suricata 命令

常用示例

说明

suricata is a high-performance Network IDS, IPS, and Network Security Monitoring engine. It inspects network traffic using signature-based detection, protocol analysis, and anomaly detection to identify threats and security events. Suricata can operate in three modes: IDS (passive monitoring), IPS (inline blocking using NFQUEUE or netfilter), and network security monitoring (logging and metadata extraction). It supports multiple capture methods including AF_PACKET, PF_RING, NETMAP, and standard pcap. The engine uses multi-threading for high-performance packet processing and supports Lua scripting for custom detection logic. It is compatible with Snort rules and can process the Emerging Threats ruleset. Output formats include EVE JSON for SIEM integration, fast log, unified2, and various protocol-specific logs.

参数

-c _file_

Path to configuration file.

-T

Test configuration and exit.

-i _interface_

Network interface for packet capture.

-r _file_

Read packets from pcap file (offline mode).

-q _queue_

Run inline using NFQUEUE queue ID.

-D

Run as daemon in background.

-l _dir_

Set default log directory.

-s _file_

Load additional signature file.

-S _file_

Load signatures exclusively from file.

-v

Increase verbosity (can be used multiple times).

-V

Display version information.

--user _user_

Run as specified user after initialization.

--group _group_

Run as specified group after initialization.

--pidfile _file_

Write process ID to file.

--runmode _mode_

Set runmode: workers, autofp, or single.

--af-packet _interface_

Enable AF_PACKET capture.

--netmap _interface_

Enable NETMAP capture.

--pfring _interface_

Enable PF_RING capture.

-F _file_

Use BPF filter from file.

-k _mode_

Checksum check: all, none, or auto.

--set _name=value_

Override a configuration value (e.g., --set default-log-dir=/tmp).

-h, --help

Display help information.