which of the unit tests you
	      want to run. This option uses REGEX. Example of use: suricata -u
	      -U http

	      List all unit tests.

	      Enables fatal failure on a unit test error. Suricata will exit
	      instead of continuing with more tests.

	      Display unit test	coverage report.

       Suricata	will respond to	the following signals:

	      Causes Suricata to perform a live	rule reload.

       SIGHUP Causes Suricata to close and re-open all log files. This can be
	      used to re-open log files after they have been moved away by
	      log rotation utilities.
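       An added example of the rotation flow this signal enables (Python, not
       the project's own code): it reads the PID written by --pidfile, moves
       the log files aside and then sends SIGHUP so Suricata re-opens them.
       The log file names are assumptions, and the signal sender is injectable
       so the flow can be exercised without a running engine.

```python
"""Added example (not Suricata's own code): rotate Suricata's logs the way
the page describes, by moving the files aside and then sending SIGHUP to the
PID recorded with --pidfile so the engine re-opens them. File names are
assumptions; the signal sender is injectable so the flow can be tested
without a running engine."""
import os
import signal
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Tuple

# Assumed log names; match them to the outputs enabled in suricata.yaml.
LOG_NAMES = ("eve.json", "fast.log", "stats.log", "suricata.log")

def read_pid(pidfile: str) -> int:
    """Parse the PID written by --pidfile, refusing anything that is not a
    positive integer so a corrupt file can never become kill(0)/kill(-1)."""
    text = Path(pidfile).read_text().strip()
    if not text.isdigit() or int(text) <= 0:
        raise ValueError(f"invalid pid in {pidfile}: {text!r}")
    return int(text)

def rotate_logs(log_dir: str, pidfile: str, suffix: str = "",
                send: Callable[[int, int], None] = os.kill) -> List[str]:
    """Rename every present log to <name>.<suffix>, then SIGHUP Suricata.
    Rename first, signal second: the engine keeps writing to the renamed
    inode until it re-opens, so nothing is lost in between."""
    pid = read_pid(pidfile)                    # fail before touching files
    suffix = suffix or time.strftime("%Y%m%d%H%M%S")
    rotated = []
    for name in LOG_NAMES:
        src = Path(log_dir, name)
        if src.is_file():
            dst = src.with_name(f"{name}.{suffix}")
            os.replace(src, dst)               # atomic on one filesystem
            rotated.append(dst.name)
    send(pid, signal.SIGHUP)                   # close and re-open all logs
    return rotated

def make_demo_logs(pid_text: str = "4242") -> Tuple[str, str]:
    """Constructed sample input: a log dir with two logs and a pidfile."""
    d = tempfile.mkdtemp()
    Path(d, "eve.json").write_text('{"event_type":"alert"}\n')
    Path(d, "fast.log").write_text("01/01/2020-00:00:00.000000  [**] demo\n")
    pidfile = Path(d, "suricata.pid")
    pidfile.write_text(pid_text + "\n")
    return d, str(pidfile)
```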

	      Default location of the Suricata configuration file.

	      Default Suricata log directory.

       Please visit Suricata's support page for information about submitting
       bugs or feature requests.

       o Suricata Home Page

       o Suricata Support Page

       2016-2019, OISF

5.0.2				 Feb 13, 2020			   SURICATA(1)

