Suricata User Guide

This is the documentation for Suricata 8.0.0-rc1-dev.

• 1. What is Suricata
  • 1.1. About the Open Information Security Foundation
• 2. Quickstart guide
  • 2.1. Installation
  • 2.2. Basic setup
  • 2.3. Signatures
  • 2.4. Running Suricata
  • 2.5. Alerting
  • 2.6. EVE Json
• 3. Installation
  • 3.1. Source
  • 3.2. Binary packages
  • 3.3. Advanced Installation
• 4. Upgrading
  • 4.1. General instructions
  • 4.2. Upgrading 7.0 to 8.0
  • 4.3. Upgrading 6.0 to 7.0
  • 4.4. Upgrading 5.0 to 6.0
  • 4.5. Upgrading 4.1 to 5.0
• 5. Security Considerations
  • 5.1. Running as a User Other Than Root
  • 5.2. Containers
• 6. Support Status
  • 6.1. Levels of Support
  • 6.2. Distributions
  • 6.3. Architecture Support
• 7. Command Line Options
  • 7.1. Unit Tests
• 8. Suricata Rules
  • 8.1. Rules Format
  • 8.2. Meta Keywords
  • 8.3. IP Keywords
  • 8.4. TCP keywords
  • 8.5. UDP keywords
  • 8.6. ICMP keywords
  • 8.7. Payload Keywords
  • 8.8. Integer Keywords
  • 8.9. Transformations
  • 8.10. Prefiltering Keywords
  • 8.11. Flow Keywords
  • 8.12. Bypass Keyword
  • 8.13. HTTP Keywords
  • 8.14. File Keywords
  • 8.15. DNS Keywords
  • 8.16. SSL/TLS Keywords
  • 8.17. SSH Keywords
  • 8.18. JA3/JA4 Keywords
  • 8.19. Modbus Keyword
  • 8.20. DCERPC Keywords
  • 8.21. DHCP keywords
  • 8.22. DNP3 Keywords
  • 8.23. ENIP/CIP Keywords
  • 8.24. FTP/FTP-DATA Keywords
  • 8.25. Kerberos Keywords
  • 8.26. SMB Keywords
  • 8.27. SNMP keywords
  • 8.28. Base64 keywords
  • 8.29. SIP Keywords
  • 8.30. SDP Keywords
  • 8.31. RFB Keywords
  • 8.32. MQTT Keywords
  • 8.33. IKE Keywords
  • 8.34. HTTP2 Keywords
  • 8.35. Quic Keywords
  • 8.36. NFS Keywords
  • 8.37. SMTP Keywords
  • 8.38. WebSocket Keywords
  • 8.39. Generic App Layer Keywords
  • 8.40. Generic Decode Layer Keywords
  • 8.41. Xbits Keyword
  • 8.42. Alert Keywords
  • 8.43. Thresholding Keywords
  • 8.44. IP Reputation Keyword
  • 8.45. IP Addresses Match
  • 8.46. Config Rules
  • 8.47. Datasets
  • 8.48. Lua Scripting for Detection
  • 8.49. Differences From Snort
  • 8.50. Multiple Buffer Matching
  • 8.51. Tag
  • 8.52. VLAN Keywords
  • 8.53. LDAP Keywords
  • 8.54. Rule Types and Categorization
  • 8.55. Email Keywords
• 9. Rule Management
  • 9.1. Rule Management with Suricata-Update
  • 9.2. Adding Your Own Rules
  • 9.3. Rule Reloads
  • 9.4. Rules Profiling
• 10. Making sense out of Alerts
• 11. Performance
  • 11.1. Runmodes
  • 11.2. Packet Capture
  • 11.3. Tuning Considerations
  • 11.4. Hyperscan
  • 11.5. High Performance Configuration
  • 11.6. Statistics
  • 11.7. Ignoring Traffic
  • 11.8. Packet Profiling
  • 11.9. Rule Profiling
  • 11.10. Tcmalloc
  • 11.11. Performance Analysis
• 12. Configuration
  • 12.1. Suricata.yaml
  • 12.2. Global-Thresholds
  • 12.3. Exception Policies
  • 12.4. Snort.conf to Suricata.yaml
  • 12.5. Multi Tenancy
  • 12.6. Dropping Privileges After Startup
  • 12.7. Using Landlock LSM
  • 12.8. systemd notification
  • 12.9. Includes
• 13. Reputation
  • 13.1. IP Reputation
• 14. Init Scripts
• 15. Setting up IPS/inline for Linux
  • 15.1. Setting up IPS with Netfilter
  • 15.2. Setting up IPS at Layer 2
• 16. Setting up IPS/inline for Windows
• 17. Output
  • 17.1. EVE
  • 17.2. Lua Output
  • 17.3. Syslog Alerting Compatibility
  • 17.4. Custom http logging
  • 17.5. Custom tls logging
  • 17.6. Log Rotation
• 18. Lua support
  • 18.1. Lua usage in Suricata
  • 18.2. Lua functions
  • 18.3. Lua Libraries
• 19. File Extraction
  • 19.1. Architecture
  • 19.2. Settings
  • 19.3. Output
  • 19.4. Rules
  • 19.5. MD5
  • 19.6. Updating Filestore Configuration
• 20. Public Data Sets
• 21. Using Capture Hardware
  • 21.1. Endace DAG
  • 21.2. Napatech
  • 21.3. Myricom
  • 21.4. eBPF and XDP
  • 21.5. Netmap
  • 21.6. AF_XDP
  • 21.7. DPDK
• 22. Interacting via Unix Socket
  • 22.1. Introduction
  • 22.2. Commands in standard running mode
  • 22.3. Commands on the cmd prompt
  • 22.4. PCAP processing mode
  • 22.5. Build your own client
• 23. Plugins
  • 23.1. nDPI
• 24. Firewall Mode
  • 24.1. Firewall Mode Design
  • 24.2. Firewall Ruleset Examples
• 25. 3rd Party Integration
  • 25.1. Symantec SSL Visibility (BlueCoat)
• 26. Man Pages
  • 26.1. Suricata
  • 26.2. Suricata Socket Control
  • 26.3. Suricata Control
  • 26.4. Suricata Control Filestore
• 27. Acknowledgements
• 28. Licenses
  • 28.1. GNU General Public License
  • 28.2. Creative Commons Attribution-NonCommercial 4.0 International Public License
  • 28.3. Suricata Source Code
  • 28.4. Suricata Documentation
• 29. Suricata Developer Guide
  • 29.1. Working with the Codebase
  • 29.2. Contributing
  • 29.3. Suricata Internals
  • 29.4. Extending Suricata
  • 29.5. LibSuricata and Plugins
  • 29.6. Upgrading
• 30. Verifying Suricata Source Distribution Files
  • 30.1. Verification Steps
• 31. Appendix
  • 31.1. EVE Index