Provided by: suricata_3.2-2ubuntu3_amd64

NAME

       suricata - Next Generation Intrusion Detection and Prevention Tool

SYNOPSIS

       suricata [OPTIONS] [BPF FILTER]

DESCRIPTION

       suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully
       compatible with snort rules) to detect a variety of attacks / probes by  searching  packet
       content.

       This  engine  supports  Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP,
       HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and hardware acceleration on
       CUDA, OpenCL GPU cards and more.

       It  supports acquiring packets through AF_PACKET, NFQUEUE, PF_RING, PCAP (live or offline)
       and more.

OPTIONS

       -c <path>
              Load main configuration file (by default, /etc/suricata/suricata.yaml).

       -T     Test configuration file (use with -c).

       -i <dev or ip>
              Run in PCAP live mode.

       -F <bpf filter file>
              Load BPF filter file.

       -r <path>
              Run in PCAP file/offline mode.

       -q <qid>
              Run in inline NFQUEUE mode.

       -s <path>
              Load signature file in addition to the main configuration file.

       -S <path>
              Load signature file exclusively.

       -l <dir>
              Set log directory (by default /var/log/suricata).

       -D     Run as a background daemon (suricata will fork itself).

       -k [all|none]
              Force checksum checks (all) or disable them (none).

       -V     Print suricata version.

       -v[v]  Increase default verbosity.

       --list-app-layer-protos
              Print list of supported app layer protocols.

       --list-keywords[=all|csv|<kword>]
              List keywords implemented by the engine.

       --list-runmodes
              List supported runmodes.

       --runmode <runmode_id>
              Specific runmode in which the engine should run. The argument runmode_id should  be
              the id of the runmode obtained using --list-runmodes.

       --engine-analysis
              Print reports on analysis of different sections in the engine.

       --pidfile <path>
              Write PID to the file.

       --init-errors-fatal
              Enable fatal failure on signature init error.

       --disable-detection
              Disable detection engine.

       --dump-config
              Show the running configuration.

       --build-info
              Display build information.

       --pcap[=<dev>]
              Run in PCAP mode. No dev value selects interfaces from main configuration file.

       --pcap-buffer-size
              Size of PCAP buffer. Values from 0 to 2147483647.

       --af-packet[=<dev>]
              Run  in  AF_PACKET  mode.  No  dev value selects interfaces from main configuration
              file.

       --simulate-ips
              Force engine into IPS mode. Useful for QA.

       --user <user>
              Run suricata as this user after init.

       --group <group>
              Run suricata as this group after init.

       --unix-socket[=<file>]
              UNIX socket used to control suricata from suricatasc(1). The default is
              /var/run/suricata-command.socket.

       --set name=value
              Set configuration variable name to value.

EXAMPLES

       To run the engine with default configuration on interface eth0 with signature file
       "signatures.rules", run the command as:

        % suricata -c suricata.yaml -s signatures.rules -i eth0
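
       The following wrapper is an added example, not part of the original manual page or of
       the suricata project. It combines -T, --init-errors-fatal, --user, --group, --pidfile and
       -D so that a broken configuration or rule file never replaces a running sensor. The names
       SURICATA_BIN, PIDFILE and start_suricata_checked, and the default account "suricata", are
       assumptions.

```shell
#!/bin/sh
# Added example: validate first, then start with privileges dropped.
# SURICATA_BIN, PIDFILE and the default user/group are assumptions.
SURICATA_BIN="${SURICATA_BIN:-suricata}"
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"

# start_suricata_checked <config> <rules> <iface> [user] [group]
# Returns 2 if an input file is unreadable, 1 if the -T test fails,
# otherwise the exit status of the daemon launch.
start_suricata_checked() {
    conf=$1; rules=$2; iface=$3
    user=${4:-suricata}; group=${5:-suricata}

    # Refuse early on unreadable inputs instead of relying on engine output.
    for f in "$conf" "$rules"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done

    # -T only tests the configuration. --init-errors-fatal makes a
    # signature that fails to load an error rather than a skipped rule,
    # so a typo cannot silently reduce detection coverage.
    if ! "$SURICATA_BIN" -T -c "$conf" -s "$rules" --init-errors-fatal; then
        echo "configuration test failed; not starting" >&2
        return 1
    fi

    # Live capture needs elevated rights only during init; --user and
    # --group drop them afterwards. -D forks into the background.
    "$SURICATA_BIN" -c "$conf" -s "$rules" -i "$iface" \
        --init-errors-fatal --user "$user" --group "$group" \
        --pidfile "$PIDFILE" -D
}

# Usage: start_suricata_checked suricata.yaml signatures.rules eth0
```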

SEE ALSO

       suricatasc(1), tcpdump(1), pcap(3).

AUTHOR

       suricata was written by the Open Information Security Foundation.

       This manual page was written by Pierre Chifflier <pollux@debian.org>  and  Arturo  Borrero
       Gonzalez <arturo@debian.org> for the Debian project (and may be used by others).

                                           10 Oct 2016                                SURICATA(8)