LinuxCommandLibrary

suricata

TLDR

Start in IDS mode on an interface

$ suricata -c /etc/suricata/suricata.yaml -i [eth0]
copy
Analyze a pcap file
$ suricata -c /etc/suricata/suricata.yaml -r [capture.pcap]
copy
Run in IPS mode with NFQUEUE
$ suricata -c /etc/suricata/suricata.yaml -q [0]
copy
Test configuration file
$ suricata -c /etc/suricata/suricata.yaml -T
copy
Run as daemon
$ suricata -c /etc/suricata/suricata.yaml -i [eth0] -D
copy
Set custom log directory
$ suricata -c /etc/suricata/suricata.yaml -i [eth0] -l [/var/log/suricata]
copy
Display version
$ suricata -V
copy

SYNOPSIS

suricata [options]

DESCRIPTION

suricata is a high-performance Network IDS, IPS, and Network Security Monitoring engine. It inspects network traffic using signature-based detection, protocol analysis, and anomaly detection to identify threats and security events.
Suricata can operate in three modes: IDS (passive monitoring), IPS (inline blocking using NFQUEUE or netfilter), and network security monitoring (logging and metadata extraction). It supports multiple capture methods including AFPACKET, PFRING, NETMAP, and standard pcap.
The engine uses multi-threading for high-performance packet processing and supports Lua scripting for custom detection logic. It is compatible with Snort rules and can process the Emerging Threats ruleset.
Output formats include EVE JSON for SIEM integration, fast log, unified2, and various protocol-specific logs.

PARAMETERS

-c file

Path to configuration file.
-T
Test configuration and exit.
-i interface
Network interface for packet capture.
-r file
Read packets from pcap file (offline mode).
-q queue
Run inline using NFQUEUE queue ID.
-D
Run as daemon in background.
-l dir
Set default log directory.
-s file
Load additional signature file.
-S file
Load signatures exclusively from file.
-v
Increase verbosity (can be used multiple times).
-V
Display version information.
--user user
Run as specified user after initialization.
--group group
Run as specified group after initialization.
--pidfile file
Write process ID to file.
--runmode mode
Set runmode: workers, autofp, or single.
--af-packet interface
Enable AF_PACKET capture.
--netmap interface
Enable NETMAP capture.
--pfring interface
Enable PF_RING capture.
-F file
Use BPF filter from file.
-k mode
Checksum check: all, none, or auto.

CAVEATS

Requires root or CAPNETRAW capability for live capture. High traffic environments need tuned configuration for optimal performance. IPS mode requires proper netfilter/iptables configuration. Rule updates should be tested before production deployment.

HISTORY

Suricata was developed by the Open Information Security Foundation (OISF) starting in 2009, with the first stable release in 2010. It was created as a modern, multi-threaded alternative to Snort, designed to take advantage of modern multi-core processors. The project is funded by the US Department of Homeland Security and other sponsors.

SEE ALSO

snort(1), tcpdump(1), zeek(1), nftables(8)

Copied to clipboard