Suricata User Guide

This is the documentation for Suricata 8.0.0-dev.

1. What is Suricata
- 1.1. About the Open Information Security Foundation
2. Quickstart guide
- 2.1. Installation
- 2.2. Basic setup
- 2.3. Signatures
- 2.4. Running Suricata
- 2.5. Alerting
- 2.6. EVE Json
3. Installation
- 3.1. Source
- 3.2. Binary packages
- 3.3. Advanced Installation
4. Upgrading
- 4.1. General instructions
- 4.2. Upgrading 7.0 to 8.0
- 4.3. Upgrading 6.0 to 7.0
- 4.4. Upgrading 5.0 to 6.0
- 4.5. Upgrading 4.1 to 5.0
5. Security Considerations
- 5.1. Running as a User Other Than Root
- 5.2. Containers
6. Support Status
- 6.1. Levels of Support
- 6.2. Distributions
- 6.3. Architecture Support
7. Command Line Options
- 7.1. Unit Tests
8. Suricata Rules
- 8.1. Rules Format
- 8.2. Meta Keywords
- 8.3. IP Keywords
- 8.4. TCP keywords
- 8.5. UDP keywords
- 8.6. ICMP keywords
- 8.7. Payload Keywords
- 8.8. Changes from PCRE1 to PCRE2
- 8.9. Transformations
- 8.10. Prefiltering Keywords
- 8.11. Flow Keywords
- 8.12. Bypass Keyword
- 8.13. HTTP Keywords
- 8.14. File Keywords
- 8.15. DNS Keywords
- 8.16. SSL/TLS Keywords
- 8.17. SSH Keywords
- 8.18. JA3 Keywords
- 8.19. Modbus Keyword
- 8.20. DCERPC Keywords
- 8.21. DHCP keywords
- 8.22. DNP3 Keywords
- 8.23. ENIP/CIP Keywords
- 8.24. FTP/FTP-DATA Keywords
- 8.25. Kerberos Keywords
- 8.26. SMB Keywords
- 8.27. SNMP keywords
- 8.28. Base64 keywords
- 8.29. SIP Keywords
- 8.30. RFB Keywords
- 8.31. MQTT Keywords
- 8.32. IKE Keywords
- 8.33. HTTP2 Keywords
- 8.34. Quic Keywords
- 8.35. NFS Keywords
- 8.36. SMTP Keywords
- 8.37. Generic App Layer Keywords
- 8.38. Xbits Keyword
- 8.39. Thresholding Keywords
- 8.40. IP Reputation Keyword
- 8.41. IP Addresses Match
- 8.42. Config Rules
- 8.43. Datasets
- 8.44. Lua Scripting for Detection
- 8.45. Differences From Snort
- 8.46. Multiple Buffer Matching
- 8.47. Tag
9. Rule Management
- 9.1. Rule Management with Suricata-Update
- 9.2. Adding Your Own Rules
- 9.3. Rule Reloads
- 9.4. Rules Profiling
10. Making sense out of Alerts
11. Performance
- 11.1. Runmodes
- 11.2. Packet Capture
- 11.3. Tuning Considerations
- 11.4. Hyperscan
- 11.5. High Performance Configuration
- 11.6. Statistics
- 11.7. Ignoring Traffic
- 11.8. Packet Profiling
- 11.9. Rule Profiling
- 11.10. Tcmalloc
- 11.11. Performance Analysis
12. Configuration
- 12.1. Suricata.yaml
- 12.2. Global-Thresholds
- 12.3. Exception Policies
- 12.4. Snort.conf to Suricata.yaml
- 12.5. Multi Tenancy
- 12.6. Dropping Privileges After Startup
- 12.7. Using Landlock LSM
- 12.8. systemd notification
- 12.9. Includes
13. Reputation
- 13.1. IP Reputation
14. Init Scripts
15. Setting up IPS/inline for Linux
- 15.1. Setting up IPS with Netfilter
- 15.2. Setting up IPS at Layer 2
16. Setting up IPS/inline for Windows
17. Output
- 17.1. EVE
- 17.2. Lua Output
- 17.3. Syslog Alerting Compatibility
- 17.4. Custom http logging
- 17.5. Custom tls logging
- 17.6. Log Rotation
18. Lua support
- 18.1. Lua usage in Suricata
- 18.2. Lua functions
19. File Extraction
- 19.1. Architecture
- 19.2. Settings
- 19.3. Output
- 19.4. Rules
- 19.5. MD5
- 19.6. Updating Filestore Configuration
20. Public Data Sets
21. Using Capture Hardware
- 21.1. Endace DAG
- 21.2. Napatech
- 21.3. Myricom
- 21.4. eBPF and XDP
- 21.5. Netmap
- 21.6. AF_XDP
- 21.7. DPDK
22. Interacting via Unix Socket
- 22.1. Introduction
- 22.2. Commands in standard running mode
- 22.3. Commands on the cmd prompt
- 22.4. PCAP processing mode
- 22.5. Build your own client
23. 3rd Party Integration
- 23.1. Symantec SSL Visibility (BlueCoat)
24. Man Pages
- 24.1. Suricata
- 24.2. Suricata Socket Control
- 24.3. Suricata Control
- 24.4. Suricata Control Filestore
25. Acknowledgements
26. Licenses
- 26.1. GNU General Public License
- 26.2. Creative Commons Attribution-NonCommercial 4.0 International Public License
- 26.3. Suricata Source Code
- 26.4. Suricata Documentation
27. Suricata Developer Guide
- 27.1. Working with the Codebase
- 27.2. Suricata Internals
- 27.3. Extending Suricata

Read the Docs v: latest

Versions: latest; suricata-7.0.2; suricata-7.0.1; suricata-7.0.0-rc2; suricata-7.0.0-rc1; suricata-7.0.0-beta1; suricata-7.0.0; suricata-6.0.9; suricata-6.0.8; suricata-6.0.7; suricata-6.0.6; suricata-6.0.5; suricata-6.0.4; suricata-6.0.3; suricata-6.0.2; suricata-6.0.15; suricata-6.0.14; suricata-6.0.13; suricata-6.0.12; suricata-6.0.11; suricata-6.0.10; suricata-6.0.1; suricata-6.0.0-rc1; suricata-6.0.0-beta1; suricata-6.0.0; suricata-5.0.9; suricata-5.0.8; suricata-5.0.7; suricata-5.0.6; suricata-5.0.5; suricata-5.0.4; suricata-5.0.3; suricata-5.0.2; suricata-5.0.10; suricata-5.0.1; suricata-5.0.0-rc1; suricata-5.0.0-beta1; suricata-5.0.0; suricata-4.1.9; suricata-4.1.8; suricata-4.1.7; suricata-4.1.6; suricata-4.1.5; suricata-4.1.4; suricata-4.1.3; suricata-4.1.2; suricata-4.1.10; suricata-4.1.1; suricata-4.1.0-rc2; suricata-4.1.0-rc1; suricata-4.1.0-beta1; suricata-4.1.0; suricata-4.0.7; suricata-4.0.6; suricata-4.0.5; suricata-4.0.4; suricata-4.0.3; suricata-4.0.2; suricata-4.0.1; suricata-4.0.0-rc2; suricata-4.0.0-rc1; suricata-4.0.0-beta1; suricata-4.0.0; suricata-3.2rc1; suricata-3.2beta1; suricata-3.2.5; suricata-3.2.4; suricata-3.2.3; suricata-3.2.2; suricata-3.2.1; suricata-3.2; master-6.0.x

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds