NAME

       suricata - Next Generation Intrusion Detection and Prevention Tool

SYNOPSIS

       suricata [OPTIONS] [BPF FILTER]

DESCRIPTION

       suricata  is  a  network  Intrusion Detection System (IDS). It is based on rules (and is fully compatible
       with snort rules) to detect a variety of attacks / probes by searching packet content.

       This engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP,  HTTP,  TLS,  FTP
       and  SMB),  Gzip  Decompression, Fast IP Matching and hardware acceleration on CUDA, OpenCL GPU cards and
       more.

       It supports acquiring packets through AF_PACKET, NFQUEUE, PF_RING, PCAP (live or offline) and more.

OPTIONS

       -c <path>
              Load main configuration file (by default, /etc/suricata/suricata.yaml).

       -T     Test configuration file (use with -c).

       -i <dev or ip>
              Run in PCAP live mode.

       -F <bpf filter file>
              Load BPF filter file.

       -r <path>
              Run in PCAP file/offile mode.

       -q <qid>
              Run in inline NFQUEUE mode.

       -s <path>
              Load signature file in addition to the main configuration file.

       -S <path>
              Load signature file exclusively.

       -l <dir>
              Set log directory (by default /var/log/suricata).

       -D     Run as a background daemon (suricata will fork itself).

       -k [all|none]
              Force checksum cheks (all) or disable it (none).

       -V     Print suricata version.

       -v[v]  Increase default verbosity.

       --list-app-layer-protos
              Print list of supported app layer protocols.

       --list-keywords[=all|csv|<kword>]
              List keywords implemented by the engine.

       --list-runmodes
              List supported runmodes.

       --runmode <runomde_id>
              Specific runmode in which the engine should run. The argument runmode_id should be the id  of  the
              runmode obtained using --list-runmodes.

       --engine-analysis
              Print reports on analysis of different sections in the engine.

       --pidfile <path>
              Write PID to the file.

       --init-errors-fatal
              Enable fatal failure on signature init error.

       --disable-detection
              Disable detection engine.

       --dump-config
              Show the running configuration.

       --build-info
              Display build information.

       --pacp[=<dev>]
              Run in PCAP mode. No dev value selects interfaces from main configuration file.

       --pcap-buffer-size
              Size of PCAP buffer. Values from 0 to 2147483647.

       --af-packet[=<dev>]
              Run in AF_PACKET mode. No dev value selects interfaces from main configuration file.

       --simulate-ips
              Force engine into IPS mode. Useful for QA.

       --user <user>
              Run suricata as this user after init.

       --group <group>
              Run suricata as this gorup after init.

       --unix-socket[=<file>]
              UNIX  socket  to  control  suricata  work  from  suricatasc(1).  The default is /var/run/suricata-
              command.socket.

       --set name=value
              Set configuration variable name to value.

EXAMPLES

       To run the engine with default configuration on interface eth0 with signature  file  "signatiures.rules",
       run the command as:

        % suricata -c suricata.yaml -s signatures.rules -i eth0

SEE ALSO

       suricatasc(1), tcpdump(1), pcap(3).

AUTHOR

       suricata was written by the Open Information Security Foundation.

       This  manual  page  was  written  by  Pierre  Chifflier  <pollux@debian.org>  and Arturo Borrero Gonzalez
       <arturo@debian.org> for the Debian project (and may be used by others).

                                                   10 Oct 2016                                       SURICATA(8)