SURICATA(1)			   Suricata			   SURICATA(1)

NAME
       suricata	- Suricata

SYNOPSIS
       suricata	[OPTIONS] [BPF FILTER]

DESCRIPTION
       suricata is a high performance Network IDS, IPS and Network Security
       Monitoring engine. It is Open Source and owned by a community run
       non-profit foundation, the Open Information Security Foundation (OISF).

       suricata	 can  be  used	to analyze live	traffic	and pcap files.	It can
       generate	alerts based on	rules. suricata	will generate traffic logs.

       When used with live traffic suricata can	be passive or  active.	Active
       modes are: inline in a L2 bridge	setup, inline with L3 integration with
       host  firewall  (NFQ, IPFW, WinDivert), or out of band using active re-
       sponses.

OPTIONS
       -h     Display a	brief usage overview.

       -V     Displays the version of Suricata.

       -c <path>
	      Path to configuration file.

       --include <path>
	      Additional configuration files to	include.  Multiple  additional
	      configuration  files can be provided and will be included	in the
	      order specified on the command line.  These additional  configu-
	      ration  files  are  loaded  as if	they existed at	the end	of the
	      main configuration file.

	      Example including	one additional file:

		 --include /etc/suricata/other.yaml

	      Example including	more than one additional file:

		 --include /etc/suricata/other.yaml --include /etc/suricata/extra.yaml

       -T     Test configuration.

       -v     Increase the verbosity of	the Suricata  application  logging  by
	      increasing  the  log  level from the default. This option	can be
	      passed multiple times to further increase	the verbosity.

	      o	 -v: INFO

	      o	 -vv: PERF

	      o	 -vvv: CONFIG

	      o	 -vvvv: DEBUG

	      This option will not decrease the	log level set in the  configu-
	      ration  file  if	it  is already more verbose than the level re-
	      quested with this	option.

       -r <path>
	      Run in pcap offline mode (replay mode) reading files  from  pcap
	      file.  If	<path> specifies a directory, all files	in that	direc-
	      tory will	be processed in	order  of  modified  time  maintaining
	      flow state between files.

       --pcap-file-continuous
	      Used  with  the  -r option to indicate that the mode should stay
	      alive until interrupted. This is useful with directories to  add
	      new files	and not	reset flow state between files.

       --pcap-file-recursive
	      Used  with  the -r option	when the path provided is a directory.
	      This option enables recursive traversal into subdirectories to a
	      maximum depth of 255.   This  option  cannot  be	combined  with
	      --pcap-file-continuous.  Symlinks	are ignored.

       --pcap-file-delete
	      Used  with the -r	option to indicate that	the mode should	delete
	      pcap files after they have been processed. This is  useful  with
	      pcap-file-continuous  to	continuously feed files	to a directory
	      and have them cleaned up when done. If this option is  not  set,
	      pcap files will not be deleted after processing.

       --pcap-file-buffer-size <value>
	      Set  read	 buffer	 size  using setvbuf to	speed up pcap reading.
	      Valid values are 4 KiB to	64 MiB.	Default	value is 128 KiB. Sup-
	      ported on	Linux only.

       -i <interface>
	      After the	-i option you can enter	the interface card  you	 would
	      like  to use to sniff packets from.  This	option will try	to use
	      the best capture method available. Can be	used several times  to
	      sniff packets from several interfaces.

       --pcap[=<device>]
	      Run  in  PCAP mode. If no	device is provided the interfaces pro-
	      vided in the pcap	section	of  the	 configuration	file  will  be
	      used.

       --af-packet[=<device>]
	      Enable packet capture using AF_PACKET on Linux. If no device
	      is supplied, the list of devices from the af-packet section in
	      the yaml is used.

       --af-xdp[=<device>]
	      Enable packet capture using AF_XDP on Linux. If no device is
	      supplied, the list of devices from the af-xdp section in the
	      yaml is used.

       -q <queue id>
	      Run inline on the NFQUEUE queue ID provided. May be provided
	      multiple times.

       -s <filename.rules>
	      With the -s option you can set a	file  with  signatures,	 which
	      will be loaded together with the rules set in the	yaml.

	      It is possible to	use globbing when specifying rules files.  For
	      example, -s '/path/to/rules/*.rules'

       -S <filename.rules>
	      With  the	 -S  option  you can set a file	with signatures, which
	      will be loaded exclusively, regardless of	the rules set  in  the
	      yaml.

	      It is possible to	use globbing when specifying rules files.  For
	      example, -S '/path/to/rules/*.rules'

       -l <directory>
	      With the -l option you can set the default log directory.	If you
	      already  have  the  default-log-dir  set in yaml,	it will	not be
	      used by Suricata if you use the -l option. It will use  the  log
	      dir  that	 is set	with the -l option. If you do not set a	direc-
	      tory with	the -l option, Suricata	will use the directory that is
	      set in yaml.

       -D     Normally if you run Suricata on your console, it keeps your con-
	      sole occupied. You cannot use it for other purposes, and when
	      you close the window, Suricata stops running. If you run Suri-
	      cata as a daemon (using the -D option), it runs in the background
	      and you will be able to use the console for other tasks without
	      disturbing the running engine.

       --runmode <runmode>
	      With the --runmode option	you can	set the	runmode	that you would
	      like to use. This	command	line option can	override the yaml run-
	      mode option.

	      Runmodes are: workers, autofp and	single.

	      For more information about runmodes see  Runmodes	 in  the  user
	      guide.

       -F <bpf filter file>
	      Use BPF filter from file.

       -k [all|none]
	      Force  (all)  the	 checksum check	or disable (none) all checksum
	      checks.

       --user=<user>
	      Set the process user after initialization.  Overrides  the  user
	      provided in the run-as section of	the configuration file.

       --group=<group>
	      Set  the	process	group to group after initialization. Overrides
	      the group	provided in the	run-as section	of  the	 configuration
	      file.

       --pidfile <file>
	      Write  the  process ID to	file. Overrides	the pid-file option in
	      the configuration	file and forces	the file to  be	 written  when
	      not running as a daemon.

       --init-errors-fatal
	      Exit  with  a failure when errors	are encountered	loading	signa-
	      tures.

       --strict-rule-keywords[=all|<keyword>|<keywords(csv)]
	      Applies to: classtype, reference and app-layer-event.

	      By default missing reference or classtype values are warnings
	      and not errors. Additionally, loading outdated app-layer-event
	      events is also not treated as an error, but as a warning instead.

	      If this option is	enabled	these warnings are considered errors.

	      If no value, or the value	'all', is specified,  the  option  ap-
	      plies to all of the keywords above. Alternatively, a comma sepa-
	      rated  list can be supplied with the keyword names it should ap-
	      ply to.

       --disable-detection
	      Disable the detection engine.

       --disable-hashing
	      Disable support for  hash	 algorithms  such  as  md5,  sha1  and
	      sha256.

	      By  default hashing is enabled. Disabling	hashing	will also dis-
	      able some	Suricata features such as the filestore, ja3, and rule
	      keywords that use	hash algorithms.

       --dump-config
	      Dump the configuration loaded from the configuration file	to the
	      terminal and exit.

       --dump-features
	      Dump the features provided by Suricata modules and exit. The
	      feature list is (a subset of) the configuration values and is
	      intended to assist with comparing provided features with those
	      required by one or more rules.

       --build-info
	      Display the build information Suricata was built with.

       --list-app-layer-protos
	      List all supported application layer protocols.

       --list-keywords=[all|csv|<kword>]
	      List all supported rule keywords.

       --list-runmodes
	      List all supported run modes.

       --set <key>=<value>
	      Set a configuration value. Useful	for overriding basic  configu-
	      ration parameters. For example, to change	the default log	direc-
	      tory:

		 --set default-log-dir=/var/tmp

	      This  option  cannot be used to add new entries to a list	in the
	      configuration file, such as a new	output.	It can only be used to
	      modify a value in	a list that already exists.

	      For example, to disable the eve-log in the default configuration
	      file:

		 --set outputs.1.eve-log.enabled=no

	      Also note	that the index values may change as the	 suricata.yaml
	      is updated.

	      See  the	output of --dump-config	for existing values that could
	      be modified with their index.
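	      As an added example (not part of this man page), the following
	      POSIX shell helper derives the list index from --dump-config
	      output instead of hard-coding it, since the index can change when
	      suricata.yaml is updated. The dump lines are a constructed sample
	      in the "key = value" shape that --dump-config prints; the function
	      names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `suricata --dump-config` output (not real output).
SAMPLE_DUMP='outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filetype = regular
outputs.2.stats.enabled = yes
default-log-dir = /usr/local/var/log/suricata'

# output_index <dump> <output-name>: print the numeric index N such that
# outputs.N.<output-name>.* exists in the dump; exit 1 when absent.
output_index() {
    printf '%s\n' "$1" | awk -v name="$2" -F'[. ]' '
        $1 == "outputs" && $3 == name { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# set_output_enabled <dump> <output-name> <yes|no>: print the --set argument
# that toggles that output without hard-coding its position in the yaml.
set_output_enabled() {
    idx=$(output_index "$1" "$2") || return 1
    printf -- '--set outputs.%s.%s.enabled=%s\n' "$idx" "$2" "$3"
}

# Typical use (hypothetical): capture the real dump, then build the override.
#   dump=$(suricata -c /usr/local/etc/suricata/suricata.yaml --dump-config)
#   suricata -c ... $(set_output_enabled "$dump" eve-log no)
```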

       --engine-analysis
	      Print reports on analysis of different sections in the engine
	      and exit. See the engine-analysis configuration parameter for
	      the reports that can be printed.

       --unix-socket=<file>
	      Use  file	 as  the  Suricata  unix control socket. Overrides the
	      filename provided	in the unix-command section of the  configura-
	      tion file.

       --reject-dev=<device>
	      Use  device to send out RST / ICMP error packets with the	reject
	      keyword.

       --pcap-buffer-size=<size>
	      Set the size of the PCAP buffer (0 - 2147483647).

       --netmap[=<device>]
	      Enable packet capture using NETMAP on FreeBSD or Linux. If no
	      device is supplied, the list of devices from the netmap section
	      in the yaml is used.

       --pfring[=<device>]
	      Enable PF_RING packet capture. If no device is provided, the
	      devices in the Suricata configuration will be used.

       --pfring-cluster-id <id>
	      Set the PF_RING cluster ID.

       --pfring-cluster-type <type>
	      Set  the	PF_RING	 cluster  type	 (cluster_round_robin,	 clus-
	      ter_flow).

       -d <divert-port>
	      Run inline using IPFW divert mode.

       --dag <device>
	      Enable packet capture off a DAG card. If capturing off a spe-
	      cific stream, the stream can be selected using a device name
	      like "dag0:4". This option may be provided multiple times to
	      read off multiple devices and/or streams.

       --napatech
	      Enable packet capture using the Napatech Streams API.

       --erf-in=<file>
	      Run in offline mode reading the specific ERF file	(Endace	exten-
	      sible record format).

       --simulate-ips
	      Simulate IPS mode	when running in	a non-IPS mode.

OPTIONS	FOR DEVELOPERS
       -u     Run the unit tests and exit. Requires that Suricata  be  config-
	      ured with	--enable-unittests.

       -U, --unittest-filter=REGEX
	      With  the	 -U  option you	can select which of the	unit tests you
	      want to run. This	option uses REGEX. Example of use: suricata -u
	      -U http

       --list-unittests
	      Lists available unit tests.

       --fatal-unittests
	      Enables fatal failure on a unit test error. Suricata  will  exit
	      instead of continuing more tests.

       --unittests-coverage
	      Display unit test	coverage report.

SIGNALS
       Suricata	will respond to	the following signals:

       SIGUSR2
	  Causes Suricata to perform a live rule reload.

       SIGHUP
	  Causes Suricata to close and re-open all log files. This can be used
	  to  re-open log files	after they may have been moved away by log ro-
	  tation utilities.
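	  An added example, not from this man page, of the log rotation pattern
	  this signal supports: rename the log file first, then send SIGHUP to
	  the PID recorded by --pidfile so Suricata re-opens a fresh file. The
	  function name and the pidfile/log paths are assumptions.

```shell
#!/bin/sh
# rotate_and_reopen <pidfile> <logfile>
# Rotate a Suricata log file and ask the running engine to re-open its logs.
# Order matters: after the rename Suricata keeps writing to the renamed inode
# until it receives SIGHUP, so no events are lost between the two steps.
rotate_and_reopen() {
    pidfile=$1
    logfile=$2

    # The pidfile comes from --pidfile (or the pid-file yaml option).
    pid=$(cat "$pidfile" 2>/dev/null) || return 1

    # Refuse to signal anything unless the pidfile holds a plain number
    # that belongs to a live process.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1

    # Move the current log aside with a timestamp suffix (constructed here).
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$logfile" "$logfile.$stamp" || return 1

    # SIGHUP makes Suricata close and re-open all log files.
    kill -HUP "$pid"
}

# Typical use (hypothetical paths):
#   rotate_and_reopen /var/run/suricata.pid /usr/local/var/log/suricata/eve.json
```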

FILES AND DIRECTORIES
       /usr/local/etc/suricata/suricata.yaml
	      Default location of the Suricata configuration file.

       /usr/local/var/log/suricata
	      Default Suricata log directory.

EXAMPLES
       To capture live traffic from interface eno1:

	  suricata -i eno1

       To analyze a pcap file and output logs to the CWD:

	  suricata -r /path/to/capture.pcap

       To capture using	AF_PACKET and override the flow	 memcap	 setting  from
       the suricata.yaml:

	  suricata --af-packet --set flow.memcap=1gb

       To analyze a pcap file with a custom rule file:

	  suricata -r /path/to/capture.pcap -S /path/to/custom.rules

BUGS
       Please  visit  Suricata's support page for information about submitting
       bugs or feature requests.

NOTES
        Suricata Home Page
	    https://suricata.io/

        Suricata Support Page
	    https://suricata.io/support/

COPYRIGHT
       2016-2025, OISF

8.0.2				  2025-11-05			   SURICATA(1)
